Help removing virtumonde

Hi oxpride85.

Please download GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.
Logs/Information to Post in your Next Reply

  • Gmer.txt log.
  • Please give me an update on your computer's performance.
 
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 18:57:54
Windows 5.1.2600 Service Pack 3
Running: 5tqmsmrl.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uwtdypob.sys


---- System - GMER 1.0.15 ----

SSDT spmu.sys ZwCreateKey [0xF74120E0]
SSDT spmu.sys ZwEnumerateKey [0xF7430CA2]
SSDT spmu.sys ZwEnumerateValueKey [0xF7431030]
SSDT spmu.sys ZwOpenKey [0xF74120C0]
SSDT spmu.sys ZwQueryKey [0xF7431108]
SSDT spmu.sys ZwQueryValueKey [0xF7430F88]
SSDT spmu.sys ZwSetValueKey [0xF743119A]

INT 0x62 ? 871D6BF8
INT 0x63 ? 8716AF00
INT 0x82 ? 871D6BF8
INT 0xA4 ? 86F6ABF8
INT 0xA4 ? 86F6ABF8
INT 0xA4 ? 86F6ABF8
INT 0xA4 ? 86F6ABF8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 871571F8
Device \FileSystem\Fastfat \FatCdrom 86B0F500

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{D6309E1C-707A-4E17-8702-AB9170A19514} 86A9B500

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbohci \Device\USBPDO-0 86F69500
Device \Driver\usbohci \Device\USBPDO-1 86F69500
Device \Driver\usbehci \Device\USBPDO-2 86F261F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{380185D3-DC78-4C24-873E-054F0E711349} 86A9B500
Device \Driver\Ftdisk \Device\HarddiskVolume1 871D71F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 871D71F8
Device \Driver\Cdrom \Device\CdRom0 86FBE1F8
Device \Driver\Cdrom \Device\CdRom1 86FBE1F8
Device \Driver\atapi \Device\Ide\IdePort0 [F736EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F736EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F736EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom2 86FBE1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86A9B500
Device \Driver\NetBT \Device\NetbiosSmb 86A9B500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCI_PNP4298 \Device\0000006b spmu.sys
Device \Driver\usbohci \Device\USBFDO-0 86F69500
Device \Driver\usbohci \Device\USBFDO-1 86F69500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86A9A500
Device \Driver\usbehci \Device\USBFDO-2 86F261F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86A9A500
Device \Driver\Ftdisk \Device\FtControl 871D71F8
Device \Driver\sptd \Device\3925741798 spmu.sys
Device \Driver\aqf6dpqh \Device\Scsi\aqf6dpqh1Port2Path0Target0Lun0 86F6C500
Device \Driver\aqf6dpqh \Device\Scsi\aqf6dpqh1Port2Path0Target1Lun0 86F6C500
Device \Driver\aqf6dpqh \Device\Scsi\aqf6dpqh1 86F6C500
Device \FileSystem\Fastfat \Fat 86B0F500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 86A2C500
Device -> \Driver\atapi \Device\Harddisk0\DR0 86AA5AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAE 0x7D 0x09 0x0C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEE 0xF0 0x56 0xCE ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0xED 0xC6 0x19 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF4 0xA7 0x9F 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAE 0x7D 0x09 0x0C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEE 0xF0 0x56 0xCE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0xED 0xC6 0x19 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF4 0xA7 0x9F 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAE 0x7D 0x09 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEE 0xF0 0x56 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0xED 0xC6 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF4 0xA7 0x9F 0xC9 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Computer is running smoothly, but I'm still getting redirected as mentioned in previous posts.
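As an added example (not part of this thread, and not GMER's own code), a small Python script that summarises a Gmer.txt in the layout above for triage: SSDT hooks grouped by the driver that owns them, filter drivers GMER could attribute to a vendor versus those it could not, and any file marked "suspicious modification". The sample log is a constructed excerpt built from the kinds of lines in the posted log, not the complete file.

```python
"""Summarise a GMER rootkit-scan log (Gmer.txt) for triage.

Groups SSDT hooks by the driver that owns them, separates filter drivers GMER
attributed to a vendor from those it could not, and lists files GMER marked
'suspicious modification'. It reports only; it changes nothing on the system.
"""
import re
from collections import defaultdict

# Constructed excerpt in the GMER 1.0.15 layout, made from the kinds of lines
# in the log posted above (not the complete file).
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 18:57:54

---- System - GMER 1.0.15 ----

SSDT spmu.sys ZwCreateKey [0xF74120E0]
SSDT spmu.sys ZwEnumerateKey [0xF7430CA2]
SSDT spmu.sys ZwOpenKey [0xF74120C0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Driver\aqf6dpqh \Device\Scsi\aqf6dpqh1 86F6C500

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\S+)\s+\[(0x[0-9A-Fa-f]+)\]$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.+)\))?$")
MODIFIED_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")


def parse_sections(text):
    """Split the log into {section: [entry lines]}; the banner and EOF are dropped."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and current != "EOF" and line:
            sections[current].append(line)
    return dict(sections)


def ssdt_hooks_by_driver(entries):
    """Map each driver hooking the SSDT to the Zw* services it hooks."""
    hooks = defaultdict(list)
    for line in entries:
        m = SSDT_RE.match(line)
        if m:
            driver, service, _address = m.groups()
            hooks[driver].append(service)
    return dict(hooks)


def attached_filters(entries):
    """Return (target, device, driver, vendor) for each AttachedDevice line.

    vendor is None when GMER printed no '(description/vendor)' suffix, i.e.
    it could not attribute the filter driver to a known product.
    """
    return [m.groups() for m in map(ATTACHED_RE.match, entries) if m]


def modified_files(entries):
    """Paths GMER flagged as 'suspicious modification' in the Files section."""
    return [m.group(1) for m in map(MODIFIED_RE.match, entries) if m]


def triage(text):
    """One dict a helper can read top to bottom before deciding on next steps."""
    sections = parse_sections(text)
    filters = attached_filters(sections.get("Devices", []))
    return {
        "ssdt_hooks": ssdt_hooks_by_driver(sections.get("System", [])),
        "attributed_filters": sorted({f[2] for f in filters if f[3]}),
        "unattributed_filters": sorted({f[2] for f in filters if not f[3]}),
        "modified_files": modified_files(sections.get("Files", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The summary is a reading aid for the helper, in keeping with the caution above: an attributed filter driver such as an AV network watcher is expected, and nothing here is acted on automatically.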
 
Hi oxpride85.
We need to use ComboFix.
Please continue with the instructions below, then let me know if your searches are still redirected.


Disable AVG9

  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
  • Note: Don't forget to re-enable it after the fix.

Next.

  • Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY under Backup options make sure both the following are selected:
    • System registry.
    • Current user registry.
  • Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  • Now click on "OK". A registry backup has now been created.

Next.

Download and Run ComboFix
  • Please download ComboFix from one of the following links.

    Link 1.

    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
[Image: Query_RC.gif]

**Please note:** If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Image: RC_successful.gif]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Logs/Information to Post in your Next Reply

  • ComboFix.txt log.
  • Please give me an update on your computer's performance.
 
Ran ComboFix... still getting redirected... ARG!! Anyways, thank you for bearing with me and my computer, seems like it's being pretty stubborn!

Here's the log:
ComboFix 10-04-15.02 - Owner 04/16/2010 3:59.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.597 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2675569189-239620596-998515361-1003
c:\windows\system32\reboot.txt
D:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-16 11:07 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-04-16 11:07 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-04-15 05:09 . 2010-04-15 05:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-14 21:24 . 2010-04-14 21:24 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-14 21:23 . 2010-04-14 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-14 21:21 . 2010-04-14 21:21 -------- d-----w- c:\program files\Common Files\Java
2010-04-14 21:21 . 2010-04-14 21:21 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1dd0def2-n\decora-d3d.dll
2010-04-14 21:21 . 2010-04-14 21:21 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1dd0def2-n\decora-sse.dll
2010-04-14 21:21 . 2010-04-14 21:21 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2bd188cf-n\msvcp71.dll
2010-04-14 21:21 . 2010-04-14 21:21 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2bd188cf-n\jmc.dll
2010-04-14 21:21 . 2010-04-14 21:21 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2bd188cf-n\msvcr71.dll
2010-04-14 21:20 . 2010-04-14 21:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-14 11:15 . 2010-04-14 11:15 -------- d-----w- C:\_OTM
2010-04-14 00:44 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 00:44 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 00:31 . 2010-04-14 00:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-13 23:17 . 2010-04-15 11:32 -------- d-----w- c:\program files\trend micro
2010-04-13 23:16 . 2010-04-13 23:21 -------- d-----w- C:\rsit
2010-04-13 23:07 . 2010-04-13 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-13 13:57 . 2010-04-14 11:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 08:48 . 2008-04-14 01:39 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-04-12 08:48 . 2008-04-14 01:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-04-12 08:42 . 2010-04-12 08:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-11 11:14 . 2010-04-11 11:14 460640 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-11 11:14 . 2010-04-11 11:14 395032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgclitx.dll
2010-04-11 11:14 . 2010-04-11 11:14 1101152 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-11 11:14 . 2010-04-11 11:14 557920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-11 11:14 . 2010-04-11 11:14 301408 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-11 11:14 . 2010-04-11 11:14 623384 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcertx.dll
2010-04-11 07:10 . 2010-04-11 07:10 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-11 07:10 . 2010-04-11 07:10 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-11 07:09 . 2010-04-11 07:09 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-04-11 07:09 . 2010-04-11 07:09 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-04-09 20:49 . 2010-04-09 20:51 -------- dc-h--w- c:\windows\ie8
2010-04-09 10:05 . 2010-04-09 10:05 -------- d-----w- c:\program files\ERUNT
2010-04-09 10:03 . 2010-04-09 10:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-09 10:03 . 2010-04-09 10:03 -------- d-----w- c:\program files\TrendMicro
2010-04-09 08:50 . 2010-04-09 08:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-04-09 08:28 . 2010-04-09 08:28 -------- d-----w- c:\program files\Common Files\Skype
2010-04-09 08:28 . 2010-04-09 08:28 -------- d-----r- c:\program files\Skype
2010-04-08 07:34 . 2010-04-09 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 07:34 . 2010-04-09 08:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-08 06:59 . 2010-04-08 07:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-08 06:55 . 2010-04-08 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-08 06:55 . 2010-04-08 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-08 06:55 . 2010-04-08 06:55 -------- d-----w- c:\program files\NortonInstaller
2010-04-08 06:55 . 2010-04-08 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-04-08 06:25 . 2010-04-08 06:25 -------- d-----w- C:\$AVG
2010-04-08 02:37 . 2010-02-23 21:04 1664256 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-04-08 02:34 . 2010-04-08 02:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-08 02:34 . 2010-04-08 02:34 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-08 02:34 . 2010-04-08 02:34 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-08 02:34 . 2010-04-08 02:34 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-08 02:34 . 2010-04-16 10:46 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-08 02:34 . 2010-04-08 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-04-08 02:29 . 2010-04-08 02:29 -------- d-----w- c:\program files\AVG
2010-04-08 02:28 . 2010-04-16 10:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-08 00:28 . 2010-04-08 00:28 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\VS Revo Group
2010-04-08 00:27 . 2009-12-30 18:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-04-08 00:27 . 2010-04-08 00:27 -------- d-----w- c:\program files\VS Revo Group
2010-04-07 21:13 . 2010-04-07 21:13 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-04-05 09:51 . 2010-04-15 13:34 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-04-05 09:42 . 2010-04-05 09:42 -------- d-----w- c:\program files\VideoLAN
2010-03-20 08:21 . 2010-03-20 08:23 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\kSolo
2010-03-20 08:21 . 2010-03-20 08:21 -------- d-----w- c:\program files\kSolo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 04:44 . 2010-03-07 15:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-04-15 12:12 . 2010-02-18 07:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 21:28 . 2005-03-23 18:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-14 21:20 . 2005-03-27 06:01 -------- d-----w- c:\program files\Java
2010-04-14 12:56 . 2005-03-23 16:52 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-04-12 23:05 . 2008-10-13 02:32 7 -c--a-w- c:\windows\sbacknt.bin
2010-04-12 07:37 . 2008-10-04 02:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2010-04-09 08:49 . 2008-10-04 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-09 08:28 . 2010-03-07 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-08 12:02 . 2010-03-07 15:22 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-04-07 23:39 . 2009-01-26 21:01 -------- d-----w- c:\program files\Bonjour
2010-04-07 23:36 . 2009-01-26 21:06 -------- d-----w- c:\program files\QuickTime
2010-04-07 23:35 . 2008-10-04 02:32 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2010-04-07 23:35 . 2008-09-04 10:21 -------- d-----w- c:\program files\Common Files\aolshare
2010-04-07 23:35 . 2008-09-04 10:21 -------- d-----w- c:\program files\Common Files\AOL
2010-04-07 23:29 . 2008-10-04 02:23 -------- d-----w- c:\program files\Yahoo!
2010-03-14 22:14 . 2008-09-04 10:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-14 21:44 . 2010-03-14 21:44 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-14 21:44 . 2010-03-14 21:44 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-14 21:44 . 2008-09-04 10:21 -------- d-----w- c:\program files\Common Files\Real
2010-03-14 21:43 . 2010-03-14 21:40 -------- d-----w- c:\program files\real
2010-03-14 21:42 . 2010-03-14 21:42 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-10 06:15 . 2005-03-23 16:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 16:20 . 2008-10-06 19:34 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2010-03-07 15:22 . 2010-03-07 15:22 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-25 06:24 . 2005-03-23 16:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-03-23 16:52 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 23:32 . 2008-10-04 02:41 98416 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-20 23:18 . 2008-09-04 10:20 -------- d-----w- c:\program files\Microsoft Works
2010-02-17 16:10 . 2005-03-23 16:52 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-02-28 05:21 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2005-03-23 16:52 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-03-23 16:52 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 21:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-04-06 26102056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-14 202256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-27 139264]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-12 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-08 02:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:coh
"9102:TCP"= 9102:TCP:coh2
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/7/2010 7:34 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/7/2010 7:34 PM 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/7/2010 7:31 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/7/2010 7:31 PM 308064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/3/2008 8:24 PM 24652]
S0 kzizy;kzizy; [x]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2008 5:20 AM 717296]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys --> c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [4/7/2010 7:34 PM 369920]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [9/4/2008 2:14 AM 200192]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/7/2010 5:27 PM 27064]
S3 Usbattspimpa;Usbattspimpa;c:\windows\system32\drivers\atinxbxx.sys [10/4/2008 11:49 AM 31744]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2008-09-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2008-09-04 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2008-09-04 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2010-04-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2643034619-977133499-1762504408-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2643034619-977133499-1762504408-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
AddRemove-Malwarebytes' Anti-Malware_is1 - l:\malwarebytes' anti-malware\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 04:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B93AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf76d6f28
\Driver\ACPI -> ACPI.sys @ 0xf74e9cb8
\Driver\atapi -> atapi.sys @ 0xf746b852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom 802.11g Network Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7332bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7321a0d
SendHandler -> NDIS.sys @ 0xf7335b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(920)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-16 04:12:37
ComboFix-quarantined-files.txt 2010-04-16 11:12

Pre-Run: 34,446,360,576 bytes free
Post-Run: 34,517,954,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C4DDB0578CEFC5786DD792C3B145921A
 
Hi oxpride85.
Thank you for bearing with me and my computer.
You're most welcome.
Ok please continue with the instructions below.



Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *atapi*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt



Next.

TDSSKiller
  • Please Download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller Folder on your desktop.
  • Right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below. Do not include the word Code:
    Code:
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • A log file should be created on your desktop called tdsskiller.txt. Please post the contents of that log in your next reply.



Logs/Information to Post in your Next Reply

  • SystemLook.txt log.
  • tdsskiller.txt log.
  • Please give me an update on your computer's performance.
 
Unfortunately, still getting redirected. But overall, the computer seems much improved.
Here are the logs:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:44 on 16/04/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [05:59 04/08/2004] [05:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [23:45 04/10/2008] [13:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [11:09 16/04/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\I386\ATAPI.SY_ -----c 49558 bytes [16:49 23/03/2005] [19:00 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\I386\COMPDATA\DECATAPI.HTM -----c 881 bytes [16:49 23/03/2005] [19:00 04/08/2004] FDA00ABB8831E4903E9442E9B01843ED
C:\WINDOWS\I386\COMPDATA\DECATAPI.TXT -----c 449 bytes [16:49 23/03/2005] [19:00 04/08/2004] F5A5EAC5B4790D90031B913DD5D559A5
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 96512 bytes [18:49 04/10/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

-=End Of File=-

12:08:03:062 1588 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:08:03:062 1588 ================================================================================
12:08:03:062 1588 SystemInfo:

12:08:03:062 1588 OS Version: 5.1.2600 ServicePack: 3.0
12:08:03:062 1588 Product type: Workstation
12:08:03:062 1588 ComputerName: SAMUEL
12:08:03:062 1588 UserName: Owner
12:08:03:062 1588 Windows directory: C:\WINDOWS
12:08:03:062 1588 Processor architecture: Intel x86
12:08:03:062 1588 Number of processors: 1
12:08:03:062 1588 Page size: 0x1000
12:08:03:078 1588 Boot type: Normal boot
12:08:03:078 1588 ================================================================================
12:08:03:078 1588 UnloadDriverW: NtUnloadDriver error 2
12:08:03:078 1588 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:08:03:250 1588 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:08:03:250 1588 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:08:03:250 1588 wfopen_ex: Trying to KLMD file open
12:08:03:250 1588 wfopen_ex: File opened ok (Flags 2)
12:08:03:250 1588 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:08:03:250 1588 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:08:03:250 1588 wfopen_ex: Trying to KLMD file open
12:08:03:250 1588 wfopen_ex: File opened ok (Flags 2)
12:08:03:250 1588 Initialize success
12:08:03:250 1588
12:08:03:250 1588 Scanning Services ...
12:08:03:921 1588 Raw services enum returned 349 services
12:08:03:953 1588
12:08:03:953 1588 Scanning Kernel memory ...
12:08:03:953 1588 Devices to scan: 5
12:08:03:953 1588
12:08:03:953 1588 Driver Name: Disk
12:08:03:953 1588 IRP_MJ_CREATE : F76D8BB0
12:08:03:953 1588 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
12:08:03:953 1588 IRP_MJ_CLOSE : F76D8BB0
12:08:03:953 1588 IRP_MJ_READ : F76D2D1F
12:08:03:953 1588 IRP_MJ_WRITE : F76D2D1F
12:08:03:953 1588 IRP_MJ_QUERY_INFORMATION : 804F355A
12:08:03:953 1588 IRP_MJ_SET_INFORMATION : 804F355A
12:08:03:953 1588 IRP_MJ_QUERY_EA : 804F355A
12:08:03:953 1588 IRP_MJ_SET_EA : 804F355A
12:08:03:953 1588 IRP_MJ_FLUSH_BUFFERS : F76D32E2
12:08:03:953 1588 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
12:08:03:953 1588 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
12:08:03:953 1588 IRP_MJ_DIRECTORY_CONTROL : 804F355A
12:08:03:953 1588 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
12:08:03:953 1588 IRP_MJ_DEVICE_CONTROL : F76D33BB
12:08:03:953 1588 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76D6F28
12:08:03:953 1588 IRP_MJ_SHUTDOWN : F76D32E2
12:08:03:953 1588 IRP_MJ_LOCK_CONTROL : 804F355A
12:08:03:953 1588 IRP_MJ_CLEANUP : 804F355A
12:08:03:953 1588 IRP_MJ_CREATE_MAILSLOT : 804F355A
12:08:03:953 1588 IRP_MJ_QUERY_SECURITY : 804F355A
12:08:03:953 1588 IRP_MJ_SET_SECURITY : 804F355A
12:08:03:953 1588 IRP_MJ_POWER : F76D4C82
12:08:03:953 1588 IRP_MJ_SYSTEM_CONTROL : F76D999E
12:08:03:953 1588 IRP_MJ_DEVICE_CHANGE : 804F355A
12:08:03:953 1588 IRP_MJ_QUERY_QUOTA : 804F355A
12:08:03:953 1588 IRP_MJ_SET_QUOTA : 804F355A
12:08:04:000 1588 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:08:04:000 1588
12:08:04:000 1588 Driver Name: MXOPSWD
12:08:04:000 1588 IRP_MJ_CREATE : F77D607A
12:08:04:000 1588 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
12:08:04:000 1588 IRP_MJ_CLOSE : F77D607A
12:08:04:015 1588 IRP_MJ_READ : 804F355A
12:08:04:015 1588 IRP_MJ_WRITE : 804F355A
12:08:04:015 1588 IRP_MJ_QUERY_INFORMATION : 804F355A
12:08:04:015 1588 IRP_MJ_SET_INFORMATION : 804F355A
12:08:04:015 1588 IRP_MJ_QUERY_EA : 804F355A
12:08:04:015 1588 IRP_MJ_SET_EA : 804F355A
12:08:04:015 1588 IRP_MJ_FLUSH_BUFFERS : 804F355A
12:08:04:015 1588 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
12:08:04:015 1588 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
12:08:04:015 1588 IRP_MJ_DIRECTORY_CONTROL : 804F355A
12:08:04:015 1588 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
12:08:04:015 1588 IRP_MJ_DEVICE_CONTROL : F77D7712
12:08:04:015 1588 IRP_MJ_INTERNAL_DEVICE_CONTROL : F77D76E6
12:08:04:015 1588 IRP_MJ_SHUTDOWN : 804F355A
12:08:04:015 1588 IRP_MJ_LOCK_CONTROL : 804F355A
12:08:04:015 1588 IRP_MJ_CLEANUP : 804F355A
12:08:04:015 1588 IRP_MJ_CREATE_MAILSLOT : 804F355A
12:08:04:015 1588 IRP_MJ_QUERY_SECURITY : 804F355A
12:08:04:015 1588 IRP_MJ_SET_SECURITY : 804F355A
12:08:04:015 1588 IRP_MJ_POWER : F77D6B6A
12:08:04:015 1588 IRP_MJ_SYSTEM_CONTROL : F77D7746
12:08:04:015 1588 IRP_MJ_DEVICE_CHANGE : 804F355A
12:08:04:015 1588 IRP_MJ_QUERY_QUOTA : 804F355A
12:08:04:015 1588 IRP_MJ_SET_QUOTA : 804F355A
12:08:04:031 1588 C:\WINDOWS\system32\DRIVERS\mxopswd.sys - Verdict: 1
12:08:04:031 1588
12:08:04:031 1588 Driver Name: Disk
12:08:04:031 1588 IRP_MJ_CREATE : F76D8BB0
12:08:04:031 1588 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
12:08:04:031 1588 IRP_MJ_CLOSE : F76D8BB0
12:08:04:031 1588 IRP_MJ_READ : F76D2D1F
12:08:04:031 1588 IRP_MJ_WRITE : F76D2D1F
12:08:04:031 1588 IRP_MJ_QUERY_INFORMATION : 804F355A
12:08:04:031 1588 IRP_MJ_SET_INFORMATION : 804F355A
12:08:04:031 1588 IRP_MJ_QUERY_EA : 804F355A
12:08:04:031 1588 IRP_MJ_SET_EA : 804F355A
12:08:04:031 1588 IRP_MJ_FLUSH_BUFFERS : F76D32E2
12:08:04:031 1588 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
12:08:04:031 1588 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
12:08:04:031 1588 IRP_MJ_DIRECTORY_CONTROL : 804F355A
12:08:04:031 1588 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
12:08:04:031 1588 IRP_MJ_DEVICE_CONTROL : F76D33BB
12:08:04:031 1588 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76D6F28
12:08:04:031 1588 IRP_MJ_SHUTDOWN : F76D32E2
12:08:04:031 1588 IRP_MJ_LOCK_CONTROL : 804F355A
12:08:04:031 1588 IRP_MJ_CLEANUP : 804F355A
12:08:04:031 1588 IRP_MJ_CREATE_MAILSLOT : 804F355A
12:08:04:031 1588 IRP_MJ_QUERY_SECURITY : 804F355A
12:08:04:031 1588 IRP_MJ_SET_SECURITY : 804F355A
12:08:04:031 1588 IRP_MJ_POWER : F76D4C82
12:08:04:031 1588 IRP_MJ_SYSTEM_CONTROL : F76D999E
12:08:04:031 1588 IRP_MJ_DEVICE_CHANGE : 804F355A
12:08:04:031 1588 IRP_MJ_QUERY_QUOTA : 804F355A
12:08:04:031 1588 IRP_MJ_SET_QUOTA : 804F355A
12:08:04:031 1588 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:08:04:031 1588
12:08:04:031 1588 Driver Name: Disk
12:08:04:031 1588 IRP_MJ_CREATE : F76D8BB0
12:08:04:031 1588 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
12:08:04:031 1588 IRP_MJ_CLOSE : F76D8BB0
12:08:04:031 1588 IRP_MJ_READ : F76D2D1F
12:08:04:031 1588 IRP_MJ_WRITE : F76D2D1F
12:08:04:031 1588 IRP_MJ_QUERY_INFORMATION : 804F355A
12:08:04:031 1588 IRP_MJ_SET_INFORMATION : 804F355A
12:08:04:031 1588 IRP_MJ_QUERY_EA : 804F355A
12:08:04:031 1588 IRP_MJ_SET_EA : 804F355A
12:08:04:031 1588 IRP_MJ_FLUSH_BUFFERS : F76D32E2
12:08:04:031 1588 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
12:08:04:031 1588 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
12:08:04:031 1588 IRP_MJ_DIRECTORY_CONTROL : 804F355A
12:08:04:031 1588 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
12:08:04:031 1588 IRP_MJ_DEVICE_CONTROL : F76D33BB
12:08:04:031 1588 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76D6F28
12:08:04:031 1588 IRP_MJ_SHUTDOWN : F76D32E2
12:08:04:031 1588 IRP_MJ_LOCK_CONTROL : 804F355A
12:08:04:031 1588 IRP_MJ_CLEANUP : 804F355A
12:08:04:031 1588 IRP_MJ_CREATE_MAILSLOT : 804F355A
12:08:04:031 1588 IRP_MJ_QUERY_SECURITY : 804F355A
12:08:04:031 1588 IRP_MJ_SET_SECURITY : 804F355A
12:08:04:031 1588 IRP_MJ_POWER : F76D4C82
12:08:04:031 1588 IRP_MJ_SYSTEM_CONTROL : F76D999E
12:08:04:031 1588 IRP_MJ_DEVICE_CHANGE : 804F355A
12:08:04:031 1588 IRP_MJ_QUERY_QUOTA : 804F355A
12:08:04:031 1588 IRP_MJ_SET_QUOTA : 804F355A
12:08:04:031 1588 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:08:04:031 1588
12:08:04:031 1588 Driver Name: atapi
12:08:04:031 1588 IRP_MJ_CREATE : 86ABFAC8
12:08:04:031 1588 IRP_MJ_CREATE_NAMED_PIPE : 86ABFAC8
12:08:04:031 1588 IRP_MJ_CLOSE : 86ABFAC8
12:08:04:031 1588 IRP_MJ_READ : 86ABFAC8
12:08:04:031 1588 IRP_MJ_WRITE : 86ABFAC8
12:08:04:031 1588 IRP_MJ_QUERY_INFORMATION : 86ABFAC8
12:08:04:031 1588 IRP_MJ_SET_INFORMATION : 86ABFAC8
12:08:04:031 1588 IRP_MJ_QUERY_EA : 86ABFAC8
12:08:04:031 1588 IRP_MJ_SET_EA : 86ABFAC8
12:08:04:031 1588 IRP_MJ_FLUSH_BUFFERS : 86ABFAC8
12:08:04:031 1588 IRP_MJ_QUERY_VOLUME_INFORMATION : 86ABFAC8
12:08:04:031 1588 IRP_MJ_SET_VOLUME_INFORMATION : 86ABFAC8
12:08:04:031 1588 IRP_MJ_DIRECTORY_CONTROL : 86ABFAC8
12:08:04:031 1588 IRP_MJ_FILE_SYSTEM_CONTROL : 86ABFAC8
12:08:04:031 1588 IRP_MJ_DEVICE_CONTROL : 86ABFAC8
12:08:04:031 1588 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86ABFAC8
12:08:04:031 1588 IRP_MJ_SHUTDOWN : 86ABFAC8
12:08:04:031 1588 IRP_MJ_LOCK_CONTROL : 86ABFAC8
12:08:04:031 1588 IRP_MJ_CLEANUP : 86ABFAC8
12:08:04:031 1588 IRP_MJ_CREATE_MAILSLOT : 86ABFAC8
12:08:04:031 1588 IRP_MJ_QUERY_SECURITY : 86ABFAC8
12:08:04:031 1588 IRP_MJ_SET_SECURITY : 86ABFAC8
12:08:04:031 1588 IRP_MJ_POWER : 86ABFAC8
12:08:04:031 1588 IRP_MJ_SYSTEM_CONTROL : 86ABFAC8
12:08:04:031 1588 IRP_MJ_DEVICE_CHANGE : 86ABFAC8
12:08:04:031 1588 IRP_MJ_QUERY_QUOTA : 86ABFAC8
12:08:04:031 1588 IRP_MJ_SET_QUOTA : 86ABFAC8
12:08:04:031 1588 Driver "atapi" infected by TDSS rootkit!
12:08:04:062 1588 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
12:08:04:062 1588 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
12:08:04:062 1588 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
12:08:04:062 1588 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:08:04:421 1588 vfvi6
12:08:04:562 1588 !dsvbh1
12:08:07:359 1588 dsvbh2
12:08:07:359 1588 fdfb2
12:08:07:359 1588 Backup copy found, using it..
12:08:07:375 1588 will be cured on next reboot
12:08:07:375 1588 Reboot required for cure complete..
12:08:07:375 1588 Cure on reboot scheduled successfully
12:08:07:375 1588
12:08:07:375 1588 Completed
12:08:07:375 1588
12:08:07:375 1588 Results:
12:08:07:375 1588 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:08:07:375 1588 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:08:07:375 1588 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:08:07:375 1588
12:08:07:375 1588 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:08:07:375 1588 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:08:07:375 1588 UnloadDriverW: NtUnloadDriver error 1
12:08:07:375 1588 KLMD(ARK) unloaded successfully
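The TDSSKiller log above carries its own tell in the atapi section: every IRP_MJ entry, including majors a storage port driver never implements, resolves to one address (86ABFAC8), while the clean Disk driver spreads its entries over several routines plus the kernel default (804F355A). The parser below is an added example, not part of the thread or of Kaspersky's tool; the log excerpt is constructed from the values on this page.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the layout of the TDSSKiller 2.2.8.1 log posted above:
# a clean driver (Disk) followed by the flagged one (atapi), trimmed to a few
# IRP_MJ dispatch entries each. Addresses are the ones the page shows.
TDSSKILLER_LOG = r"""12:08:03:953 1588 Driver Name: Disk
12:08:03:953 1588 IRP_MJ_CREATE : F76D8BB0
12:08:03:953 1588 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
12:08:03:953 1588 IRP_MJ_CLOSE : F76D8BB0
12:08:03:953 1588 IRP_MJ_READ : F76D2D1F
12:08:03:953 1588 IRP_MJ_WRITE : F76D2D1F
12:08:03:953 1588 IRP_MJ_DEVICE_CONTROL : F76D33BB
12:08:04:000 1588 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:08:04:000 1588
12:08:04:031 1588 Driver Name: atapi
12:08:04:031 1588 IRP_MJ_CREATE : 86ABFAC8
12:08:04:031 1588 IRP_MJ_CREATE_NAMED_PIPE : 86ABFAC8
12:08:04:031 1588 IRP_MJ_CLOSE : 86ABFAC8
12:08:04:031 1588 IRP_MJ_READ : 86ABFAC8
12:08:04:031 1588 IRP_MJ_WRITE : 86ABFAC8
12:08:04:031 1588 IRP_MJ_DEVICE_CONTROL : 86ABFAC8
12:08:04:031 1588 Driver "atapi" infected by TDSS rootkit!
12:08:04:062 1588 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
"""

# Every TDSSKiller line starts with a timestamp (HH:MM:SS:mmm) and a thread id.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s+(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
INFECTED_RE = re.compile(r'^Driver "([^"]+)" infected by TDSS rootkit!$')
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\d+)$")


def parse_tdsskiller(text):
    """Return a list of driver records: name, IRP_MJ dispatch table, file path,
    the tool's verdict, and whether the tool itself flagged the driver."""
    drivers = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if (m2 := DRIVER_RE.match(msg)):
            current = {"name": m2.group(1), "handlers": OrderedDict(),
                       "path": None, "verdict": None, "tool_flagged": False}
            drivers.append(current)
        elif current is None:
            continue
        elif (m2 := IRP_RE.match(msg)):
            current["handlers"][m2.group(1)] = m2.group(2).upper()
        elif INFECTED_RE.match(msg):
            current["tool_flagged"] = True
        elif (m2 := VERDICT_RE.match(msg)):
            current["path"], current["verdict"] = m2.group(1), int(m2.group(2))
    return drivers


def collapsed_dispatch_table(handlers):
    """Heuristic: a healthy driver spreads its IRP_MJ entries over several
    routines (its own handlers plus the kernel's default for unsupported
    majors, 804F355A in the page's log). A table in which every major
    function, including ones a storage driver never implements such as
    IRP_MJ_CREATE_NAMED_PIPE, resolves to one address has been overwritten."""
    return len(handlers) > 1 and len(set(handlers.values())) == 1


def findings(text):
    """Map driver name -> list of reasons it deserves a look."""
    out = {}
    for d in parse_tdsskiller(text):
        reasons = []
        if collapsed_dispatch_table(d["handlers"]):
            addr = next(iter(d["handlers"].values()))
            reasons.append(f"all {len(d['handlers'])} IRP_MJ entries point to {addr}")
        if d["tool_flagged"]:
            reasons.append("TDSSKiller reported the driver infected")
        if reasons:
            out[d["name"]] = reasons
    return out


if __name__ == "__main__":
    for name, reasons in findings(TDSSKILLER_LOG).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run against the full log, the same check flags only the atapi section; the three Disk sections and MXOPSWD all keep distinct handler addresses.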
 
Hi oxpride85.

Ok, I need you to run the GMER scan again, but slightly differently this time. The last time you unchecked Sections; this time I'd like you to leave it checked.



  • Double click the .exe file ( 5tqmsmrl.exe ). If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    See image below
    GMER_2.png

  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.



Logs/Information to Post in your Next Reply

  • Gmer.txt log.
  • Please give me an update on your computer's performance.
 
Nothing new...still getting redirected!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 17:18:39
Windows 5.1.2600 Service Pack 3
Running: 5tqmsmrl.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uwtdypob.sys


---- System - GMER 1.0.15 ----

SSDT spgt.sys ZwCreateKey [0xF74120E0]
SSDT spgt.sys ZwEnumerateKey [0xF7430CA2]
SSDT spgt.sys ZwEnumerateValueKey [0xF7431030]
SSDT spgt.sys ZwOpenKey [0xF74120C0]
SSDT spgt.sys ZwQueryKey [0xF7431108]
SSDT spgt.sys ZwQueryValueKey [0xF7430F88]
SSDT spgt.sys ZwSetValueKey [0xF743119A]

INT 0x63 ? 8716ABF8
INT 0xA4 ? 871D4BF8
INT 0xA4 ? 871D4BF8
INT 0xA4 ? 871D4BF8
INT 0xA4 ? 871D4BF8

---- Kernel code sections - GMER 1.0.15 ----

? klmdb.sys The system cannot find the file specified. !
? spgt.sys The system cannot find the file specified. !
? tsk4.tmp The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6F648AC 5 Bytes JMP 871D41D8
.text a5atwvg9.SYS F6DEF386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a5atwvg9.SYS F6DEF3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a5atwvg9.SYS F6DEF3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a5atwvg9.SYS F6DEF3C9 1 Byte [2E]
.text a5atwvg9.SYS F6DEF3C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
.rsrc C:\WINDOWS\system32\DRIVERS\ipsec.sys entry point in ".rsrc" section [0xF2AAF614]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1432] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1432] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006C000C
.text C:\WINDOWS\System32\svchost.exe[1432] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0247000A
.text C:\WINDOWS\System32\svchost.exe[1432] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0246000A
.text C:\WINDOWS\Explorer.EXE[1752] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1752] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1752] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 871571F8
Device \FileSystem\Fastfat \FatCdrom 86D0A500

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\NetBT \Device\NetBT_Tcpip_{D6309E1C-707A-4E17-8702-AB9170A19514} 86D08500

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbohci \Device\USBPDO-0 871671F8
Device \Driver\usbohci \Device\USBPDO-1 871671F8
Device \Driver\usbehci \Device\USBPDO-2 871D51F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\USBSTOR \Device\000000a1 86AD7500
Device \Driver\NetBT \Device\NetBT_Tcpip_{380185D3-DC78-4C24-873E-054F0E711349} 86D08500
Device \Driver\Ftdisk \Device\HarddiskVolume1 871D61F8
Device \Driver\USBSTOR \Device\000000a3 86AD7500
Device \Driver\Ftdisk \Device\HarddiskVolume2 871D61F8
Device \Driver\Cdrom \Device\CdRom0 871681F8
Device \Driver\Cdrom \Device\CdRom1 871681F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 871D61F8
Device \Driver\atapi \Device\Ide\IdePort0 tsk4.tmp
Device \Driver\atapi \Device\Ide\IdePort1 tsk4.tmp
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e tsk4.tmp
Device \Driver\Cdrom \Device\CdRom2 871681F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86D08500
Device \Driver\NetBT \Device\NetbiosSmb 86D08500

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbohci \Device\USBFDO-0 871671F8
Device \Driver\PCI_PNP8314 \Device\0000006c spgt.sys
Device \Driver\usbohci \Device\USBFDO-1 871671F8
Device \Driver\sptd \Device\1296439564 spgt.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86A82500
Device \Driver\usbehci \Device\USBFDO-2 871D51F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86A82500
Device \Driver\Ftdisk \Device\FtControl 871D61F8
Device \Driver\a5atwvg9 \Device\Scsi\a5atwvg91Port2Path0Target1Lun0 86F96500
Device \Driver\a5atwvg9 \Device\Scsi\a5atwvg91 86F96500
Device \Driver\a5atwvg9 \Device\Scsi\a5atwvg91Port2Path0Target0Lun0 86F96500
Device \FileSystem\Fastfat \Fat 86D0A500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 866401F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 86AFBAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAE 0x7D 0x09 0x0C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEE 0xF0 0x56 0xCE ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0xED 0xC6 0x19 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF4 0xA7 0x9F 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAE 0x7D 0x09 0x0C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEE 0xF0 0x56 0xCE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0xED 0xC6 0x19 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF4 0xA7 0x9F 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAE 0x7D 0x09 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEE 0xF0 0x56 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0xED 0xC6 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF4 0xA7 0x9F 0xC9 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
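Two lines in the GMER log above do the diagnostic work: the Kernel code sections list tsk4.tmp as a module the system cannot find, and the Devices section shows atapi's IDE port device objects owned by that very file, while the Files section reports atapi.sys modified. The script below cross-references those three sections; it is an added example, not part of the thread or of GMER, and its log excerpt is constructed from this page's lines. Note that the same "missing module" test also matches spgt.sys, which the Registry section ties to DAEMON Tools' sptd driver, so the script only treats a driver carrying both signals as a strong candidate.

```python
import re

# Constructed excerpt in the layout of the GMER 1.0.15 log posted above (the
# second scan, with Sections enabled), trimmed to the lines the checks need.
GMER_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----

? klmdb.sys The system cannot find the file specified. !
? spgt.sys The system cannot find the file specified. !
? tsk4.tmp The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6F648AC 5 Bytes JMP 871D41D8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 871571F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 871D61F8
Device \Driver\atapi \Device\Ide\IdePort0 tsk4.tmp
Device \Driver\atapi \Device\Ide\IdePort1 tsk4.tmp
Device \Driver\sptd \Device\1296439564 spgt.sys
Device -> \Driver\atapi \Device\Harddisk0\DR0 86AFBAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\ipsec.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified\.\s+!$")
DEVICE_RE = re.compile(r"^Device\s+(?:->\s+)?(\\\S+)\s+(\\\S+)\s+(\S+)$")
FILE_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")
ADDR_RE = re.compile(r"^[0-9A-F]{8}$")


def parse_gmer(text):
    """Split the log into its sections and pull out the three facts the
    checks need: modules GMER could not find on disk, device objects with the
    module (or raw address) that owns them, and files it reports modified."""
    report = {"missing_modules": set(), "devices": [], "modified_files": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section == "Kernel code sections" and (m := MISSING_RE.match(line)):
            report["missing_modules"].add(m.group(1).lower())
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            driver, device, owner = m.groups()
            report["devices"].append({"driver": driver, "device": device, "owner": owner})
        elif section == "Files" and (m := FILE_RE.match(line)):
            report["modified_files"].append(m.group(1))
    return report


def phantom_device_owners(report):
    """Owner module -> device objects it owns, for owners GMER names but could
    not find on disk (tsk4.tmp for atapi's IDE ports in the page's log).
    Entries showing a bare address are skipped: no file name to check."""
    hits = {}
    for d in report["devices"]:
        owner = d["owner"]
        if ADDR_RE.match(owner):
            continue
        if owner.lower() in report["missing_modules"]:
            hits.setdefault(owner, []).append(d["device"])
    return hits


def drivers_with_modified_files(report):
    """Driver names (from \\Driver\\<name>) whose .sys GMER reports modified."""
    names = {d["driver"].rsplit("\\", 1)[-1].lower() for d in report["devices"]}
    return sorted(n for n in names
                  if any(f.lower().endswith("\\" + n + ".sys") for f in report["modified_files"]))


def correlate(report):
    """Driver name -> set of signals. Both signals together (atapi here) is a
    far stronger finding than one alone (sptd, whose spgt.sys is also 'missing'
    but is a legitimate DAEMON Tools component per the page's registry section)."""
    signals = {}
    phantom = phantom_device_owners(report)
    for d in report["devices"]:
        name = d["driver"].rsplit("\\", 1)[-1].lower()
        if d["owner"] in phantom:
            signals.setdefault(name, set()).add(f"devices owned by missing module {d['owner']}")
    for name in drivers_with_modified_files(report):
        signals.setdefault(name, set()).add("driver file reported modified")
    return signals


if __name__ == "__main__":
    rep = parse_gmer(GMER_LOG)
    for name, sig in sorted(correlate(rep).items(), key=lambda kv: -len(kv[1])):
        print(f"{name}: {len(sig)} signal(s): " + "; ".join(sorted(sig)))
```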
 
Hi oxpride85.
You have a rootkit called TDL3. This is a new variant and it can be very difficult to remove.
Let's try this. Please continue with the instructions below, then let me know if you still get redirects.

Disable AVG9

  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
  • Note: Don't forget to re-enable it after the fix.

Next.

  • Please navigate to Start >> All Programs >> ERUNT, then double-click ERUNT from the menu.
  • Click on OK within the pop-up menu.
  • In the next menu under C:\WINDOWS\ERDNT\DD-MM-YYYY, under Backup options, make sure both of the following are selected:
    • System registry.
    • Current user registry.
  • Next click on "OK"... at the prompt... reply "Yes".
    After a short duration the Registry backup is complete! pop-up message will appear.
  • Now click on "OK". A registry backup has now been created.

Next.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code:
    TDL::
    C:\WINDOWS\system32\DRIVERS\ipsec.sys 
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"=-
    "9102:TCP"=-
    "5353:TCP"=-
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    ComboFixScriptDrag.gif

    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.



Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Please give me an update on your computer's performance.
 
Good news! Looks like the redirects have stopped. I've been doing many searches on different search engines just to test it and so far nothing has been redirected! Hope that it stays like that...

Here's the ComboFix log:
ComboFix 10-04-15.05 - Owner 04/17/2010 5:05.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.620 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\ipsec.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\DRIVERS\ipsec.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-17 to 2010-04-17 )))))))))))))))))))))))))))))))
.

2010-04-16 11:07 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-04-16 11:07 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-04-15 05:09 . 2010-04-15 05:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-14 21:23 . 2010-04-14 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-14 21:21 . 2010-04-14 21:21 -------- d-----w- c:\program files\Common Files\Java
2010-04-14 21:20 . 2010-04-14 21:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-14 11:15 . 2010-04-14 11:15 -------- d-----w- C:\_OTM
2010-04-14 00:44 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 00:44 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 00:31 . 2010-04-14 00:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-13 23:17 . 2010-04-15 11:32 -------- d-----w- c:\program files\trend micro
2010-04-13 23:16 . 2010-04-13 23:21 -------- d-----w- C:\rsit
2010-04-13 23:07 . 2010-04-13 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-13 13:57 . 2010-04-14 11:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-12 08:48 . 2008-04-14 01:39 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2010-04-12 08:48 . 2008-04-14 01:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2010-04-12 08:42 . 2010-04-12 08:42 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-09 20:49 . 2010-04-09 20:51 -------- dc-h--w- c:\windows\ie8
2010-04-09 10:05 . 2010-04-09 10:05 -------- d-----w- c:\program files\ERUNT
2010-04-09 10:03 . 2010-04-09 10:03 -------- d-----w- c:\program files\TrendMicro
2010-04-09 08:50 . 2010-04-09 08:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2010-04-09 08:28 . 2010-04-09 08:28 -------- d-----w- c:\program files\Common Files\Skype
2010-04-09 08:28 . 2010-04-09 08:28 -------- d-----r- c:\program files\Skype
2010-04-08 07:34 . 2010-04-09 08:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 07:34 . 2010-04-09 08:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-08 06:59 . 2010-04-08 07:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-08 06:55 . 2010-04-08 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-08 06:55 . 2010-04-08 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-08 06:55 . 2010-04-08 06:55 -------- d-----w- c:\program files\NortonInstaller
2010-04-08 06:55 . 2010-04-08 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-04-08 06:25 . 2010-04-08 06:25 -------- d-----w- C:\$AVG
2010-04-08 02:34 . 2010-04-08 02:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-08 02:34 . 2010-04-08 02:34 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-08 02:34 . 2010-04-08 02:34 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-08 02:34 . 2010-04-08 02:34 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-08 02:34 . 2010-04-17 00:39 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-08 02:29 . 2010-04-08 02:29 -------- d-----w- c:\program files\AVG
2010-04-08 02:28 . 2010-04-16 11:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-08 00:28 . 2010-04-08 00:28 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\VS Revo Group
2010-04-08 00:27 . 2009-12-30 18:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-04-08 00:27 . 2010-04-08 00:27 -------- d-----w- c:\program files\VS Revo Group
2010-04-07 21:13 . 2010-04-07 21:13 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-04-05 09:51 . 2010-04-17 09:32 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-04-05 09:42 . 2010-04-05 09:42 -------- d-----w- c:\program files\VideoLAN
2010-03-20 08:21 . 2010-03-20 08:23 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\kSolo
2010-03-20 08:21 . 2010-03-20 08:21 -------- d-----w- c:\program files\kSolo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 03:00 . 2010-03-07 15:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2010-04-16 18:43 . 2010-04-16 18:43 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-04-16 18:43 . 2010-04-16 18:43 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-04-16 18:43 . 2010-04-16 18:43 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-04-16 18:43 . 2010-04-16 18:43 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-04-16 18:43 . 2010-04-16 18:43 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-04-16 18:43 . 2010-04-16 18:43 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll
2010-04-16 18:42 . 2010-04-16 18:42 4250976 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-04-16 18:42 . 2010-04-16 18:42 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll
2010-04-16 18:42 . 2010-04-16 18:42 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll
2010-04-16 18:42 . 2010-04-16 18:42 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2010-04-16 18:42 . 2010-04-16 18:42 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe
2010-04-16 18:42 . 2010-04-16 18:42 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-04-16 18:41 . 2010-04-16 18:41 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-04-16 18:41 . 2010-04-16 18:41 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-04-16 18:40 . 2010-03-07 15:22 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2010-04-15 12:12 . 2010-02-18 07:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-14 21:28 . 2005-03-23 18:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-14 21:24 . 2010-04-14 21:24 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-14 21:21 . 2010-04-14 21:21 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1dd0def2-n\decora-d3d.dll
2010-04-14 21:21 . 2010-04-14 21:21 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-1dd0def2-n\decora-sse.dll
2010-04-14 21:21 . 2010-04-14 21:21 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2bd188cf-n\msvcp71.dll
2010-04-14 21:21 . 2010-04-14 21:21 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2bd188cf-n\jmc.dll
2010-04-14 21:21 . 2010-04-14 21:21 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2bd188cf-n\msvcr71.dll
2010-04-14 21:20 . 2005-03-27 06:01 -------- d-----w- c:\program files\Java
2010-04-14 12:56 . 2005-03-23 16:52 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-04-12 23:05 . 2008-10-13 02:32 7 -c--a-w- c:\windows\sbacknt.bin
2010-04-12 07:37 . 2008-10-04 02:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2010-04-11 11:14 . 2010-04-11 11:14 395032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgclitx.dll
2010-04-11 11:14 . 2010-04-11 11:14 623384 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcertx.dll
2010-04-11 07:09 . 2010-04-11 07:09 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-04-11 07:09 . 2010-04-11 07:09 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-04-09 10:03 . 2010-04-09 10:03 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-09 08:49 . 2008-10-04 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-09 08:28 . 2010-03-07 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-04-07 23:39 . 2009-01-26 21:01 -------- d-----w- c:\program files\Bonjour
2010-04-07 23:36 . 2009-01-26 21:06 -------- d-----w- c:\program files\QuickTime
2010-04-07 23:35 . 2008-10-04 02:32 -------- dcsh--w- c:\program files\Common Files\WindowsLiveInstaller
2010-04-07 23:35 . 2008-09-04 10:21 -------- d-----w- c:\program files\Common Files\aolshare
2010-04-07 23:35 . 2008-09-04 10:21 -------- d-----w- c:\program files\Common Files\AOL
2010-04-07 23:29 . 2008-10-04 02:23 -------- d-----w- c:\program files\Yahoo!
2010-03-14 22:14 . 2008-09-04 10:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-14 21:44 . 2010-03-14 21:44 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-14 21:44 . 2010-03-14 21:44 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-14 21:44 . 2010-03-14 21:44 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-14 21:44 . 2008-09-04 10:21 -------- d-----w- c:\program files\Common Files\Real
2010-03-14 21:43 . 2010-03-14 21:40 -------- d-----w- c:\program files\real
2010-03-14 21:42 . 2010-03-14 21:42 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-10 06:15 . 2005-03-23 16:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 16:20 . 2008-10-06 19:34 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2010-03-07 15:22 . 2010-03-07 15:22 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-02-25 06:24 . 2005-03-23 16:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2005-03-23 16:52 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 23:32 . 2008-10-04 02:41 98416 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-20 23:18 . 2008-09-04 10:20 -------- d-----w- c:\program files\Microsoft Works
2010-02-17 16:10 . 2005-03-23 16:52 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 05:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-02-28 05:21 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2005-03-23 16:52 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2005-03-23 16:52 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-14 202256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-27 139264]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-12 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-08 02:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/7/2010 7:34 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/7/2010 7:34 PM 242696]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/7/2010 7:31 PM 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/7/2010 7:31 PM 308064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/3/2008 8:24 PM 24652]
S0 kzizy;kzizy; [x]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys --> c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [?]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [9/4/2008 2:14 AM 200192]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/7/2010 5:27 PM 27064]
S3 Usbattspimpa;Usbattspimpa;c:\windows\system32\drivers\atinxbxx.sys [10/4/2008 11:49 AM 31744]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/25/2008 5:20 AM 717296]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2008-09-04 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2008-09-04 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2008-09-04 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2010-04-17 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2643034619-977133499-1762504408-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2643034619-977133499-1762504408-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-17 05:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3528)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-17 05:24:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-17 12:24
ComboFix2.txt 2010-04-16 11:12

Pre-Run: 32,930,181,120 bytes free
Post-Run: 34,038,943,744 bytes free

- - End Of File - - 98E730251E56A607FAFD5A2EB45820FC
 
Hi oxpride85.
Good news! Looks like the redirects have stopped.
Good work, it looks like that last ComboFix script got it :bigthumb:

Let's get one more check with the Kaspersky Online Scan.



Please run ATF Cleaner again; it should still be on your desktop.


Next.

Disable AVG9

  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
  • Note: Don't forget to re-enable it after the below scan.

Next.

Kaspersky Online Scan

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go to the Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan. * This will take a while. Please be patient *.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

This online tutorial will help explain how to use the aforementioned online scan.



Logs/Information to Post in your Next Reply

  • Kaspersky log.
  • Please give me an update on your computer's performance.
 
Computer is looking good! No more signs of funny business

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, April 17, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, April 17, 2010 17:51:00
Records in database: 3949485
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
L:\

Scan statistics:
Objects scanned: 101200
Threats found: 11
Infected objects found: 19
Suspicious objects found: 0
Scan duration: 04:34:34


File name / Threat / Threats count
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP483\A0045963.dll Infected: Trojan.Win32.Stuh.anyl 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP483\A0045964.dll Infected: Trojan.Win32.Stuh.anyl 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP491\A0046740.dll Infected: Trojan.Win32.Monder.desq 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP491\A0046741.dll Infected: Trojan.Win32.Monder.deuf 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP491\A0046742.dll Infected: Trojan.Win32.Stuh.anzj 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP492\A0046784.dll Infected: Trojan.Win32.Monder.detk 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP492\A0046785.dll Infected: Trojan.Win32.Monder.desv 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP492\A0046786.dll Infected: Trojan.Win32.Monder.detm 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP499\A0050994.dll Infected: Trojan.Win32.Monder.deuf 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP500\A0057109.dll Infected: Trojan.Win32.Monder.deuf 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP500\A0057160.dll Infected: Trojan.Win32.Monder.deuf 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP501\A0057161.dll Infected: Trojan.Win32.Monder.deuf 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP501\A0057189.dll Infected: Trojan.Win32.Monder.deuf 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP502\A0060330.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP503\A0061327.dll Infected: Trojan.Win32.Monder.deuf 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP503\A0061328.dll Infected: Trojan.Win32.Monder.deuf 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP503\A0062708.exe Infected: Trojan.Win32.Fraudpack.aqix 1
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP503\A0062714.exe Infected: Packed.Win32.Katusha.j 1
C:\WINDOWS\system32\drivers\etc\hosts.20090715-030606.backup Infected: Trojan.Win32.Qhost.mcf 1

Selected area has been scanned.
 
Hi oxpride85.
Computer is looking good! No more signs of funny business.
Great news :)
Most of what the Kaspersky scan found will be cleared when we flush your system restore points.
One last thing to do before I give you final instructions.

Download HostsXpert and unzip it to your computer, somewhere where you can find it but don't run it yet.

Next.

Re-run OTM
  • Double-click OTM.exe to run it.
  • Right-click then copy the following code. Do not include the word Code.
    Code:
    :Files
    C:\WINDOWS\system32\drivers\etc\hosts
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTM, right-click then paste the code into the blank box.
  • Push the large MoveIt! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Next.

  • Double click on HostsXpert.exe to launch the programme.
  • When prompted with:
    HOSTS file does not exist, press OK to create HOSTS file, Cancel to quit.
  • Select OK.
  • Check to see if top button on left hand side says Make Writable?
    • If it does. click on it then proceed to next instruction.
    • If not, just proceed to next instruction
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition
  • When prompted to confirm, click OK.
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only? to secure it against infection.
  • Exit the programme.


Logs/Information to Post in your Next Reply

  • OTM log.
  • Please give me an update on your computer's performance.
 
Everything's looking good!

Here's the OTM log:
All processes killed
========== FILES ==========
C:\WINDOWS\system32\drivers\etc\hosts moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

User: Administrator.SAMUEL
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 685 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 8202 bytes

User: Owner
->Temp folder emptied: 104259365 bytes
->Temporary Internet Files folder emptied: 108178562 bytes
->Java cache emptied: 136773 bytes
->Flash cache emptied: 8178 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 110 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 203.00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 04182010_230313

Files moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\~DF83BE.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XRU023RJ\showthread[1].php moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...
 
Hi oxpride85 your latest set of logs appear to be clean! :)
This is my general post for when your logs show no more signs of malware.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Time for some housekeeping
  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall; it needs to be there.
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

Next.

Clean up with OTM

  • Double-click OTM.exe to start the program. This tool will remove all the tools we used to clean your PC.
  • Close all other programs apart from OTMoveIt3, as this step will require a reboot.
  • On the OTM main screen, press the CleanUp! button
  • Say Yes to the prompt and then allow the program to reboot your computer.

You can now delete any tools we used if they remain on your Desktop.


Next.


Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

Here are some free programs I recommend that could help you improve your computer's security.

I recommend you keep Malwarebytes' Anti-Malware, keep it updated and run it once a week.

Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here

Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE

MVPS Hosts

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You can find the tutorial HERE

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer
You can do that HERE

Read some information HERE On how to prevent Malware

Is your pc running slow?
Read What to do if your Computer is running slowly

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Safe surfing!
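The hosts-file steps in this thread (the HostsXpert restore, the MVPS Hosts blocklist, and the Trojan.Win32.Qhost hit on the old hosts backup) all turn on one distinction: a benign blocklist sinkholes ad domains to 127.0.0.1, while a hijack either redirects legitimate names to a remote address or sinkholes the domains your protection needs to update. The audit below is an added example, not code from the thread, HostsXpert or MVPS; the sample hosts content, the watch list of vendor domains and the 203.0.113.5 address are constructed for the demonstration.

```python
"""Audit a Windows HOSTS file for hijack-style entries.

A blocklist such as the MVPS Hosts file maps ad and tracking domains to the
loopback address 127.0.0.1 (or to 0.0.0.0), so the connection goes nowhere.
A Qhost-style hijack does the reverse: it points a legitimate domain at a
remote address, or sinkholes security-vendor and update domains so the
machine can no longer update its protection.  This script separates the two.
"""
import ipaddress
from typing import List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Finding = Tuple[int, str, str, str]  # (line number, hostname, ip, reason)

# Constructed sample, not the poster's actual hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# MVPS-style blocklist entries (benign)
0.0.0.0     ads.example-adserver.test
127.0.0.1   tracker.example-adserver.test   # trailing comment
# Hijack-style entries (constructed for this example)
127.0.0.1   www.kaspersky.com
0.0.0.0     update.avg.com
203.0.113.5 www.google.com
203.0.113.5 www.yahoo.com
"""

# Domains whose sinkholing is suspicious because it disables protection.
# Constructed watch list; extend it with the vendors you actually rely on.
PROTECTED_SUFFIXES = (
    "kaspersky.com", "avg.com", "microsoft.com", "windowsupdate.com",
    "symantec.com", "safer-networking.org", "malwarebytes.org",
)


def parse_hosts(text: str) -> List[Tuple[int, IPAddress, str]]:
    """Return (line_no, ip, hostname) for every mapping in the file.

    Comments (#...), blank lines and lines whose first field is not an IP
    address are skipped, which is how the Windows resolver treats them.
    """
    entries: List[Tuple[int, IPAddress, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed first field: not a mapping
        for host in fields[1:]:  # one line may list several names
            entries.append((line_no, ip, host.lower()))
    return entries


def is_sinkhole(ip: IPAddress) -> bool:
    """True for addresses that make a name resolve to nowhere useful."""
    return ip.is_loopback or ip.is_unspecified


def is_protected(host: str) -> bool:
    """True if the name belongs to a security-vendor or update domain."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> List[Finding]:
    """Flag hijack-style mappings; MVPS-style blocklist lines are not reported."""
    findings: List[Finding] = []
    for line_no, ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the one mapping a default Windows hosts file contains
        if not is_sinkhole(ip):
            findings.append((line_no, host, str(ip),
                             "legitimate-looking name redirected to a remote address"))
        elif is_protected(host):
            findings.append((line_no, host, str(ip),
                             "security/update domain sinkholed"))
    return findings


def count_blocklist_entries(text: str) -> int:
    """Number of benign sinkhole entries (what a blocklist like MVPS adds)."""
    return sum(1 for _, ip, host in parse_hosts(text)
               if host != "localhost" and is_sinkhole(ip) and not is_protected(host))


if __name__ == "__main__":
    for line_no, host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}: {reason}")
    print(f"benign blocklist entries: {count_blocklist_entries(SAMPLE_HOSTS)}")
```

To check a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts` instead of the constructed sample; a clean file after the HostsXpert restore yields no findings, and an MVPS install only raises the blocklist count.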
 
Thank You!!!

Thank you so much for all your help Cypher!! Saved me from bashing in my computer...:laugh:lol:laugh: Couldn't have done it without you.

PS: my computer thanks you too :D

I'll do my best to keep my computer safe, hopefully I won't need to come back here again!
 