Google Re-direct Infection

It's possible there is a rootkit running in the background.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
 
Here you are Ken,

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-07 06:19:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MATT1~1\LOCALS~1\Temp\pxtdypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 832A6CA1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\dropshadow_members.csv 1268 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\alpha_members.csv 1893 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\alpha_members.htm 4457 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies 0 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\play_at.csv 364 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\addAmbient_at.csv 232 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\addCone_at.csv 232 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\addPoint_at.csv 232 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\add_at.csv 336 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Alpha_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\apply_at.csv 364 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\blendTrans_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Blur_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\changeColor_at.csv 232 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\changeStrength_at.csv 232 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Chroma_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\clear_at.csv 232 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\color_at.csv 682 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\direction_at.csv 340 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\DropShadow_at.csv 1403 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\duration_at.csv 364 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\elementImage_at.csv 238 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\enabled_at.csv 2023 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\finishOpacity_at.csv 230 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\finishX_at.csv 230 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\finishY_at.csv 230 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\FlipH_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\FlipV_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\freq_at.csv 228 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\glow_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Gray_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Invert_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\lightStrength_at.csv 228 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Light_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Mask_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\moveLight_at.csv 232 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\offX_at.csv 241 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\offy_at.csv 241 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\opacity_at.csv 230 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\phase_at.csv 228 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\positive_at.csv 241 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Redirect_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\revealTrans_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Shadow_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\startX_at.csv 230 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\startY_at.csv 230 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\status_at.csv 364 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\stop_at.csv 364 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\strength_at.csv 444 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\style_at.csv 230 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\transition_at.csv 244 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\Wave_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\applies\XRay_at.csv 2987 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\blendtrans_members.csv 1154 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\blendtrans_members.htm 4340 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\blur_members.csv 1086 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\blur_members.htm 4064 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\chroma_members.csv 533 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\chroma_members.htm 3922 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\dropshadow_members.htm 4328 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\fliph_members.csv 319 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\fliph_members.htm 3826 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\flipv_members.csv 319 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\flipv_members.htm 3824 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\glow_members.csv 738 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\glow_members.htm 4017 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\gray_members.csv 319 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\gray_members.htm 3844 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\invert_members.csv 319 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\invert_members.htm 3821 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\light_members.csv 1636 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\light_members.htm 4579 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\mask_members.csv 533 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\mask_members.htm 3975 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\redirect_members.csv 732 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\redirect_members.htm 4063 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\revealtrans_members.csv 1360 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\revealtrans_members.htm 4563 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\shadow_members.csv 840 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\shadow_members.htm 4103 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\wave_members.csv 1451 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\wave_members.htm 4300 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\xray_members.csv 319 bytes
File C:\Documents and Settings\All Users\Application Data\PC Tools\PC Tools AntiVirus\Temp\HTMLREF.CHM_1033522\workshop\author\filter\reference\data\xray_members.htm 3891 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



things are seemingly weirder on my system lately...
 
Hi,

It looks like your hard disk controller is infected; this is caused by the TDSS rootkit.

This is what you need to do.

  • Download TDSSKiller and save it to your Desktop.

Extract the file and run it.

Once completed, it will create a log on your C:\ drive called TDSSKiller_* (* denotes version & date).

Please post the content of that TDSSKiller log.
 
Here you go,

17:43:20:573 3988 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
17:43:20:573 3988 ================================================================================
17:43:20:573 3988 SystemInfo:

17:43:20:573 3988 OS Version: 5.1.2600 ServicePack: 3.0
17:43:20:573 3988 Product type: Workstation
17:43:20:573 3988 ComputerName: MATT
17:43:20:573 3988 UserName: Matt 1
17:43:20:573 3988 Windows directory: C:\WINDOWS
17:43:20:573 3988 Processor architecture: Intel x86
17:43:20:573 3988 Number of processors: 1
17:43:20:573 3988 Page size: 0x1000
17:43:20:573 3988 Boot type: Normal boot
17:43:20:573 3988 ================================================================================
17:43:20:613 3988 UnloadDriverW: NtUnloadDriver error 2
17:43:20:613 3988 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:43:21:254 3988 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:43:21:254 3988 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:43:21:254 3988 wfopen_ex: Trying to KLMD file open
17:43:21:254 3988 wfopen_ex: File opened ok (Flags 2)
17:43:21:254 3988 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:43:21:254 3988 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:43:21:254 3988 wfopen_ex: Trying to KLMD file open
17:43:21:254 3988 wfopen_ex: File opened ok (Flags 2)
17:43:21:254 3988 Initialize success
17:43:21:254 3988
17:43:21:254 3988 Scanning Services ...
17:43:21:814 3988 Raw services enum returned 358 services
17:43:21:824 3988
17:43:21:824 3988 Scanning Kernel memory ...
17:43:21:824 3988 Devices to scan: 2
17:43:21:824 3988
17:43:21:824 3988 Driver Name: Disk
17:43:21:824 3988 IRP_MJ_CREATE : F87DBBB0
17:43:21:824 3988 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
17:43:21:824 3988 IRP_MJ_CLOSE : F87DBBB0
17:43:21:824 3988 IRP_MJ_READ : F87D5D1F
17:43:21:824 3988 IRP_MJ_WRITE : F87D5D1F
17:43:21:824 3988 IRP_MJ_QUERY_INFORMATION : 804FA87E
17:43:21:824 3988 IRP_MJ_SET_INFORMATION : 804FA87E
17:43:21:824 3988 IRP_MJ_QUERY_EA : 804FA87E
17:43:21:824 3988 IRP_MJ_SET_EA : 804FA87E
17:43:21:824 3988 IRP_MJ_FLUSH_BUFFERS : F87D62E2
17:43:21:824 3988 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
17:43:21:824 3988 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
17:43:21:824 3988 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
17:43:21:824 3988 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
17:43:21:824 3988 IRP_MJ_DEVICE_CONTROL : F87D63BB
17:43:21:824 3988 IRP_MJ_INTERNAL_DEVICE_CONTROL : F87D9F28
17:43:21:824 3988 IRP_MJ_SHUTDOWN : F87D62E2
17:43:21:824 3988 IRP_MJ_LOCK_CONTROL : 804FA87E
17:43:21:824 3988 IRP_MJ_CLEANUP : 804FA87E
17:43:21:824 3988 IRP_MJ_CREATE_MAILSLOT : 804FA87E
17:43:21:824 3988 IRP_MJ_QUERY_SECURITY : 804FA87E
17:43:21:824 3988 IRP_MJ_SET_SECURITY : 804FA87E
17:43:21:824 3988 IRP_MJ_POWER : F87D7C82
17:43:21:824 3988 IRP_MJ_SYSTEM_CONTROL : F87DC99E
17:43:21:824 3988 IRP_MJ_DEVICE_CHANGE : 804FA87E
17:43:21:824 3988 IRP_MJ_QUERY_QUOTA : 804FA87E
17:43:21:824 3988 IRP_MJ_SET_QUOTA : 804FA87E
17:43:21:965 3988 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
17:43:21:965 3988
17:43:21:965 3988 Driver Name: atapi
17:43:21:965 3988 IRP_MJ_CREATE : 832A6CA1
17:43:21:965 3988 IRP_MJ_CREATE_NAMED_PIPE : 832A6CA1
17:43:21:965 3988 IRP_MJ_CLOSE : 832A6CA1
17:43:21:965 3988 IRP_MJ_READ : 832A6CA1
17:43:21:965 3988 IRP_MJ_WRITE : 832A6CA1
17:43:21:965 3988 IRP_MJ_QUERY_INFORMATION : 832A6CA1
17:43:21:965 3988 IRP_MJ_SET_INFORMATION : 832A6CA1
17:43:21:965 3988 IRP_MJ_QUERY_EA : 832A6CA1
17:43:21:965 3988 IRP_MJ_SET_EA : 832A6CA1
17:43:21:965 3988 IRP_MJ_FLUSH_BUFFERS : 832A6CA1
17:43:21:965 3988 IRP_MJ_QUERY_VOLUME_INFORMATION : 832A6CA1
17:43:21:965 3988 IRP_MJ_SET_VOLUME_INFORMATION : 832A6CA1
17:43:21:965 3988 IRP_MJ_DIRECTORY_CONTROL : 832A6CA1
17:43:21:965 3988 IRP_MJ_FILE_SYSTEM_CONTROL : 832A6CA1
17:43:21:965 3988 IRP_MJ_DEVICE_CONTROL : 832A6CA1
17:43:21:965 3988 IRP_MJ_INTERNAL_DEVICE_CONTROL : 832A6CA1
17:43:21:965 3988 IRP_MJ_SHUTDOWN : 832A6CA1
17:43:21:965 3988 IRP_MJ_LOCK_CONTROL : 832A6CA1
17:43:21:965 3988 IRP_MJ_CLEANUP : 832A6CA1
17:43:21:965 3988 IRP_MJ_CREATE_MAILSLOT : 832A6CA1
17:43:21:965 3988 IRP_MJ_QUERY_SECURITY : 832A6CA1
17:43:21:965 3988 IRP_MJ_SET_SECURITY : 832A6CA1
17:43:21:965 3988 IRP_MJ_POWER : 832A6CA1
17:43:21:965 3988 IRP_MJ_SYSTEM_CONTROL : 832A6CA1
17:43:21:965 3988 IRP_MJ_DEVICE_CHANGE : 832A6CA1
17:43:21:965 3988 IRP_MJ_QUERY_QUOTA : 832A6CA1
17:43:21:965 3988 IRP_MJ_SET_QUOTA : 832A6CA1
17:43:21:965 3988 Driver "atapi" infected by TDSS rootkit!
17:43:21:965 3988 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
17:43:21:965 3988 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
17:43:21:965 3988 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:43:21:965 3988 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:43:22:425 3988 vfvi6
17:43:22:666 3988 !dsvbh1
17:43:26:842 3988 dsvbh2
17:43:27:012 3988 fdfb2
17:43:27:012 3988 Backup copy found, using it..
17:43:27:332 3988 will be cured on next reboot
17:43:27:332 3988 Reboot required for cure complete..
17:43:27:372 3988 Cure on reboot scheduled successfully
17:43:27:372 3988
17:43:27:372 3988 Completed
17:43:27:372 3988
17:43:27:372 3988 Results:
17:43:27:372 3988 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
17:43:27:372 3988 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:43:27:372 3988 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:43:27:372 3988
17:43:27:372 3988 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:43:27:372 3988 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:43:27:372 3988 UnloadDriverW: NtUnloadDriver error 1
17:43:27:372 3988 KLMD(ARK) unloaded successfully
 
Yep, it was infected but has been fixed.

Let's check for leftover entries, if there are any.


Please download Malwarebytes from Here or Here
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log, please.
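The diagnosis in this thread rests on one detail of the TDSSKiller output: every IRP_MJ_* entry of the atapi driver points at the same address (832A6CA1), the address GMER had already reported against \Device\Harddisk0\DR0, whereas the clean disk driver has several distinct handlers. The script below is an added example, not part of the thread and not TDSSKiller's or GMER's own logic. It parses the "Scanning Kernel memory" blocks of a TDSSKiller log and flags a driver whose whole dispatch table collapses to one address, or that contains an address another tool reported. The sample log is a trimmed copy of the two driver blocks posted above.

```python
"""Triage a TDSSKiller 'Scanning Kernel memory' section for a hooked IRP dispatch table.

TDSS-class rootkits hijack a storage driver (here atapi) so that every IRP_MJ_*
entry of its DRIVER_OBJECT points at one rootkit handler.  A clean driver has
several distinct handlers (and routes unsupported IRPs to the kernel's
IopInvalidDeviceRequest, 804FA87E in the log above), so "one address for every
major function" is a strong triage signal.  Added example; heuristic is ours.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the two driver blocks from the log above.
SAMPLE_LOG = """\
17:43:21:824 3988 Driver Name: Disk
17:43:21:824 3988 IRP_MJ_CREATE : F87DBBB0
17:43:21:824 3988 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
17:43:21:824 3988 IRP_MJ_CLOSE : F87DBBB0
17:43:21:824 3988 IRP_MJ_READ : F87D5D1F
17:43:21:824 3988 IRP_MJ_WRITE : F87D5D1F
17:43:21:824 3988 IRP_MJ_DEVICE_CONTROL : F87D63BB
17:43:21:965 3988 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
17:43:21:965 3988 Driver Name: atapi
17:43:21:965 3988 IRP_MJ_CREATE : 832A6CA1
17:43:21:965 3988 IRP_MJ_CREATE_NAMED_PIPE : 832A6CA1
17:43:21:965 3988 IRP_MJ_CLOSE : 832A6CA1
17:43:21:965 3988 IRP_MJ_READ : 832A6CA1
17:43:21:965 3988 IRP_MJ_WRITE : 832A6CA1
17:43:21:965 3988 IRP_MJ_DEVICE_CONTROL : 832A6CA1
17:43:21:965 3988 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
"""

DRIVER_RE = re.compile(r"Driver Name:\s+(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Return {driver_name: {IRP_MJ_xxx: handler_address}} from a TDSSKiller log."""
    tables = defaultdict(dict)
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = IRP_RE.search(line)
        if m and current:
            tables[current][m.group(1)] = m.group(2).upper()
    return dict(tables)


def hooked_drivers(tables, known_bad=()):
    """Flag drivers whose dispatch table is a single address, or that contain an
    address another tool (e.g. GMER's 'Device -> \\Driver\\atapi ...' line) reported.
    Returns {driver_name: [reason, ...]}; drivers with no reason are omitted."""
    findings = {}
    bad = {a.upper() for a in known_bad}
    for drv, table in tables.items():
        addrs = set(table.values())
        reasons = []
        # A single handler for every major function is the TDSS signature seen above.
        if len(table) >= 2 and len(addrs) == 1:
            reasons.append("all %d IRP_MJ entries -> %s" % (len(table), next(iter(addrs))))
        hits = sorted(addrs & bad)
        if hits:
            reasons.append("matches externally reported address(es): " + ", ".join(hits))
        if reasons:
            findings[drv] = reasons
    return findings


if __name__ == "__main__":
    tables = parse_dispatch_tables(SAMPLE_LOG)
    # 832A6CA1 is the address GMER reported for \Device\Harddisk0\DR0 in the thread.
    for drv, why in hooked_drivers(tables, known_bad=["832A6CA1"]).items():
        print(drv, "->", "; ".join(why))
```

A simple driver may legitimately route every major function through one dispatch routine, so the single-address check is a triage signal, not a verdict; TDSSKiller's own decision ("Verdict: 1") comes from comparing the in-memory driver with the file on disk, which this script does not do.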
 
Alright Ken, looking better

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2010-04-08 06:40:08 AM
mbam-log-2010-04-08 (06-40-08).txt

Scan type: Quick scan
Objects scanned: 125484
Time elapsed: 8 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Desktop\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.



C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

--
End of file - 7045 bytes
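A helper reading the HijackThis log above would look first at the O4 autoruns and O23 services, and would notice an autorun in C:\WINDOWS\TEMP registered under HKLM, the SYSTEM hive (S-1-5-18) and .DEFAULT, plus a service with "Unknown owner" whose binary is still present. The script below is an added example, not part of the thread and not HijackThis code; the three heuristics are ours and only rank entries for a human to review, they do not declare anything malicious. The sample lines are copied from the log above.

```python
"""Triage heuristics for HijackThis O4 (autorun) and O23 (service) lines.

Added example; not part of the thread or of HijackThis.  It surfaces entries a
malware-removal helper would inspect first, using three signals:
  1. an autorun whose target lives in a temp directory,
  2. the same autorun target installed for HKLM, the SYSTEM hive (S-1-5-18)
     and .DEFAULT, i.e. persistence for every account and every new profile,
  3. a service with no publisher ("Unknown owner") whose binary is present.
None of these is a verdict on its own.
"""
import re

# Constructed sample: lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'Default user')
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Hives that together mean "runs for every account, SYSTEM and all future profiles".
MACHINE_WIDE = {"HKLM", "HKUS\\S-1-5-18", "HKUS\\.DEFAULT"}


def autorun_target(cmd):
    """Best-effort executable path from an O4 command: the quoted part if quoted,
    else everything up to the first '.exe' (HJT prints unquoted paths with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"^(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_hjt(log_text):
    """Return a list of (item, reason) pairs worth a human's attention."""
    autoruns = []  # (hive, name, target)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            target = autorun_target(m.group("cmd"))
            autoruns.append((m.group("hive").upper(), m.group("name"), target))
            if TEMP_DIR_RE.search(target):  # signal 1
                findings.append((line, "autorun target in a temp directory"))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner" and not m.group("missing"):
            findings.append((line, "service with no publisher and binary present"))  # signal 3
    by_target = {}
    for hive, _name, target in autoruns:
        by_target.setdefault(target.lower(), set()).add(hive)
    for target, hives in by_target.items():
        if MACHINE_WIDE <= hives:  # signal 2
            findings.append((target, "same autorun installed for HKLM, SYSTEM and .DEFAULT"))
    return findings


if __name__ == "__main__":
    for item, reason in triage_hjt(SAMPLE_HJT):
        print("%-60s %s" % (item, reason))
```

The "Unknown owner" signal deliberately skips entries marked "(file missing)": those point at nothing and are cleanup, not a running risk, which is why the Lavasoft line in the sample is not reported while the rnamfler service is.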
 
Oops, this is the complete HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:48:20 AM, on 2010-04-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\TEMP\vdmpyel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\rnamfler\naofsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

--
End of file - 7045 bytes
 
Hi,

Boot to Safemode

To Enter Safemode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key somewhat rapidly;
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it: How to boot into Safemode

C:\WINDOWS\TEMP <-- Delete everything in the Temp folder but not the Temp folder itself.

Boot back to normal Windows, post a new HJT log please, and let me know how things are running now.
 
Things are running smoothly Ken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:59:40 PM, on 2010-04-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\rnamfler\naofsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

--
End of file - 7001 bytes


If you have the time, what did we delete in the Temp folder? Also, can you recommend a good way to free up disk space/memory besides the system tools option?
 
Hi,

There was an unquestionable file in the temp folder; legit programs do not run out of a temp folder, but it's back.

You need to enable Windows to show all files and folders; instructions here.

Go to VirusTotal and submit this file for analysis. Just use the browse feature and then Send File; you will get a report back. Post the report into this thread for me to see.

C:\WINDOWS\TEMP\vdmpyel.exe

If the site is busy, you can try this one:

http://virusscan.jotti.org/en
 
Ken,

My system is already configured to display hidden files and folders and was the last time you requested it as well.

The file you asked me to submit for analysis "was not found" and apparently does not exist.

Also, the temp files we deleted in safe-mode appear to be present in normal mode (as I saw when looking for the file you requested to submit to VirusTotal).

Agh! I'm sure we have shared frustration....
 
The reason for removing files in Safemode is that most times trying to remove them in normal Windows will fail.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O4 - HKUS\S-1-5-18\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'Default user')



Reboot and let me know how things are running now.
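As an added triage example tying together the two points in this post (an autostart that runs out of a temp folder, and the StartAutomator entry registered under several hives), the following Python script parses the O4 lines of an HJT log and flags both conditions; it also resolves rundll32-hosted DLLs. It is my own code, not part of the thread or of HijackThis, and its SAMPLE_LOG is a constructed excerpt modelled on the logs above.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example for this thread, not part of HijackThis or of the helper's own
tooling. It applies the thread's rule of thumb ("legit programs do not run out
of a temp folder") to the O4 lines of an HJT log and lists which hives register
the same autostart name. The regular expressions are my own reading of the format.
"""
import re
from collections import defaultdict

# O4 line layout: "O4 - <hive>\..\<key>: [<name>] <command>", with an optional
# " (User '<account>')" suffix on HKUS entries.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Extensions that mark the end of an unquoted executable path (which may contain spaces).
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|pif|bat|cmd))\b", re.IGNORECASE)

# Directory names that no legitimate autostart should launch from.
TEMP_DIR_NAMES = {"temp", "tmp"}

# Constructed excerpt in the shape of the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe (User 'Default user')
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
"""


def parse_o4(line):
    """Return the fields of one O4 line as a dict, or None for any other HJT line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_of(command):
    """Pull the launched binary out of an O4 command string."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path; arguments follow the quote
        return command[1:command.find('"', 1)]
    m = EXE_RE.match(command)
    if m is None:                               # no recognised extension: first token
        return command.split()[0] if command else ""
    exe = m.group(1)
    if exe.lower().endswith("rundll32.exe"):    # rundll32 only hosts a DLL; triage the DLL
        hosted = EXE_RE.match(command[m.end():].strip())
        if hosted:
            return hosted.group(1)
    return exe


def runs_from_temp(path):
    """True when any directory component of the path is a temp folder."""
    parts = path.replace("/", "\\").lower().split("\\")
    return any(p in TEMP_DIR_NAMES for p in parts[:-1])


def find_temp_autostarts(log_text):
    """(hive, name, executable) for every O4 entry that launches from a temp folder."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        exe = executable_of(entry["command"])
        if runs_from_temp(exe):
            hits.append((entry["hive"], entry["name"], exe))
    return hits


def hives_by_name(log_text):
    """Map each autostart name to the sorted list of hives that register it."""
    hives = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            hives[entry["name"]].add(entry["hive"])
    return {name: sorted(h) for name, h in hives.items()}


def report(log_text):
    """Print the triage summary for one log and return the number of temp-folder hits."""
    hits = find_temp_autostarts(log_text)
    for hive, name, exe in hits:
        print(f"TEMP autostart   {hive:<16} [{name}] {exe}")
    for name, hives in hives_by_name(log_text).items():
        if len(hives) > 1:
            print(f"multi-hive entry [{name}] registered in {', '.join(hives)}")
    return len(hits)


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against a full HJT log (read the file and pass its text to report), the same StartAutomator entry is reported three times, once per hive, which is exactly the set of lines fixed in this post.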
 
Late response again, sorry, Ken.

My machine is running smoothly after I fixed the checked items you requested and no more Google re-directs.

Thank you for your time as always - anything else?
 
Here ya are,

Logfile of random's system information tool 1.06 (written by random/random)
Run by Matt 1 at 2010-04-15 06:27:56
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 17 GB (29%) free of 57 GB
Total RAM: 511 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:28:31 AM, on 2010-04-15
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\rnamfler\naofsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM7\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt 1\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Matt 1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [wrna3ls] C:\Program Files\rnamfler\naomf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [StartAutomator] C:\WINDOWS\TEMP\vdmpyel.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_18.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPY-BO~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Unknown owner - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RdnaoFlSvc - Unknown owner - C:\Program Files\rnamfler\naofsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe

--
End of file - 6910 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPY-BO~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2010-03-16 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0cda128-b425-4eef-a174-61a11ac5dbf8}]
AIM Toolbar Loader - C:\Program Files\AIM Toolbar\aimtb.dll [2009-08-28 1303912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-03-16 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-03-16 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{61539ecd-cc67-4437-a03c-9aaccbd14326} - AIM Toolbar - C:\Program Files\AIM Toolbar\aimtb.dll [2009-08-28 1303912]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"00THotkey"=C:\WINDOWS\System32\00THotkey.exe [2003-04-15 258048]
"000StTHK"=C:\WINDOWS\system32\000StTHK.exe [2001-06-23 24576]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2003-09-24 4861952]
"nwiz"=nwiz.exe /installquiet []
"SigmaTel StacMon"=C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe [2003-08-03 86073]
"LtMoh"=C:\Program Files\ltmoh\Ltmoh.exe [2003-01-02 172032]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2003-04-18 88363]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2003-05-30 110592]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2003-05-30 614400]
"TouchED"=C:\Program Files\TOSHIBA\TouchED\TouchED.Exe [2003-01-21 126976]
"TFNF5"=C:\WINDOWS\system32\TFNF5.exe [2003-07-18 73728]
"TFncKy"=TFncKy.exe []
"TPSMain"=C:\WINDOWS\system32\TPSMain.exe [2003-09-25 278528]
"Pinger"=C:\TOSHIBA\IVP\ISM\pinger.exe [2005-03-17 151552]
"PRONoMgr.exe"=c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe [2003-12-10 86016]
"HPDJ Taskbar Utility"=C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe [2003-09-01 176128]
"HP Component Manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2003-10-23 233472]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-04-09 185784]
"wrna3ls"=C:\Program Files\rnamfler\naomf.exe [2006-04-01 1253448]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe []
"StartAutomator"=C:\WINDOWS\TEMP\vdmpyel.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Sebring]
c:\WINDOWS\System32\LgNotify.dll [2003-12-16 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\rootrepeal.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\TOSHIBA\Ivp\NetInt\netint.exe"="C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\TOSHIBA\Ivp\ISM\pinger.exe"="C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\America Online 9.0a\waol.exe"="C:\Program Files\America Online 9.0a\waol.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Java\jre1.5.0_10\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_10\bin\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\Java\jre1.5.0_11\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_11\bin\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Ubi Soft\Chessmaster 9000\Chessmaster.exe"="C:\Program Files\Ubi Soft\Chessmaster 9000\Chessmaster.exe:*:Enabled:Chessmaster 9000"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\1171828283\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1171828283\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\AIM7\aim.exe"="C:\Program Files\AIM7\aim.exe:*:Enabled:AIM"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Documents and Settings\Matt 1\Desktop\utorrent.exe"="C:\Documents and Settings\Matt 1\Desktop\utorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\America Online 9.0a\waol.exe"="C:\Program Files\America Online 9.0a\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-04-08 06:29:27 ----AC---- C:\mbam-error.txt
2010-04-07 17:43:20 ----AC---- C:\TDSSKiller.2.2.8.1_07.04.2010_17.43.20_log.txt
2010-04-01 08:42:21 ----A---- C:\WINDOWS\system32\spwindrfc1.exe
2010-04-01 08:42:17 ----A---- C:\WINDOWS\system32\pscdrvn.exe
2010-03-23 22:28:00 ----DC---- C:\rsit
2010-03-23 07:17:39 ----SDC---- C:\Combo-Fix
2010-03-16 20:44:35 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-03-16 20:43:42 ----A---- C:\WINDOWS\system32\javaws.exe
2010-03-16 20:43:42 ----A---- C:\WINDOWS\system32\javaw.exe
2010-03-16 20:43:42 ----A---- C:\WINDOWS\system32\java.exe

======List of files/folders modified in the last 1 months======

2010-04-15 06:27:28 ----D---- C:\WINDOWS\Prefetch
2010-04-14 20:01:08 ----D---- C:\WINDOWS\system32\CatRoot2
2010-04-09 06:18:58 ----D---- C:\WINDOWS\temp
2010-04-09 06:17:27 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-04-08 16:53:05 ----AC---- C:\WINDOWS\ntbtlog.txt
2010-04-08 06:43:00 ----HDC---- C:\WINDOWS\$NtUninstallKB929123$
2010-04-08 06:42:59 ----D---- C:\WINDOWS\system32\drivers
2010-04-08 06:29:24 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-04 05:44:02 ----D---- C:\Program Files\Mozilla Firefox
2010-04-01 08:42:21 ----AD---- C:\WINDOWS\system32
2010-03-30 17:27:54 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2010-03-30 17:27:54 ----AD---- C:\Program Files
2010-03-27 19:31:53 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-26 12:47:55 ----HDC---- C:\WINDOWS\$NtUninstallKB828741$
2010-03-23 21:48:53 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-23 07:26:28 ----AD---- C:\WINDOWS
2010-03-23 07:19:31 ----RHD---- C:\Program Files\rnamfler
2010-03-23 07:19:30 ----DC---- C:\Qoobox
2010-03-16 21:05:12 ----DC---- C:\Config.Msi
2010-03-16 21:04:31 ----SHD---- C:\WINDOWS\Installer
2010-03-16 21:02:20 ----D---- C:\Program Files\Java
2010-03-16 20:45:05 ----D---- C:\Program Files\Common Files\Java
2010-03-16 20:43:03 ----A---- C:\WINDOWS\system32\deploytk.dll
2010-03-16 20:13:39 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-11-26 4224]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2008-06-09 10760]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 meiudf;meiudf; C:\WINDOWS\System32\Drivers\meiudf.sys [2003-10-24 90416]
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2008-04-13 88192]
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2005-10-19 8413]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.2.1.0; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [2004-06-08 14037]
R2 Netdevio;TOSHIBA Network Device Usermode I/O Protocol; C:\WINDOWS\System32\DRIVERS\netdevio.sys [2003-01-29 12032]
R2 s24trans;WLAN Transport; C:\WINDOWS\System32\DRIVERS\s24trans.sys [2003-09-15 11258]
R2 TBiosDrv;TBiosDrv; \??\C:\WINDOWS\System32\drivers\TBiosDrv.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2002-09-25 140800]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-07-14 14448]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-09-24 1370764]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-10-01 9856]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\System32\DRIVERS\smcirda.sys [2001-09-11 38425]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\stac97.sys [2003-07-17 230416]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2003-05-30 271728]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver; C:\WINDOWS\System32\DRIVERS\tsdhd.sys [2003-05-14 25888]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w22n51;Intel(R) PRO/Wireless 2200 Adapter Driver; C:\WINDOWS\System32\DRIVERS\w22n51.sys [2004-01-02 1646720]
S1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2007-11-26 821856]
S1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-11-26 27776]
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 AgereSoftModem;TOSHIBA V92 Software Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2002-12-20 1164576]
S3 AR5211;Atheros AR5001 Wireless Network Adapter Service; C:\WINDOWS\System32\DRIVERS\ar5211.sys [2003-08-28 323296]
S3 catchme;catchme; \??\C:\DOCUME~1\MATT1~1\LOCALS~1\Temp\catchme.sys []
S3 ewdmaudn;ewdmaudn; \??\C:\DOCUME~1\MATT1~1\LOCALS~1\Temp\ewdmaudn.sys []
S3 gv3;Intel GV3 Processor Driver; C:\WINDOWS\System32\DRIVERS\gv3.sys [2002-11-18 30976]
S3 MAUSBFT;Service for M-Audio Fast Track USB (WDM); C:\WINDOWS\system32\DRIVERS\mausbft.sys [2007-11-13 132096]
S3 msloop;Microsoft Loopback Adapter Driver; C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 4992]
S3 pciSd;pciSd; C:\WINDOWS\System32\DRIVERS\tossdpci.sys [2003-02-12 15143]
S3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 tbhsd;Tunebite High-Speed Dubbing; C:\WINDOWS\system32\drivers\tbhsd.sys [2006-04-19 14464]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver; C:\WINDOWS\System32\DRIVERS\w70n51.sys [2003-03-27 2379776]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-11-26 49664]
R2 CFSvcs;ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [2003-12-02 28672]
R2 DVD-RAM_Service;DVD-RAM_Service; C:\WINDOWS\System32\DVDRAMSV.exe [2003-05-23 106496]
R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-03-16 153376]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-09-24 77824]
R2 RdnaoFlSvc;RdnaoFlSvc; C:\Program Files\rnamfler\naofsvc.exe [2006-04-01 55296]
R2 RegSrvc;RegSrvc; C:\WINDOWS\System32\RegSrvc.exe [2003-12-16 122880]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\WINDOWS\System32\S24EvMon.exe [2003-12-16 311363]
R2 Swupdtmr;Swupdtmr; c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe [2004-05-13 53248]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-11-26 418816]
S2 FastTrackInstallerService;M-Audio Fast Track Installer; C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe []
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
 
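Before acting on a listing like the one above, an analyst usually marks which driver and service entries deserve a closer look. The Python script below is an added example for this thread, not output from RSIT or code posted by anyone in it. It parses a constructed sample made of a few lines copied from the driver and service sections above and applies two triage heuristics: an entry that starts automatically (running, or start type 0/1/2) but shows empty brackets, meaning RSIT could not read the file's date and size, and an entry whose image lives under a Temp directory. The flags are pointers, not verdicts, which is exactly the false-positive caveat the thread's earlier caution makes: ComboFix's own catchme.sys legitimately sits in the user's Temp folder and shows up here.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines copied from the RSIT-style driver and
# service listing in the thread above (not the complete log).
SAMPLE_LOG = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R2 TBiosDrv;TBiosDrv; \??\C:\WINDOWS\System32\drivers\TBiosDrv.sys []
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\MATT1~1\LOCALS~1\Temp\catchme.sys []
S3 ewdmaudn;ewdmaudn; \??\C:\DOCUME~1\MATT1~1\LOCALS~1\Temp\ewdmaudn.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 RdnaoFlSvc;RdnaoFlSvc; C:\Program Files\rnamfler\naofsvc.exe [2006-04-01 55296]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe []
"""

# One RSIT entry looks like: "<R|S><start> name;display name; path [date size]"
# The brackets are empty when RSIT could not read the file.
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
SECTION_RE = re.compile(r"^======List of (?P<kind>drivers|services)")
# Matches a "\Temp\" or "\tmp\" path component, case-insensitively.
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Parse the driver and service sections of an RSIT log into dicts."""
    entries = []
    kind = None
    for line in log_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            kind = sec.group("kind")
            continue
        m = ENTRY_RE.match(line)
        if not m or kind is None:
            continue
        e = m.groupdict()
        e["kind"] = kind
        # Drop the NT object-manager prefix (\??\) RSIT leaves on some paths.
        if e["path"].startswith("\\??\\"):
            e["path"] = e["path"][4:]
        entries.append(e)
    return entries


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return the entries that have at least one reason to look closer.

    Heuristics (triage pointers, not verdicts):
      - auto-start (running, or start type 0/1/2) with empty brackets:
        RSIT could not stat the file, so it is missing or hidden from it;
      - image loaded from a Temp directory, where legitimate drivers and
        services are rare (scanner drivers such as catchme.sys do land there).
    """
    findings = []
    for e in parse_entries(log_text):
        reasons = []
        auto = e["state"] == "R" or e["start"] in "012"
        if auto and not e["meta"].strip():
            reasons.append("auto-start but file date/size unreadable")
        if TEMP_RE.search(e["path"]):
            reasons.append("image loaded from a Temp directory")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['state']}{f['start']} {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample it flags TBiosDrv, mrtRate and the Ad-Aware service (auto-start, file unreadable) and the two Temp-resident drivers; everything else, including the entry under C:\Program Files\rnamfler, passes these two checks, which is why the script is a starting point for the kind of questions the helper asks, not a replacement for them. Feed it a full RSIT log by reading the file into a string and calling `triage` on it.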
Let's just fix this

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Registry::


Code:
Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"StartAutomator"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.