search redirects
RonG1966
2012-07-24, 23:47
I have been getting redirects when I try to connect to sites I've searched for, mainly using Bing. A new window will open, and there will either be a page with websites pertaining to my search or a totally different site. Malwarebytes has detected Trojan.BHO a couple of times in the past ten days and Microsoft Security Essentials found Trojan:JS/Tadtruss.A a couple of times last week. Here is my dds.
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Dr. Gioe at 8:10:29.06 on Sat 05/07/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3034.2497 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
c:\drivers\audio\r215959\STacSV.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Dentrix\DtxQuickLaunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Dr. Gioe\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.live.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [DtxQuickLaunch.exe] c:\program files\dentrix\DtxQuickLaunch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249672030562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl3f3efc35;MpKsl3f3efc35;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fab654ed-7e03-4769-8a9a-6db0a7609ec2}\MpKsl3f3efc35.sys [2011-5-7 28752]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-1 113024]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-8-1 144128]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [2009-8-1 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [2009-8-1 144544]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [2009-8-1 268992]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-8-1 160256]
S1 MpKsl310b55a1;MpKsl310b55a1;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{920974b3-3a24-47d7-972f-4692d66a6fa0}\mpksl310b55a1.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{920974b3-3a24-47d7-972f-4692d66a6fa0}\MpKsl310b55a1.sys [?]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2009-8-1 1656960]
.
=============== Created Last 30 ================
.
2011-05-07 12:46:44 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{fab654ed-7e03-4769-8a9a-6db0a7609ec2}\MpKsl3f3efc35.sys
2011-05-06 21:23:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-05-06 19:20:05 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{fab654ed-7e03-4769-8a9a-6db0a7609ec2}\mpengine.dll
2011-05-06 00:10:25 -------- d-----w- c:\docume~1\drf276~1.gio\applic~1\Malwarebytes
2011-05-06 00:10:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-06 00:10:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-05-06 00:10:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-06 00:10:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-05 19:00:35 -------- d-----w- c:\windows\pss
2011-05-05 16:08:29 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-05 16:08:29 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-05 14:59:39 0 ----a-w- c:\windows\Ofifowohone.bin
2011-05-05 14:59:38 -------- d-----w- c:\docume~1\drf276~1.gio\locals~1\applic~1\{742691D9-9EDD-43EC-A981-5E7680982CD1}
2011-05-05 14:58:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\cH31000FlEgA31000
2011-04-15 13:08:06 -------- d-----w- c:\windows\ServicePackFiles
2011-04-14 08:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:27:43 1866880 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
RonG1966
2012-07-25, 01:20
Sorry, I posted an old dds file from last year. Here is the new one.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Dr. Gioe at 17:13:42 on 2012-07-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3034.2475 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r215959\STacSV.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Dentrix\DtxQuickLaunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [DtxQuickLaunch.exe] c:\program files\dentrix\DtxQuickLaunch.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PowerDVD DX] rundll32.exe "c:\documents and settings\dr. gioe\local settings\application data\secunia psi\powerdvd dx\linjr.dll",CreateInstance
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [PowerDVD DX] rundll32.exe "c:\documents and settings\dr. gioe\local settings\application data\secunia psi\powerdvd dx\linjr.dll",CreateInstance
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249672030562
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{99D6E85F-BC24-4E22-8C7B-0FD7C318C9A7} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 171064]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-1 113024]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-8-1 144128]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [2009-8-1 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [2009-8-1 144544]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [2009-8-1 268992]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-8-1 160256]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2009-8-1 1656960]
.
=============== Created Last 30 ================
.
2012-07-24 19:52:11 6891424 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{47acff87-6e89-4722-994f-16083d1af00d}\mpengine.dll
2012-07-24 17:55:54 6891424 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-16 22:04:23 98816 ----a-w- c:\windows\sed.exe
2012-07-16 22:04:23 518144 ----a-w- c:\windows\SWREG.exe
2012-07-16 22:04:23 256000 ----a-w- c:\windows\PEV.exe
2012-07-16 22:04:23 208896 ----a-w- c:\windows\MBR.exe
.
==================== Find3M ====================
.
2012-07-03 18:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:29:09 1875072 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:24:46 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:41:08 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 17:15:11.10 ===============
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
When running programs on Vista or Windows 7, you need to right-click on the program and select RUN AS ADMINISTRATOR.
Sorry for the delay.
Most times, redirects are the result of a rootkit-type infection; let's check.
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png
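The reply above points at a rootkit as the usual cause of search redirects; before any tool runs, the DDS log already posted contains one signal worth pulling out by hand. The following is an added example of mine, not code from this thread or from DDS, aswMBR or any other tool named here. It applies one triage heuristic to DDS "Run" lines: flag an autorun whose target binary lives in a directory an ordinary user can write to, which is exactly the shape of the two `rundll32.exe ... linjr.dll,CreateInstance` entries under `Local Settings\Application Data` in the second log. The sample lines are copied from that log; the list of user-writable prefixes and the field names in the result are my assumptions. It generalizes past rundll32 to any autorun target (exe or dll).

```python
import re

# Constructed sample: autorun lines in the DDS "Pseudo HJT Report" style. The
# two linjr.dll entries are copied from the log posted above; the others are
# ordinary entries from the same log, included so the heuristic has something
# to leave alone.
SAMPLE_LINES = [
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
    'uRun: [PowerDVD DX] rundll32.exe "c:\\documents and settings\\dr. gioe\\local settings'
    '\\application data\\secunia psi\\powerdvd dx\\linjr.dll",CreateInstance',
    "mRun: [SysTrayApp] %ProgramFiles%\\IDT\\WDM\\sttray.exe",
    'mRun: [PDVDDXSrv] "c:\\program files\\cyberlink\\powerdvd dx\\PDVDDXSrv.exe"',
    'mRun: [MSC] "c:\\program files\\microsoft security client\\msseces.exe" -hide -runkey',
    'dRun: [PowerDVD DX] rundll32.exe "c:\\documents and settings\\dr. gioe\\local settings'
    '\\application data\\secunia psi\\powerdvd dx\\linjr.dll",CreateInstance',
]

# DDS prefixes: uRun = HKCU Run (current user), mRun = HKLM Run (machine),
# dRun = the Default user's Run key.
RUN_RE = re.compile(r"^(?P<hive>[umd])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$", re.I)
# rundll32 <dll>,<export> ; the DLL path may or may not be quoted
DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+?\.dll)"?\s*,', re.I)
# Unquoted path that may contain spaces: read up to the first executable extension
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|scr|com|bat|cmd|pif))(?:\s|$)", re.I)

# Assumed list of locations a non-admin user (and therefore anything running
# as that user) can write to on Windows XP. An autorun pointing here is not a
# verdict, only a reason to look closer: installed software normally lives
# under Program Files or the Windows directory.
USER_WRITABLE_PREFIXES = (
    "c:\\documents and settings\\",
    "c:\\docume~1\\",
    "c:\\windows\\temp\\",
    "%appdata%", "%localappdata%", "%userprofile%", "%temp%", "%tmp%",
)


def target_path(cmd: str) -> str:
    """Return the binary an autorun command actually loads, lower-cased."""
    m = DLL_RE.search(cmd)
    if m:                      # rundll32 host: the DLL is the real payload
        return m.group("dll").lower()
    if cmd.startswith('"'):    # quoted executable, arguments follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    m = EXE_RE.match(cmd)      # unquoted executable, possibly with spaces
    return (m.group("exe") if m else cmd.split()[0]).lower()


def is_user_writable(path: str) -> bool:
    # str.startswith accepts a tuple of prefixes
    return path.startswith(USER_WRITABLE_PREFIXES)


def triage(lines):
    """Flag Run-key entries whose loaded binary sits in a user-writable location."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        target = target_path(m.group("cmd"))
        if is_user_writable(target):
            findings.append({
                "hive": m.group("hive").lower(),
                "name": m.group("name"),
                "target": target,
                "via_rundll32": bool(DLL_RE.search(m.group("cmd"))),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['hive']}Run [{f['name']}] -> {f['target']} (rundll32={f['via_rundll32']})")
```

Run against the sample, only the two linjr.dll entries come back (one from HKCU, one from the Default user hive); every Program Files, system32 and %ProgramFiles% entry is ignored. The display name "PowerDVD DX" borrowing a legitimate product's name while the DLL sits outside that product's install directory is the second thing a reader of the log notices, and the heuristic surfaces it without needing a signature.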
RonG1966
2012-07-30, 15:48
ken545,
Thanks for your help. The first time that I ran aswMBR there was a highlighted yellow line during the scan, and I got an error message saying that the program had to shut down. I ran it again in safe mode with networking.
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-30 07:41:56
-----------------------------
07:41:56.718 OS Version: Windows 5.1.2600 Service Pack 3
07:41:56.718 Number of processors: 2 586 0x170A
07:41:56.718 ComputerName: D991PWJ1 UserName: Dr. Gioe
07:41:57.531 Initialize success
07:42:02.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:42:02.062 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
07:42:02.093 Disk 0 MBR read successfully
07:42:02.109 Disk 0 MBR scan
07:42:02.109 Disk 0 unknown MBR code
07:42:02.125 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
07:42:02.140 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 295204 MB offset 81920
07:42:02.171 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 9993 MB offset 604670535
07:42:02.187 Disk 0 scanning sectors +625137345
07:42:02.281 Disk 0 scanning C:\WINDOWS\system32\drivers
07:42:08.468 Service scanning
07:42:25.625 Modules scanning
07:42:29.375 Disk 0 trace - called modules:
07:42:29.421 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
07:42:29.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a13a030]
07:42:29.468 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a15a028]
07:42:29.500 Scan finished successfully
07:42:54.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dr. Gioe\Desktop\MBR.dat"
07:42:54.546 The log file has been saved successfully to "C:\Documents and Settings\Dr. Gioe\Desktop\aswMBR.txt"
Let's check your Master Boot Record.
Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs
Double click on the file to run it
A window will open on your desktop
If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.
Also run Malwarebytes and let's see what it comes up with.
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report, please.
RonG1966
2012-07-30, 19:35
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c
Kernel Drivers (total 122):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xB9F23000 dmio.sys
0xBA328000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9E53000 iaStor.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E33000 fltMgr.sys
0xB9E21000 sr.sys
0xB9DF9000 MpFilter.sys
0xBA0F8000 PxHelp20.sys
0xB9DE2000 KSecDD.sys
0xB9D55000 Ntfs.sys
0xB9D28000 NDIS.sys
0xB9D0E000 Mup.sys
0xB89FE000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB89EA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA418000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB89C6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA420000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB899E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB884A000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xB8803000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xB87D0000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB8755000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xBA428000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA430000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA308000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8732000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA438000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xBA574000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xBA578000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xBA318000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA73D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA118000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA57C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB871B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA128000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA138000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA440000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB870A000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA148000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA448000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA450000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB86DA000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA158000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5F0000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB867C000 \SystemRoot\system32\DRIVERS\update.sys
0xB8FD3000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA268000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA278000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA628000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA5BE8000 \SystemRoot\system32\drivers\sthda.sys
0xA5BC4000 \SystemRoot\system32\drivers\portcls.sys
0xA7DF1000 \SystemRoot\system32\drivers\drmk.sys
0xA5BA8000 \SystemRoot\system32\drivers\AESTAud.sys
0xA5B85000 \??\C:\WINDOWS\system32\Drivers\OA009Afx.sys
0xA6B48000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA66A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xA5D6C000 \SystemRoot\System32\Drivers\Null.SYS
0xBA66C000 \SystemRoot\System32\Drivers\Beep.SYS
0xA7363000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA735B000 \SystemRoot\System32\drivers\vga.sys
0xBA66E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5AE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA7353000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA734B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA6B40000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA518B000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA5132000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA510A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA50E4000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xA6B30000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xA50C2000 \SystemRoot\System32\drivers\afd.sys
0xA616F000 \SystemRoot\system32\DRIVERS\netbios.sys
0xA5097000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA615F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xA5027000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA5B6B000 \SystemRoot\System32\Drivers\Fips.SYS
0xA5F7B000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0x9F477000 \SystemRoot\System32\Drivers\RTS5121.sys
0xA2291000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x96F25000 \SystemRoot\system32\DRIVERS\OA009Vid.sys
0x96F01000 \SystemRoot\system32\DRIVERS\OA009Ufd.sys
0x96EDD000 \SystemRoot\system32\DRIVERS\CtClsFlt.sys
0x986FB000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x96E0D000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0x984BC000 \SystemRoot\System32\drivers\Dxapi.sys
0x98ED6000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0x9814D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF058000 \SystemRoot\System32\igxpdv32.DLL
0xBF297000 \SystemRoot\System32\igxpdx32.DLL
0xBF5E4000 \SystemRoot\System32\ATMFD.DLL
0xBA208000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xBA218000 \SystemRoot\system32\DRIVERS\atmarpc.sys
0xB9CCA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x96D90000 \SystemRoot\system32\drivers\wdmaud.sys
0x986DB000 \SystemRoot\system32\drivers\sysaudio.sys
0x96B76000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x96A9E000 \SystemRoot\system32\DRIVERS\srv.sys
0x96145000 \SystemRoot\System32\Drivers\HTTP.sys
0x93B94000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 56):
0 System Idle Process
4 System
816 C:\WINDOWS\system32\smss.exe
864 csrss.exe
888 C:\WINDOWS\system32\winlogon.exe
932 C:\WINDOWS\system32\services.exe
944 C:\WINDOWS\system32\lsass.exe
1096 C:\WINDOWS\system32\svchost.exe
1176 svchost.exe
1216 C:\Program Files\Microsoft Security Client\MsMpEng.exe
1252 C:\WINDOWS\system32\svchost.exe
1344 svchost.exe
1424 svchost.exe
1680 C:\WINDOWS\system32\WLTRYSVC.EXE
1692 C:\WINDOWS\system32\BCMWLTRY.EXE
1740 C:\WINDOWS\system32\spoolsv.exe
1808 C:\drivers\audio\R215959\stacsv.exe
388 svchost.exe
480 C:\Program Files\Bonjour\mDNSResponder.exe
520 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
560 C:\Program Files\Java\jre6\bin\jqs.exe
652 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
764 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
1452 C:\WINDOWS\explorer.exe
1464 C:\WINDOWS\system32\svchost.exe
1544 C:\WINDOWS\system32\rundll32.exe
2112 C:\WINDOWS\system32\searchindexer.exe
2784 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2812 C:\WINDOWS\system32\igfxpers.exe
2820 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
2828 C:\Program Files\Microsoft Security Client\msseces.exe
2852 C:\Program Files\iTunes\iTunesHelper.exe
2876 C:\WINDOWS\system32\igfxsrvc.exe
2904 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
2936 C:\WINDOWS\system32\hkcmd.exe
2972 C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
3060 C:\Program Files\Dell\QuickSet\quickset.exe
3256 wmiprvse.exe
3300 C:\WINDOWS\system32\WLTRAY.EXE
3320 C:\Program Files\DellTPad\Apoint.exe
3364 C:\Program Files\DellTPad\ApMsgFwd.exe
3372 C:\Program Files\Dentrix\DtxQuickLaunch.exe
3380 C:\WINDOWS\system32\ctfmon.exe
3388 C:\WINDOWS\system32\rundll32.exe
3420 C:\Program Files\DellTPad\hidfind.exe
3428 C:\Program Files\DellTPad\ApntEx.exe
3504 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
3528 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
3824 C:\Program Files\iPod\bin\iPodService.exe
3912 alg.exe
912 C:\Program Files\Internet Explorer\iexplore.exe
3252 C:\Program Files\Internet Explorer\iexplore.exe
3024 C:\WINDOWS\system32\wscntfy.exe
2452 C:\WINDOWS\system32\searchprotocolhost.exe
3296 searchfilterhost.exe
2240 C:\Documents and Settings\Dr. Gioe\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02800000 (NTFS)
PhysicalDrive0 Model Number: WDCWD3200BEVT-75ZCT2, Rev: 11.01A11
Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: FEA788F8B8DE9383212521CD72B531C4A4BD3942
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done!
RonG1966
2012-07-30, 19:36
Malwarebytes found three problems and advised me to urgently restart after it fixed the problems.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.24.11
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dr. Gioe :: D991PWJ1 [administrator]
7/30/2012 11:21:42 AM
mbam-log-2012-07-30 (11-21-42).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231268
Time elapsed: 7 minute(s), 20 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Documents and Settings\Dr. Gioe\Local Settings\temp\0.13455140202614135 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Gioe\Local Settings\temp\0.28489533335452755 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Gioe\Local Settings\temp\0.6889053770138498 (Trojan.BHO) -> Quarantined and deleted successfully.
(end)
This doesn't necessarily mean it's infected. We will try a few other things, and if they don't work then we will address the MBR.
Looks like we crossed posts.
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
RonG1966
2012-07-30, 20:02
The log is too long to post.
Right click on the file and zip it and then attach it to this thread
RonG1966
2012-07-30, 20:32
Here you go.
OK, thanks, it looks fine
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
RonG1966
2012-07-30, 20:47
OTL Extras logfile created on: 7/30/2012 12:41:09 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Documents and Settings\Dr. Gioe\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.96 Gb Total Physical Memory | 2.44 Gb Available Physical Memory | 82.44% Memory free
4.80 Gb Paging File | 4.38 Gb Available in Paging File | 91.24% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.29 Gb Total Space | 268.35 Gb Free Space | 93.09% Space Free | Partition Type: NTFS
Computer Name: D991PWJ1 | User Name: Dr. Gioe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager -- (Intuit, Inc.)
"C:\Program Files\Dell Video Chat\DellVideoChat.exe" = C:\Program Files\Dell Video Chat\DellVideoChat.exe:*:Enabled:Dell Video Chat -- (Dell Inc. and SightSpeed Inc.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Disabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Professional
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{06A9E630-DBA6-4D92-9DE7-A235AA6496C7}" = QuickBooks
"{0700E22B-A422-40A5-BD20-04BF618CA0F9}" = QuickBooks Pro 2010
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{2B4C7E1E-E446-4740-ADB5-9842E742EE8A}" = Windows Live Toolbar
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4DB57446-B8FE-46E5-98D4-396F50C490BA}" = Dentrix 11.0
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD DX
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{91208A47-5D08-4C79-986F-1931940F51BB}" = QuickBooks Product Listing Service
"{91F46910-E6C9-44E1-8FA2-8D314BD2592C}" = Dentrix Practice Assistant
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9E1BAB75-EB78-440D-94C0-A3857BE2E733}" = System Requirements Lab
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1
"{AF32C7FA-C218-406A-A520-536A8C148830}" = Appointment Book
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B7DBF6E8-0D17-4BE4-853B-ACD6EFBD4A1F}" = iTunes
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Broadcom 802.11 Application" = Dell Wireless WLAN Card Utility
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative OA009" = Integrated Webcam Driver (1.01.01.1007)
"Dell Video Chat" = Dell Video Chat
"Dell Webcam Central" = Dell Webcam Central
"GoToAssist" = GoToAssist 8.0.0.514
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"InstallShield_{4DB57446-B8FE-46E5-98D4-396F50C490BA}" = Dentrix 11.0
"InstallShield_{91F46910-E6C9-44E1-8FA2-8D314BD2592C}" = Dentrix Practice Assistant
"InstallShield_{AF32C7FA-C218-406A-A520-536A8C148830}" = Appointment Book
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Microsoft Visual Studio 2005 Tools for Office Runtime
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
========== HKEY_USERS Uninstall List ==========
[HKEY_USERS\S-1-5-21-3055671925-3798977919-3203595821-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
========== Last 20 Event Log Errors ==========
[ Application Events ]
Error - 7/27/2012 11:21:05 AM | Computer Name = D991PWJ1 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand
Error - 7/27/2012 11:21:05 AM | Computer Name = D991PWJ1 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand
Error - 7/30/2012 8:24:41 AM | Computer Name = D991PWJ1 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand
Error - 7/30/2012 8:24:41 AM | Computer Name = D991PWJ1 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand
Error - 7/30/2012 8:24:41 AM | Computer Name = D991PWJ1 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand
Error - 7/30/2012 8:31:29 AM | Computer Name = D991PWJ1 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand
Error - 7/30/2012 8:31:29 AM | Computer Name = D991PWJ1 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand
Error - 7/30/2012 8:31:29 AM | Computer Name = D991PWJ1 | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand
Error - 7/30/2012 8:36:57 AM | Computer Name = D991PWJ1 | Source = Application Error | ID = 1000
Description = Faulting application aswmbr.exe, version 0.9.9.1665, faulting module
aswmbr.exe, version 0.9.9.1665, fault address 0x00049128.
Error - 7/30/2012 8:38:18 AM | Computer Name = D991PWJ1 | Source = Application Error | ID = 1000
Description = Faulting application aswmbr.exe, version 0.9.9.1665, faulting module
aswmbr.exe, version 0.9.9.1665, fault address 0x00005b96.
[ System Events ]
Error - 7/26/2012 3:10:49 PM | Computer Name = D991PWJ1 | Source = Service Control Manager | ID = 7000
Description = The Microsoft TV/Video Connection service failed to start due to the
following error: %%1058
Error - 7/26/2012 3:18:48 PM | Computer Name = D991PWJ1 | Source = Service Control Manager | ID = 7000
Description = The Microsoft TV/Video Connection service failed to start due to the
following error: %%1058
Error - 7/27/2012 8:26:26 AM | Computer Name = D991PWJ1 | Source = Service Control Manager | ID = 7000
Description = The Microsoft TV/Video Connection service failed to start due to the
following error: %%1058
Error - 7/30/2012 8:16:22 AM | Computer Name = D991PWJ1 | Source = Service Control Manager | ID = 7000
Description = The Microsoft TV/Video Connection service failed to start due to the
following error: %%1058
Error - 7/30/2012 8:41:51 AM | Computer Name = D991PWJ1 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
APPDRV Fips intelppm MpFilter
Error - 7/30/2012 8:41:58 AM | Computer Name = D991PWJ1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Error - 7/30/2012 8:42:50 AM | Computer Name = D991PWJ1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Error - 7/30/2012 8:43:10 AM | Computer Name = D991PWJ1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
Error - 7/30/2012 8:43:55 AM | Computer Name = D991PWJ1 | Source = Service Control Manager | ID = 7000
Description = The Microsoft TV/Video Connection service failed to start due to the
following error: %%1058
Error - 7/30/2012 12:32:32 PM | Computer Name = D991PWJ1 | Source = Service Control Manager | ID = 7000
Description = The Microsoft TV/Video Connection service failed to start due to the
following error: %%1058
< End of report >
RonG1966
2012-07-30, 20:48
OTL logfile created on: 7/30/2012 12:41:09 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Documents and Settings\Dr. Gioe\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.96 Gb Total Physical Memory | 2.44 Gb Available Physical Memory | 82.44% Memory free
4.80 Gb Paging File | 4.38 Gb Available in Paging File | 91.24% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.29 Gb Total Space | 268.35 Gb Free Space | 93.09% Space Free | Partition Type: NTFS
Computer Name: D991PWJ1 | User Name: Dr. Gioe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Dr. Gioe\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
PRC - c:\drivers\audio\R215959\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dentrix\DtxQuickLaunch.exe ( )
========== Modules (No Company Name) ==========
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_0644e203\system.drawing.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_f8595151\system.windows.forms.dll ()
MOD - c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_2c6d171e\mscorlib.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_f4091cf8\system.dll ()
MOD - c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll ()
MOD - c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Dell\QuickSet\dadkeyb.dll ()
MOD - C:\WINDOWS\system32\preflib.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\Program Files\Dell\QuickSet\preflibcl.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
========== Win32 Services (SafeList) ==========
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (STacSV) -- c:\drivers\audio\R215959\stacsv.exe (IDT, Inc.)
SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
========== Driver Services (SafeList) ==========
DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\DRF276~1.GIO\LOCALS~1\Temp\catchme.sys File not found
DRV - (MpKsl3724a2c6) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDFF5785-3BE7-45DC-9684-2B561B187DD9}\MpKsl3724a2c6.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (MonFilt) -- C:\WINDOWS\system32\drivers\MonFilt.sys (Creative Technology Ltd.)
DRV - (AMBFilt) -- C:\WINDOWS\system32\drivers\AMBFilt.sys (Creative)
DRV - (AESTAud) -- C:\WINDOWS\system32\drivers\AESTAud.sys (Andrea Electronics Corporation)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (RSUSBSTOR) -- C:\WINDOWS\system32\drivers\RTS5121.sys (Realtek Semiconductor Corp.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (CtClsFlt) -- C:\WINDOWS\system32\drivers\CtClsFlt.sys (Creative Technology Ltd.)
DRV - (OA009Ufd) -- C:\WINDOWS\system32\drivers\OA009Ufd.sys (Creative Technology Ltd.)
DRV - (OA009Vid) -- C:\WINDOWS\system32\drivers\OA009Vid.sys (Creative Technology Ltd.)
DRV - (OA009Afx) -- C:\WINDOWS\system32\drivers\OA009Afx.sys (Creative Technology Ltd.)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (APPDRV) -- C:\WINDOWS\system32\drivers\APPDRV.SYS (Dell Inc)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USCON/1
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\..\SearchScopes\{8458547F-A473-47B6-8A52-02C95BA4C3E4}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Dr. Gioe\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Dr. Gioe\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Dr. Gioe\Application Data\Move Networks [2010/01/31 20:36:32 | 000,000,000 | ---D | M]
[2011/05/05 19:20:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
O1 HOSTS File: ([2012/07/19 11:38:54 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\.DEFAULT..\Run: [PowerDVD DX] C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [PowerDVD DX] C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005..\Run: [DtxQuickLaunch.exe] C:\Program Files\Dentrix\DtxQuickLaunch.exe ( )
O4 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005..\Run: [PowerDVD DX] C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab (DLM Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249672030562 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{99D6E85F-BC24-4E22-8C7B-0FD7C318C9A7}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 16:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2012/07/30 12:38:36 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dr. Gioe\Desktop\OTL.exe
[2012/07/30 07:35:56 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Dr. Gioe\Desktop\aswMBR.exe
[2012/07/25 20:02:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2012/07/24 14:49:15 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Dr. Gioe\Desktop\dds.scr
[2012/07/24 13:22:36 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dr. Gioe\Desktop\TDSSKiller.exe
[2012/07/20 14:09:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/07/16 17:04:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/07/16 17:04:23 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/07/16 17:04:23 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/07/16 17:04:23 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/16 17:04:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/16 17:02:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr. Gioe\Desktop\tdsskiller
[2012/07/16 17:01:56 | 004,582,475 | R--- | C] (Swearware) -- C:\Documents and Settings\Dr. Gioe\Desktop\ComboFix.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2012/07/30 12:38:43 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dr. Gioe\Desktop\OTL.exe
[2012/07/30 12:32:44 | 000,003,359 | ---- | M] () -- C:\WINDOWS\dentrix.ini
[2012/07/30 12:30:42 | 000,033,038 | ---- | M] () -- C:\TDSSKiller.2.7.48.0_30.07.2012_11.49.12_log.zip
[2012/07/30 11:48:43 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dr. Gioe\Desktop\TDSSKiller.exe
[2012/07/30 11:47:37 | 002,117,108 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\Desktop\tdsskiller.zip
[2012/07/30 11:42:31 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/07/30 11:32:35 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/30 11:32:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/30 11:32:25 | 3181,756,416 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/30 11:15:09 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\Desktop\MBRCheck.exe
[2012/07/30 07:42:54 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\Desktop\MBR.dat
[2012/07/30 07:35:59 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Dr. Gioe\Desktop\aswMBR.exe
[2012/07/27 10:20:45 | 000,004,123 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\940-2q2012.pdf
[2012/07/25 20:02:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/07/24 17:19:47 | 000,004,095 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\Desktop\attach.zip
[2012/07/24 15:04:11 | 000,004,769 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\Attach.zip
[2012/07/24 14:49:28 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Dr. Gioe\Desktop\dds.scr
[2012/07/23 15:37:07 | 000,572,654 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\dcc-2650.pdf
[2012/07/19 11:38:54 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/07/19 11:31:34 | 004,582,475 | R--- | M] (Swearware) -- C:\Documents and Settings\Dr. Gioe\Desktop\ComboFix.exe
[2012/07/18 08:45:21 | 000,000,537 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\941nov2011.lnk
[2012/07/16 16:40:34 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/07/13 10:26:06 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/12 15:42:49 | 000,004,115 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\941june2012.pdf
[2012/07/12 07:24:55 | 000,196,960 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/11 16:21:26 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/11 12:47:59 | 000,421,276 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\867.pdf
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2012/07/30 12:30:42 | 000,033,038 | ---- | C] () -- C:\TDSSKiller.2.7.48.0_30.07.2012_11.49.12_log.zip
[2012/07/30 11:47:35 | 002,117,108 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Desktop\tdsskiller.zip
[2012/07/30 11:14:37 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Desktop\MBRCheck.exe
[2012/07/30 07:43:46 | 3181,756,416 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/30 07:42:54 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Desktop\MBR.dat
[2012/07/27 10:20:45 | 000,004,123 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\My Documents\940-2q2012.pdf
[2012/07/24 17:19:47 | 000,004,095 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Desktop\attach.zip
[2012/07/23 15:37:07 | 000,572,654 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\My Documents\dcc-2650.pdf
[2012/07/16 17:04:23 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/07/16 17:04:23 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/07/16 17:04:23 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/07/16 17:04:23 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/07/16 17:04:23 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/07/16 16:37:26 | 000,002,111 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2012/07/16 16:37:26 | 000,001,789 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2012/07/16 16:37:26 | 000,001,727 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2012/07/12 15:42:49 | 000,004,115 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\My Documents\941june2012.pdf
[2012/07/11 12:47:59 | 000,421,276 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\My Documents\867.pdf
[2012/05/09 16:51:37 | 000,739,816 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/04/24 09:02:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DocCenter.INI
[2012/02/15 08:26:55 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/05/06 18:35:45 | 000,000,015 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\settings.dat
[2011/05/06 08:04:55 | 000,000,091 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/05/05 19:13:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/05 09:59:39 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Bkaduyokuyepe.dat
[2010/02/17 13:47:29 | 000,001,466 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Application Data\wklnhst.dat
[2009/09/10 15:38:10 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/07 08:32:05 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\fusioncache.dat
========== LOP Check ==========
[2009/08/01 06:55:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Windows Desktop Search
[2011/02/24 10:57:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco Systems
[2009/08/06 19:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/05/06 16:24:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/05/23 14:37:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nuance
[2011/10/18 12:06:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCDr
[2011/02/15 13:46:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pFcFcAe08200
[2010/05/23 14:43:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 11
[2009/08/01 06:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2012/01/05 08:54:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/08/01 06:55:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Cheri\Application Data\Windows Desktop Search
[2012/07/20 14:09:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Cheri\Application Data\Windows Search
[2009/08/01 06:55:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Windows Desktop Search
[2010/12/17 08:59:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Gioe\Application Data\PCDr
[2010/02/17 13:47:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Gioe\Application Data\Template
[2009/08/01 06:55:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Gioe\Application Data\Windows Desktop Search
[2009/08/06 18:13:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dr. Gioe\Application Data\Windows Search
========== Purity Check ==========
< End of report >
Nothing out of the ordinary in your log; let's run this script, which will restore your hosts file to the Microsoft default and flush your DNS cache.
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
:Services
:Reg
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time).
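The [resethosts] directive above overwrites the hosts file with the Microsoft default without saying what was in it; in this thread the O1 lines show only "127.0.0.1 localhost" before the fix and the two default entries afterwards. The script below is an added example, not part of the thread and not OTL code: it parses a Windows hosts file the way the resolver reads it and separates entries that merely block a name (loopback or 0.0.0.0 target) from entries that divert it to another address, which is the hosts-file cause of the search redirects the poster describes. The sample file contents are constructed, with documentation-range addresses.

```python
"""Hosts-file audit for search-redirect triage (added example, not OTL code).

Classifies every entry that is not one of the two Microsoft defaults as either
'blocking' (name made unreachable) or 'redirect' (name diverted elsewhere).
Sample data is constructed; 198.51.100.0/24 is a documentation range.
"""
import ipaddress
from typing import Dict, List, Tuple

# Microsoft's default hosts entries on Windows XP and later; this is what a
# hosts reset writes back.
DEFAULT_HOSTS_TEXT = "127.0.0.1       localhost\r\n::1             localhost\r\n"
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample of a tampered hosts file (not the poster's actual file).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    "127.0.0.1       localhost\r\n"
    "::1             localhost\r\n"
    "0.0.0.0         ads.example          # ad-block style entry\r\n"
    "198.51.100.7    www.bing.com         # search engine diverted\r\n"
    "198.51.100.7    www.google.com\r\n"
    "not-an-ip       garbage.example      # malformed, ignored by Windows\r\n"
)

Entry = Tuple[str, str]


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, hostname) pairs.

    Comments, blank lines and lines whose first field is not an IP address
    are skipped, matching how the Windows resolver treats them.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for name in names:
            entries.append((address, name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Classify every non-default entry.

    'blocking' : target is loopback or unspecified (0.0.0.0), so the name is
                 unreachable; typical of ad-block lists, also used by malware
                 to cut off AV update sites.
    'redirect' : any other address, so traffic for the name is diverted; the
                 hosts-file cause of search redirects.
    """
    findings: Dict[str, List[Entry]] = {"blocking": [], "redirect": []}
    for address, name in parse_hosts(text):
        if (address, name) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(address)
        if addr.is_loopback or addr.is_unspecified:
            findings["blocking"].append((address, name))
        else:
            findings["redirect"].append((address, name))
    return findings


def is_default_hosts(text: str) -> bool:
    """True when the file holds no entry beyond the Microsoft defaults."""
    return all(entry in DEFAULT_ENTRIES for entry in parse_hosts(text))


if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for address, name in entries:
            print(f"{kind:9s} {name} -> {address}")
    print("sample is default:", is_default_hosts(SAMPLE_HOSTS))
    print("reset file is default:", is_default_hosts(DEFAULT_HOSTS_TEXT))
```

Run against a real machine by reading C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts`; an empty "redirect" list together with a clean DNS server setting (the O17 DhcpNameServer lines in the OTL log) means the redirect is coming from somewhere other than name resolution, such as the BHO the poster's scanners flagged.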
RonG1966
2012-07-30, 21:06
All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Dr. Gioe\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Dr. Gioe\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 321 bytes
User: All Users
User: Cheri
->Temp folder emptied: 180148 bytes
->Temporary Internet Files folder emptied: 15863152 bytes
->Flash cache emptied: 57028 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56787 bytes
User: Dr. Gioe
->Temp folder emptied: 245317 bytes
->Temporary Internet Files folder emptied: 108144551 bytes
->Java cache emptied: 9382354 bytes
->Flash cache emptied: 57262 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1425542 bytes
->Flash cache emptied: 3927 bytes
User: NetworkService
->Temp folder emptied: 70802 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 11869 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 804663 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 12646554 bytes
Total Files Cleaned = 142.00 mb
OTL by OldTimer - Version 3.2.55.0 log created on 07302012_130153
Files\Folders moved on Reboot...
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
RonG1966
2012-07-30, 21:13
OTL logfile created on: 7/30/2012 1:07:12 PM - Run 2
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Documents and Settings\Dr. Gioe\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
2.96 Gb Total Physical Memory | 2.44 Gb Available Physical Memory | 82.45% Memory free
4.80 Gb Paging File | 4.37 Gb Available in Paging File | 90.90% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.29 Gb Total Space | 268.51 Gb Free Space | 93.14% Space Free | Partition Type: NTFS
Computer Name: D991PWJ1 | User Name: Dr. Gioe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Dr. Gioe\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
PRC - c:\drivers\audio\R215959\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dentrix\DtxQuickLaunch.exe ( )
========== Modules (No Company Name) ==========
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_0644e203\system.drawing.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_f8595151\system.windows.forms.dll ()
MOD - c:\windows\assembly\gac\system.drawing\1.0.5000.0__b03f5f7f11d50a3a\system.drawing.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_2c6d171e\mscorlib.dll ()
MOD - c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_f4091cf8\system.dll ()
MOD - c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll ()
MOD - c:\windows\assembly\gac\system.windows.forms\1.0.5000.0__b77a5c561934e089\system.windows.forms.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\Dell\QuickSet\dadkeyb.dll ()
MOD - C:\WINDOWS\system32\preflib.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()
MOD - C:\Program Files\Dell\QuickSet\preflibcl.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
========== Win32 Services (SafeList) ==========
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)
SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)
SRV - (STacSV) -- c:\drivers\audio\R215959\stacsv.exe (IDT, Inc.)
SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
========== Driver Services (SafeList) ==========
DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\DRF276~1.GIO\LOCALS~1\Temp\catchme.sys File not found
DRV - (MpKsl3724a2c6) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDFF5785-3BE7-45DC-9684-2B561B187DD9}\MpKsl3724a2c6.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (MonFilt) -- C:\WINDOWS\system32\drivers\MonFilt.sys (Creative Technology Ltd.)
DRV - (AMBFilt) -- C:\WINDOWS\system32\drivers\AMBFilt.sys (Creative)
DRV - (AESTAud) -- C:\WINDOWS\system32\drivers\AESTAud.sys (Andrea Electronics Corporation)
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (RSUSBSTOR) -- C:\WINDOWS\system32\drivers\RTS5121.sys (Realtek Semiconductor Corp.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (CtClsFlt) -- C:\WINDOWS\system32\drivers\CtClsFlt.sys (Creative Technology Ltd.)
DRV - (OA009Ufd) -- C:\WINDOWS\system32\drivers\OA009Ufd.sys (Creative Technology Ltd.)
DRV - (OA009Vid) -- C:\WINDOWS\system32\drivers\OA009Vid.sys (Creative Technology Ltd.)
DRV - (OA009Afx) -- C:\WINDOWS\system32\drivers\OA009Afx.sys (Creative Technology Ltd.)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (APPDRV) -- C:\WINDOWS\system32\drivers\APPDRV.SYS (Dell Inc)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USCON/1
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\..\SearchScopes\{8458547F-A473-47B6-8A52-02C95BA4C3E4}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
========== FireFox ==========
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Dr. Gioe\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Dr. Gioe\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\moveplayer@movenetworks.com: C:\Documents and Settings\Dr. Gioe\Application Data\Move Networks [2010/01/31 20:36:32 | 000,000,000 | ---D | M]
[2011/05/05 19:20:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
O1 HOSTS File: ([2012/07/30 13:01:55 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [AESTFltr] C:\WINDOWS\System32\AESTFltr.exe (Andrea Electronics Corporation)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\.DEFAULT..\Run: [PowerDVD DX] C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [PowerDVD DX] C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005..\Run: [DtxQuickLaunch.exe] C:\Program Files\Dentrix\DtxQuickLaunch.exe ( )
O4 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005..\Run: [PowerDVD DX] C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3055671925-3798977919-3203595821-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab (DLM Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249672030562 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{99D6E85F-BC24-4E22-8C7B-0FD7C318C9A7}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2007\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 16:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
========== Files/Folders - Created Within 30 Days ==========
[2012/07/30 13:01:53 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/07/30 12:38:36 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Dr. Gioe\Desktop\OTL.exe
[2012/07/30 07:35:56 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Dr. Gioe\Desktop\aswMBR.exe
[2012/07/25 20:02:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2012/07/24 14:49:15 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Dr. Gioe\Desktop\dds.scr
[2012/07/24 13:22:36 | 002,136,664 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dr. Gioe\Desktop\TDSSKiller.exe
[2012/07/20 14:09:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/07/16 17:04:23 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/07/16 17:04:23 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/07/16 17:04:23 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/07/16 17:04:23 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/07/16 17:04:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/07/16 17:02:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dr. Gioe\Desktop\tdsskiller
[2012/07/16 17:01:56 | 004,582,475 | R--- | C] (Swearware) -- C:\Documents and Settings\Dr. Gioe\Desktop\ComboFix.exe
========== Files - Modified Within 30 Days ==========
[2012/07/30 13:04:14 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/30 13:04:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/30 13:04:01 | 3181,756,416 | -HS- | M] () -- C:\hiberfil.sys
[2012/07/30 13:01:55 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/07/30 12:58:30 | 000,003,359 | ---- | M] () -- C:\WINDOWS\dentrix.ini
[2012/07/30 12:38:43 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dr. Gioe\Desktop\OTL.exe
[2012/07/30 12:30:42 | 000,033,038 | ---- | M] () -- C:\TDSSKiller.2.7.48.0_30.07.2012_11.49.12_log.zip
[2012/07/30 11:48:43 | 002,136,664 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Dr. Gioe\Desktop\TDSSKiller.exe
[2012/07/30 11:47:37 | 002,117,108 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\Desktop\tdsskiller.zip
[2012/07/30 11:42:31 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/07/30 11:15:09 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\Desktop\MBRCheck.exe
[2012/07/30 07:42:54 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\Desktop\MBR.dat
[2012/07/30 07:35:59 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Dr. Gioe\Desktop\aswMBR.exe
[2012/07/27 10:20:45 | 000,004,123 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\940-2q2012.pdf
[2012/07/25 20:02:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/07/24 17:19:47 | 000,004,095 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\Desktop\attach.zip
[2012/07/24 15:04:11 | 000,004,769 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\Attach.zip
[2012/07/24 14:49:28 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Dr. Gioe\Desktop\dds.scr
[2012/07/23 15:37:07 | 000,572,654 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\dcc-2650.pdf
[2012/07/19 11:31:34 | 004,582,475 | R--- | M] (Swearware) -- C:\Documents and Settings\Dr. Gioe\Desktop\ComboFix.exe
[2012/07/18 08:45:21 | 000,000,537 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\941nov2011.lnk
[2012/07/16 16:40:34 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/07/13 10:26:06 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/12 15:42:49 | 000,004,115 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\941june2012.pdf
[2012/07/12 07:24:55 | 000,196,960 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/07/11 16:21:26 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/07/11 12:47:59 | 000,421,276 | ---- | M] () -- C:\Documents and Settings\Dr. Gioe\My Documents\867.pdf
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
========== Files Created - No Company Name ==========
[2012/07/30 12:30:42 | 000,033,038 | ---- | C] () -- C:\TDSSKiller.2.7.48.0_30.07.2012_11.49.12_log.zip
[2012/07/30 11:47:35 | 002,117,108 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Desktop\tdsskiller.zip
[2012/07/30 11:14:37 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Desktop\MBRCheck.exe
[2012/07/30 07:43:46 | 3181,756,416 | -HS- | C] () -- C:\hiberfil.sys
[2012/07/30 07:42:54 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Desktop\MBR.dat
[2012/07/27 10:20:45 | 000,004,123 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\My Documents\940-2q2012.pdf
[2012/07/24 17:19:47 | 000,004,095 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Desktop\attach.zip
[2012/07/23 15:37:07 | 000,572,654 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\My Documents\dcc-2650.pdf
[2012/07/16 17:04:23 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/07/16 17:04:23 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/07/16 17:04:23 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/07/16 17:04:23 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/07/16 17:04:23 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/07/16 16:37:26 | 000,002,111 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2012/07/16 16:37:26 | 000,001,789 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2012/07/16 16:37:26 | 000,001,727 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2012/07/12 15:42:49 | 000,004,115 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\My Documents\941june2012.pdf
[2012/07/11 12:47:59 | 000,421,276 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\My Documents\867.pdf
[2012/05/09 16:51:37 | 000,739,816 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/04/24 09:02:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DocCenter.INI
[2012/02/15 08:26:55 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/05/06 18:35:45 | 000,000,015 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\settings.dat
[2011/05/06 08:04:55 | 000,000,091 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/05/05 19:13:34 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/05 09:59:39 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Bkaduyokuyepe.dat
[2010/02/17 13:47:29 | 000,001,466 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Application Data\wklnhst.dat
[2009/09/10 15:38:10 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/07 08:32:05 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\fusioncache.dat
< End of report >
Are you still being redirected?
RonG1966
2012-07-31, 00:56
Yes, I still get redirected, and Microsoft Security Essentials found the same trojan (tadtruss?) that it has been finding for the last two weeks. This might not be related, but when closing windows, run32dll.exe can't close.
This may be related to your Java. It looks like you have run Combofix before; go to C:\ComboFix.txt and copy and paste the log for me to see.
RonG1966
2012-07-31, 03:40
ComboFix 12-07-19.02 - Dr. Gioe 07/19/2012 11:32:48.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3034.2405 [GMT -5:00]
Running from: c:\documents and settings\Dr. Gioe\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-19 to 2012-07-19 )))))))))))))))))))))))))))))))
.
.
2012-07-19 16:24 . 2012-07-19 16:24 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9C089A-A9E5-4035-9269-27D1FED6E7C9}\offreg.dll
2012-07-19 16:24 . 2012-07-19 16:24 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9C089A-A9E5-4035-9269-27D1FED6E7C9}\MpKslf6929080.sys
2012-07-18 17:05 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9C089A-A9E5-4035-9269-27D1FED6E7C9}\mpengine.dll
2012-07-18 12:35 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2011-05-06 00:10 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:29 . 2008-04-25 16:16 1875072 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-25 16:16 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2008-04-25 16:16 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2008-10-16 19:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2008-04-25 21:27 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2008-04-25 21:27 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2008-04-25 21:27 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2008-10-16 19:09 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2008-04-25 21:27 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2008-04-25 21:27 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2008-04-25 16:16 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2008-10-16 19:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2008-04-25 21:27 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2008-04-25 21:27 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2009-08-07 19:52 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2009-08-07 19:52 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2008-10-16 19:07 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:24 . 2008-04-25 16:16 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:41 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-04-25 21:26 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-16_22.08.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-19 12:25 . 2012-07-19 12:25 16384 c:\windows\Temp\Perflib_Perfdata_2ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DtxQuickLaunch.exe"="c:\program files\Dentrix\DtxQuickLaunch.exe" [2005-02-25 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-03 483420]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-03 737280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-2-4 1155432]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-08-01 11:58 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
.
R1 MpKslf6929080;MpKslf6929080;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DB9C089A-A9E5-4035-9269-27D1FED6E7C9}\MpKslf6929080.sys [7/19/2012 11:24 AM 29904]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/1/2009 9:43 AM 113024]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/1/2009 7:03 AM 144128]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [8/1/2009 9:43 AM 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [8/1/2009 9:43 AM 144544]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [8/1/2009 9:43 AM 268992]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/1/2009 9:43 AM 160256]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [8/1/2009 9:43 AM 1656960]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLF6929080
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-07-19 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Apple Computer - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll
HKU-Default-Run-Apple Computer - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-19 11:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(888)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2012-07-19 11:40:21
ComboFix-quarantined-files.txt 2012-07-19 16:40
ComboFix2.txt 2012-07-16 22:10
ComboFix3.txt 2011-05-15 15:55
.
Pre-Run: 288,327,761,920 bytes free
Post-Run: 288,567,136,256 bytes free
.
- - End Of File - - 96F3DADE6839E585E50E279FB93E24D3
Drag your copy of Combofix to the trash and let's grab a new, fresh, updated copy.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above ClearJavaCache::
ClearJavaCache::
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
RonG1966
2012-07-31, 04:16
ComboFix 12-07-30.01 - Dr. Gioe 07/30/2012 20:08:26.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3034.2515 [GMT -5:00]
Running from: c:\documents and settings\Dr. Gioe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dr. Gioe\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-31 )))))))))))))))))))))))))))))))
.
.
2012-07-30 21:51 . 2012-07-30 21:51 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDFF5785-3BE7-45DC-9684-2B561B187DD9}\offreg.dll
2012-07-30 18:01 . 2012-07-30 18:01 -------- d-----w- C:\_OTL
2012-07-30 16:32 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CDFF5785-3BE7-45DC-9684-2B561B187DD9}\mpengine.dll
2012-07-26 19:29 . 2012-06-29 08:44 6891424 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-26 01:02 . 2012-07-26 01:02 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2012-07-20 18:56 . 2012-07-26 01:35 -------- d-----w- c:\documents and settings\Cheri
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-30 17:30 . 2012-07-30 17:30 33038 ----a-w- C:\TDSSKiller.2.7.48.0_30.07.2012_11.49.12_log.zip
2012-07-03 18:46 . 2011-05-06 00:10 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:29 . 2008-04-25 16:16 1875072 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-25 16:16 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2008-04-25 16:16 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 20:19 . 2008-10-16 19:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2008-04-25 21:27 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2008-04-25 21:27 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2008-04-25 21:27 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2008-10-16 19:09 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2008-10-16 19:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2008-04-25 21:27 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2008-04-25 21:27 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2008-04-25 16:16 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2008-10-16 19:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2008-04-25 21:27 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2008-04-25 21:27 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2009-08-07 19:52 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2009-08-07 19:52 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 20:18 . 2008-10-16 19:07 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2008-04-25 16:16 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:24 . 2008-04-25 16:16 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:41 . 2008-04-14 00:01 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2008-04-25 21:26 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-16_22.08.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-30 21:49 . 2012-07-30 21:49 16384 c:\windows\Temp\Perflib_Perfdata_294.dat
+ 2011-12-19 23:16 . 2006-04-10 20:02 74752 c:\windows\system32\spool\drivers\w32x86\3\hpzpr054.dll
+ 2011-12-19 23:16 . 2006-03-04 03:02 57344 c:\windows\system32\spool\drivers\w32x86\3\HPZISN12.DLL
+ 2011-12-19 23:16 . 2006-03-04 03:02 94208 c:\windows\system32\spool\drivers\w32x86\3\HPZIPT12.DLL
+ 2011-12-19 23:16 . 2006-03-04 03:03 69632 c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
+ 2011-12-19 23:16 . 2006-03-04 03:03 65536 c:\windows\system32\spool\drivers\w32x86\3\HPZINW12.EXE
+ 2011-12-19 23:16 . 2004-10-16 11:31 61440 c:\windows\system32\spool\drivers\w32x86\3\HPNRA.EXE
+ 2011-12-19 23:16 . 2005-06-20 20:33 94208 c:\windows\system32\spool\drivers\w32x86\3\HPJIPX1U.DLL
+ 2011-12-19 23:16 . 2005-09-19 20:17 79872 c:\windows\system32\spool\drivers\w32x86\3\hpfrs054.dll
+ 2011-12-19 23:16 . 2005-06-20 20:33 57344 c:\windows\system32\spool\drivers\w32x86\3\HPBPROPS.DLL
+ 2011-12-19 23:16 . 2005-05-20 16:37 81920 c:\windows\system32\spool\drivers\w32x86\3\HPBPRO.EXE
+ 2011-12-19 23:16 . 2005-06-20 20:33 57344 c:\windows\system32\spool\drivers\w32x86\3\HPBOIDPS.DLL
+ 2011-12-19 23:16 . 2004-10-16 11:31 73728 c:\windows\system32\spool\drivers\w32x86\3\HPBOID.EXE
+ 2011-12-19 23:16 . 2005-06-20 20:33 49152 c:\windows\system32\spool\drivers\w32x86\3\HPBNRAC2.DLL
+ 2011-12-19 23:16 . 2005-06-20 20:33 81920 c:\windows\system32\spool\drivers\w32x86\3\HPBMIAPI.DLL
+ 2011-12-19 23:16 . 2006-04-10 19:44 563200 c:\windows\system32\spool\drivers\w32x86\3\hpzss054.dll
+ 2011-12-19 23:16 . 2006-03-04 03:02 204800 c:\windows\system32\spool\drivers\w32x86\3\HPZIPR12.DLL
+ 2011-12-19 23:16 . 2006-03-04 03:03 282680 c:\windows\system32\spool\drivers\w32x86\3\HPZIDR12.DLL
+ 2011-12-19 23:16 . 2006-04-10 20:02 309760 c:\windows\system32\spool\drivers\w32x86\3\hpzev054.dll
+ 2011-12-19 23:16 . 2006-04-10 20:02 248320 c:\windows\system32\spool\drivers\w32x86\3\hpz3a054.dll
+ 2011-12-19 23:16 . 2005-06-20 20:51 208969 c:\windows\system32\spool\drivers\w32x86\3\HPPASNM0.DLL
+ 2011-12-19 23:16 . 2005-06-20 20:51 225351 c:\windows\system32\spool\drivers\w32x86\3\HPPAPTS0.DLL
+ 2011-12-19 23:16 . 2005-06-20 20:51 213063 c:\windows\system32\spool\drivers\w32x86\3\HPPAPML0.DLL
+ 2011-12-19 23:16 . 2005-06-20 20:33 163840 c:\windows\system32\spool\drivers\w32x86\3\HPJCMN2U.DLL
+ 2011-12-19 23:16 . 2005-09-19 20:17 274944 c:\windows\system32\spool\drivers\w32x86\3\hpfie054.dll
+ 2011-12-19 23:16 . 2006-03-14 20:49 659528 c:\windows\system32\spool\drivers\w32x86\3\hpcdmc32.dll
+ 2011-12-19 23:16 . 2005-08-08 23:26 139264 c:\windows\system32\spool\drivers\w32x86\3\HPBMINI.DLL
+ 2011-12-19 23:16 . 2006-04-10 20:02 2572288 c:\windows\system32\spool\drivers\w32x86\3\hpzui054.dll
+ 2011-12-19 23:16 . 2006-04-10 19:19 3650048 c:\windows\system32\spool\drivers\w32x86\3\hpzst054.dll
+ 2011-12-19 23:16 . 2006-04-10 20:03 1360384 c:\windows\system32\spool\drivers\w32x86\3\hpz3r054.dll
+ 2011-12-19 23:16 . 2005-11-18 03:53 7134720 c:\windows\system32\spool\drivers\w32x86\3\hpfig054.dll
+ 2011-12-19 23:16 . 2006-01-24 14:22 1392640 c:\windows\system32\spool\drivers\w32x86\3\hpbcfgre.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DtxQuickLaunch.exe"="c:\program files\Dentrix\DtxQuickLaunch.exe" [2005-02-25 81920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-03 483420]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-08 150040]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-08 178712]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2009-01-09 1712128]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-31 217088]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-04-03 737280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-2-4 1155432]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-08-01 11:58 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Mail\\wlmail.exe"=
.
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/1/2009 9:43 AM 113024]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [8/1/2009 7:03 AM 144128]
R3 OA009Afx;Provides a software interface to control audio effects of OA009 camera.;c:\windows\system32\drivers\OA009Afx.sys [8/1/2009 9:43 AM 148056]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [8/1/2009 9:43 AM 144544]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [8/1/2009 9:43 AM 268992]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [8/1/2009 9:43 AM 160256]
S2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [8/1/2009 9:43 AM 1656960]
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-07-30 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 22:03]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-PowerDVD DX - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll
HKU-Default-Run-PowerDVD DX - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-30 20:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(892)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2012-07-30 20:14:36
ComboFix-quarantined-files.txt 2012-07-31 01:14
ComboFix2.txt 2012-07-19 16:40
ComboFix3.txt 2012-07-16 22:10
ComboFix4.txt 2011-05-15 15:55
.
Pre-Run: 288,232,828,928 bytes free
Post-Run: 288,259,944,448 bytes free
.
- - End Of File - - 104E4B1B820E6B59B1D8EE0C2DB1BE0D
RonG1966
2012-07-31, 16:05
I tried some searches and got no redirects so things look better. Thank you very much for your help!
RonG1966
2012-07-31, 18:47
Getting redirects again. This time they are not opening in a new window.
Where are you being redirected to? Let me ask you about your setup: are you on a router, do you have other computers accessing this router, and if so are they getting redirected also?
Is it just IE being redirected or is it Firefox as well?
ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
RonG1966
2012-07-31, 20:23
Some of the redirects open another window with a list of sites related to the original search; a lot of times it was Scour. Other times when I would click on a site on my search I would get redirected to another site with similar content. I have a combination router/DSL modem (Motorola) with two other desktop computers connected, but they have limited (Content Advisor enabled) internet access, and I checked on one of them to see if I got redirects and I did not. I don't use Firefox. Here is the ESET scan.
C:\Qoobox\Quarantine\C\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Dell\Apple Computer\uqjqls.dll.vir a variant of Win32/Kryptik.AIZP trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Dr. Gioe\Local Settings\Application Data\PowerDVD DX\Microsoft\tvzjqlnhf.dll.vir a variant of Win32/Kryptik.AIZP trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll.vir a variant of Win32/Kryptik.AIZP trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP1\A0000023.dll a variant of Win32/Kryptik.AIZP trojan
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP11\A0000843.dll a variant of Win32/Kryptik.AIZP trojan
OK, thanks for the info. I have seen routers in the past get infected, but if it's just your system then most likely the router is ok.
The files in Qoobox are just backups of what ComboFix removed; they're harmless where they are, and we will remove them when we're done.
The other files are in System Restore; let's flush them all out and create a new restore point.
System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.
Please follow the steps below to create a clean restore point:
Click Start > Run > copy and paste the following into the run box:
%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.
Then remove all previous Restore Points
Click Start > Run > copy and paste the following into the run box:
cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.
Let's run another rootkit scanner; with all the scans we have run we seem to be hitting a wall.
Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.
Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.
Next:
Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double click GMER.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please copy and paste the report into your Post.
RonG1966
2012-07-31, 21:01
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-07-31 13:00:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: gmer.exe; Driver: C:\DOCUME~1\DRF276~1.GIO\LOCALS~1\Temp\pwdyapog.sys
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Ron,
That does not look like the entire GMER log. Did you click on the picture to expand it and check all the boxes that are marked? If not, please try it again. Also, did you use DeFogger to disable your CD drivers? Let me know and I will post back on how to re-enable them.
Then do this; you just need to run the 32-bit version.
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
64 Bit Version (http://jpshortstuff.247Fixes.com/SystemLook_x64.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind
Scour
:folderfind
Scour
:Regfind
Scour
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Also, open Internet Explorer and go to Tools > Manage Add-Ons > Search Providers, and if you see Scour in there or any you don't recognize, just right-click on it and delete them.
RonG1966
2012-07-31, 23:46
I ran defogger and gmer again. Gmer scanned the files, and then it stopped; it did not say that it had finished--I saved the file when it stopped scanning.
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-31 15:39:54
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: gmer.exe; Driver: C:\DOCUME~1\DRF276~1.GIO\LOCALS~1\Temp\pwdyapog.sys
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\Drivers\OA009Afx.sys entry point in "init" section [0xA5657310]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\SearchIndexer.exe[2092] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
RonG1966
2012-07-31, 23:53
Only Bing and Google search providers are listed.
SystemLook 30.07.11 by jpshortstuff
Log created at 15:52 on 31/07/2012 by Dr. Gioe
Administrator - Elevation successful
========== filefind ==========
Searching for "Scour"
No files found.
========== folderfind ==========
Searching for "Scour"
No folders found.
========== Regfind ==========
Searching for "Scour"
No data found.
-= EOF =-
Open IE and go to Tools > Internet Options > Advanced Tab > Reset Internet Explorer Settings > Reset. This may take a minute or two; when it's done, X out and close IE, reopen it and see if your redirects are gone.
RonG1966
2012-08-01, 01:34
Still redirecting and Microsoft SE found the trojan again after I used search.
Open Malwarebytes, go to the update tab and check for updates and let it update, then run the FULL Scan and then post the log please
Click the Start button , click All Programs, click Accessories, click System Tools, and then click Internet Explorer (No Add-ons).
RonG1966
2012-08-01, 02:12
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.07.31.13
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Dr. Gioe :: D991PWJ1 [administrator]
7/31/2012 5:39:59 PM
mbam-log-2012-07-31 (17-39-59).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 276625
Time elapsed: 29 minute(s), 26 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 1
C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Apple Computer\Apple\rppqrdfg.dll (Trojan.RedirRdll3.Gen) -> Delete on reboot.
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Apple (Trojan.RedirRdll3.Gen) -> Data: rundll32.exe "C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Apple Computer\Apple\rppqrdfg.dll",CreateInstance -> Quarantined and deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Apple (Trojan.RedirRdll3.Gen) -> Data: rundll32.exe "C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Apple Computer\Apple\rppqrdfg.dll",CreateInstance -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Documents and Settings\Dr. Gioe\Local Settings\temp\0.9077037817744482 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Apple Computer\Apple\rppqrdfg.dll (Trojan.RedirRdll3.Gen) -> Delete on reboot.
(end)
Malwarebytes appears to be picking things up related to Apple. Have you rebooted after the scan so they can be removed? Some of those are also related to redirects; are you still being redirected?
If so, let's run SuperAntiSpyware.
Please download SuperAntiSpyware Free (http://www.superantispyware.com/superantispyware.html)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your next reply
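The Malwarebytes log above shows the pattern behind this kind of redirect infection: a Run value in HKCU and HKU\.DEFAULT that starts rundll32.exe with a DLL sitting under the user's Local Settings\Application Data folder, and the earlier ComboFix log shows the same shape in its "ORPHANS REMOVED" lines. The script below is an added example written for this thread; it is not part of ComboFix, Malwarebytes or any other tool named here. It parses autorun entries in the three line formats seen in the posted logs (ComboFix "Reg Loading Points", ComboFix orphan lines, Malwarebytes registry-value lines) and scores each one on whether it is hosted by rundll32.exe, whether its target lives in a user-writable profile directory, and whether the file name looks randomly generated. The scoring thresholds and the sample log lines are my own constructions, modelled on the paths posted above.

```python
"""Score autorun entries from ComboFix / Malwarebytes style log lines.

Added example for this thread; not code from any tool discussed here.
Heuristics (rundll32 hosting, user-writable path, random-looking name)
and the SAMPLE_LOG lines are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

VOWELS = set("aeiou")

# ComboFix "Reg Loading Points":   "Name"="c:\path\file.exe" [date size]
COMBOFIX_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
# Malwarebytes registry value:     HKCU\...\Run|Name (Detection) -> Data: <cmd> -> <action>
MBAM_RE = re.compile(r'^HK[^|]+\|(?P<name>\S+) \([^)]*\) -> Data: (?P<cmd>.+?) -> ')
# ComboFix orphan line:            HKCU-Run-Name - c:\path\file.dll
ORPHAN_RE = re.compile(r'^HK[\w-]+-Run-(?P<name>.+?) - (?P<cmd>.+)$')
# rundll32.exe "c:\path\file.dll",Export  (quotes optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,', re.I)
# first drive-letter path ending in .dll or .exe inside a command line
FILE_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe)', re.I)

# Directories an ordinary user can write to; legitimate autoruns rarely live here.
PROFILE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)


@dataclass
class Entry:
    source: str            # which log format the line matched
    name: str              # value name as shown in the log
    cmd: str               # command line or file path recorded for the value
    score: int = 0
    suspicious: bool = False
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a recognised autorun line, else None."""
    line = line.strip()
    for source, rx in (("combofix", COMBOFIX_RE), ("mbam", MBAM_RE), ("orphan", ORPHAN_RE)):
        m = rx.match(line)
        if m:
            return Entry(source, m["name"], m["cmd"])
    return None


def assess(entry):
    """Attach heuristic score and reasons; two points or more marks it suspicious."""
    m = RUNDLL_RE.search(entry.cmd)
    if m:
        entry.score += 1
        entry.reasons.append("DLL hosted by rundll32.exe rather than its own executable")
        target = m["dll"]
    else:
        f = FILE_RE.search(entry.cmd)
        target = f.group(0) if f else entry.cmd
    target_l = target.lower()
    if any(d in target_l for d in PROFILE_DIRS):
        entry.score += 2
        entry.reasons.append("target lives in a user-writable profile directory")
    stem = target_l.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    # Names like rppqrdfg or linjr have almost no vowels; treat as a weak signal only.
    if len(stem) >= 5 and stem.isalpha() and sum(c in VOWELS for c in stem) / len(stem) < 0.25:
        entry.score += 1
        entry.reasons.append(f"random-looking file name '{stem}'")
    entry.suspicious = entry.score >= 2
    return entry


def scan(lines):
    """Parse and score every line; return the entries that scored as suspicious."""
    return [e for e in map(parse_line, lines) if e is not None and assess(e).suspicious]


# Constructed sample lines, modelled on the formats and paths posted in this thread.
SAMPLE_LOG = [
    r'"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-04-03 483420]',
    r'"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]',
    r'"Updater"="c:\documents and settings\Dr. Gioe\Local Settings\Temp\updater.exe" [2012-07-30 12345]',
    r'HKCU-Run-PowerDVD DX - c:\documents and settings\Dr. Gioe\Local Settings\Application Data\Secunia PSI\PowerDVD DX\linjr.dll',
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Apple (Trojan.RedirRdll3.Gen) -> Data: rundll32.exe "C:\Documents and Settings\Dr. Gioe\Local Settings\Application Data\Apple Computer\Apple\rppqrdfg.dll",CreateInstance -> Quarantined and deleted successfully.',
    r'"EnableFirewall"= 0 (0x0)',   # not an autorun line; parse_line returns None
]

if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(f"[{e.source}] {e.name}: score {e.score}")
        for r in e.reasons:
            print("   -", r)
```

The two legitimate Program Files entries score at most one point (sttray.exe happens to trip the weak vowel heuristic), so only the three profile-directory entries are reported; the point of the weighting is that a user-writable path alone is enough to warrant a look, while the name heuristic only ever adds to an existing concern.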
RonG1966
2012-08-01, 04:11
I didn't get any redirects after Malwarebytes removed the threats, but I ran Superantispyware anyway. Should I restore the cd drivers disabled by defogger now?
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/31/2012 at 08:00 PM
Application Version : 5.5.1012
Core Rules Database Version : 8989
Trace Rules Database Version: 6801
Scan type : Complete Scan
Total Scan Time : 00:27:51
Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator
Memory items scanned : 542
Memory threats detected : 0
Registry items scanned : 34933
Registry threats detected : 0
File items scanned : 43093
File threats detected : 75
Adware.Tracking Cookie
C:\Documents and Settings\Dr. Gioe\Cookies\A1CZ450O.txt [ /zedo.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\HYBU3SXO.txt [ /ads.pointroll.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\GGNH9NR0.txt [ /bridge.ame.admarketplace.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\24XS15IA.txt [ /microsoftwlcashback.112.2o7.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\HP13124I.txt [ /ad.yieldmanager.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\VE9UI3D6.txt [ /nextag.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\AP8MJF0F.txt [ /interclick.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\0KN8RRDF.txt [ /apmebf.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\MRQUYRB0.txt [ /media6degrees.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\NJEQAQT8.txt [ /eset.122.2o7.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\5U430IOW.txt [ /adxpose.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\VNAFFL6Q.txt [ /insightexpressai.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\ZUM1G3O3.txt [ /timeinc.122.2o7.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\SXBI2CY9.txt [ /a1.interclick.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\TDBRSNW6.txt [ /accounts.google.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\DDU9WHRJ.txt [ /kontera.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\FQE15BNX.txt [ /tribalfusion.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\NQRATWM1.txt [ /t.pointroll.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\K7NNL86I.txt [ /ads.us.e-planning.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\AVJ6QJTA.txt [ /legolas-media.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\IBR1OOZV.txt [ /liveperson.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\FN1YABO3.txt [ /lucidmedia.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\LBOEB4QM.txt [ /adfarm1.adition.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\FXMLTQL5.txt [ /ad.360yield.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\9RJARK7G.txt [ /revsci.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\BZS2GB33.txt [ /casalemedia.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\HPOKSMRG.txt [ /ads.pubmatic.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\UG2ROXUN.txt [ /msnbc.112.2o7.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\XI76B99K.txt [ /in.getclicky.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\9F54088K.txt [ /imrworldwide.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\RU3ATMMP.txt [ /amazon-adsystem.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\WZ31XQX7.txt [ /cn.clickable.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\YRHGG980.txt [ /adknowledge.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\110B52AZ.txt [ /c.atdmt.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\ZTQR388A.txt [ /advertising.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\G7MJMJJ4.txt [ /ru4.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\NINNK8M0.txt [ /ad.wsod.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\74MRLA0X.txt [ /collective-media.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\KAZCCANU.txt [ /media2.legacy.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\AYD7RHIV.txt [ /sales.liveperson.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\E71IK95Q.txt [ /specificclick.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\THFACHWI.txt [ /admarketplace.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\SOQOCAW6.txt [ /kanoodle.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\Z7FPA2O4.txt [ /bs.serving-sys.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\FJIYDNJA.txt [ /atdmt.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\XTUF0TGY.txt [ /pointroll.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\VK0LFRQB.txt [ /ads.towniecentral.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\BY3VN987.txt [ /invitemedia.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\0VLRYYSE.txt [ /ads.undertone.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\Y7L8XWIB.txt [ /2o7.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\MHMN6LOW.txt [ /network.realmedia.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\EM6DTKAT.txt [ /fastclick.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\2PP23AUQ.txt [ /www.burstnet.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\3788KZJH.txt [ /ad2.adfarm1.adition.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\HIRHUXEP.txt [ /ads.imaging-resource.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\WLZ1IP56.txt [ /doubleclick.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\8FFKPY18.txt [ /questionmarket.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\A273QWBQ.txt [ /mediaplex.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\AVFHXCKC.txt [ /yieldmanager.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\RDNBYF7M.txt [ /atdmt.combing.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\SPPJHQIT.txt [ /burstnet.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\RHKN86A1.txt [ /at.atwola.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\1LYG4BLW.txt [ /adserver.adtechus.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\191J82L2.txt [ /statse.webtrendslive.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\MUAVY39U.txt [ /serving-sys.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\T3JS78AX.txt [ /pro-market.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\CN9YO50P.txt [ /realmedia.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\L4Q9O1AM.txt [ /adbrite.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\IGNYQIC2.txt [ /www.blogpiremedia.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\DKKDV5C3.txt [ /clickfuse.com ]
C:\Documents and Settings\Dr. Gioe\Cookies\VQ0RML6B.txt [ /liveperson.net ]
C:\Documents and Settings\Dr. Gioe\Cookies\D08755F6.txt [ /dmtracker.com ]
C:\DOCUMENTS AND SETTINGS\CHERI\Cookies\X7M4AOTE.txt [ Cookie:cheri@atdmt.com/ ]
C:\DOCUMENTS AND SETTINGS\CHERI\Cookies\OECDSQ9N.txt [ Cookie:cheri@revsci.net/ ]
C:\DOCUMENTS AND SETTINGS\CHERI\Cookies\LYVYL2AJ.txt [ Cookie:cheri@c.atdmt.com/ ]
Good Morning,
Glad we got rid of that redirect nuisance. Like I said previously, not always but sometimes redirects are caused by rootkits, and we ran many programs trying to determine if it was one or not; thankfully it was not, and you seem to be ok now. What I am going to do is leave this thread open for you for a few days in case you have any problems, so please post back if you do.
Yes, please re-enable your CD drivers.
To re-enable your Emulation drivers, double click DeFogger to run the tool.
The application window will appear
Click the Re-enable button to re-enable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
Your Emulation drivers are now re-enabled.
Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png
Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups; any programs that were not removed you can just drag to the trash.
Malwarebytes is the free version and yours to keep and will not be removed
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken
RonG1966
2012-08-01, 15:51
Thanks! Great job!
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.