
Author Topic: Browser redirects and possible rootkit  (Read 15196 times)


Brant Farris

    Topic Starter



    Browser redirects and possible rootkit
    « on: March 01, 2010, 07:11:44 PM »
    After installing a MS update, the computer failed to reboot.  Upon checking the internet I found how to remove the update and get Windows back, but am unable to find the virus/malware/rootkit.  Both browsers (Firefox and IE 8) are trying to redirect me to websites that are not what I typed in.  I have scanned with an updated Malwarebytes, AVG Free and some online scanners but cannot figure out what the problem is.  Below is my post of the HJT log.  Please help me to fix this computer.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:08:39 PM, on 3/1/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\sniper.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228618616578
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

    --
    End of file - 8375 bytes

    evilfantasy

    • Malware Removal Specialist


    Re: Browser redirects and possible rootkit
    « Reply #1 on: March 02, 2010, 10:13:27 AM »
    Welcome to CH.

    1. Close all open Web browsers.
    2. From the Start menu in Windows select Control Panel.
    3. Select Add or Remove Programs.
    4. Uninstall any of the following programs associated with Ask.com: (the names may be slightly different)

    - Ask.com
    - Ask Bar
    - Ask Desktop Search
    - Ask Search
    - Ask Toolbar
    - Ask Jeeves


    5. Click Change/Remove for each and uninstall all found.

    ----------

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    ----------

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    ----------

    If you already have ComboFix be sure to delete it and download a new copy.

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note:  It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
     
    Double click combofix.exe & follow the prompts.
    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix
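The HijackThis log in the first post is plain text with one entry per line, and the reply above triages it by hand: an orphaned BHO whose file is "(no file)", the Ask.com toolbar components, and the Windows Messenger button. As an added example (not code from either poster, nor part of HijackThis), the Python below parses lines in that format and applies those same three checks as rules, then groups entries by CLSID so a component registered as both a BHO (O2) and a toolbar (O3) appears as a single item. The sample lines are constructed, modelled on the entries in the log above; the CLSID grouping goes beyond what the reply does.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in HijackThis v2 log format, modelled on the entry
# types in the log above (R0, R3, O2, O3, O4, O9, O23). Raw string so the
# Windows backslashes survive unchanged.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Entry:
    code: str                 # HijackThis section code, e.g. "O2"
    body: str                 # text after "O2 - "
    clsid: Optional[str]      # {GUID} if the entry carries one, upper-cased
    path: Optional[str]       # file path field, or "(no file)" for orphans
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, blanks and process lists."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    if code == "O4":
        # O4 - HKLM\..\Run: [name] path
        m4 = re.search(r"\]\s*(.+)$", body)
        path = m4.group(1).strip() if m4 else None
    else:
        # "Name - {CLSID} - path" style entries: the path is the last field.
        parts = body.split(" - ")
        path = parts[-1].strip() if len(parts) >= 2 else None
    return Entry(code, body, clsid, path)


def triage(entry: Entry) -> List[str]:
    """The checks the reply applies, expressed as rules over a parsed entry."""
    flags: List[str] = []
    if entry.path == "(no file)":
        flags.append("orphaned registration: CLSID present but its file is gone")
    if entry.path and "\\ask.com\\" in entry.path.lower():
        flags.append("Ask.com toolbar component")
    if entry.code == "O9" and entry.path and entry.path.lower().endswith("msmsgs.exe"):
        flags.append("Windows Messenger browser integration")
    return flags


def parse_log(text: str) -> List[Entry]:
    entries = [e for e in map(parse_line, text.splitlines()) if e is not None]
    for e in entries:
        e.flags = triage(e)
    return entries


def flagged_entries(text: str) -> List[Entry]:
    return [e for e in parse_log(text) if e.flags]


def entries_by_clsid(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries sharing a CLSID, so a component registered as both a
    BHO (O2) and a toolbar (O3) shows up as one item to remove."""
    groups: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.clsid:
            groups.setdefault(e.clsid, []).append(e)
    return groups


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        if e.flags:
            print(f"{e.code}: {e.body}\n    -> {'; '.join(e.flags)}")
    for clsid, group in entries_by_clsid(entries).items():
        if len(group) > 1:
            print(f"{clsid} registered in sections {[g.code for g in group]}")
```

Run against the constructed sample it flags five of the nine entries (the URLSearchHook, both Ask entries, the orphaned BHO and the Messenger button) and reports the Ask CLSID as registered in both O2 and O3. The rules only cover what the reply itself calls out; a real triage would keep the list of legitimate entries (AVG, Adobe, Intel graphics) as a whitelist rather than treating the absence of a flag as a clean bill.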

    Brant Farris

      Topic Starter



      Re: Browser redirects and possible rootkit
      « Reply #2 on: March 04, 2010, 08:31:12 PM »
      ComboFix 10-03-03.03 - Owner 03/03/2010  21:05:36.2.1 - x86
      Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2046.1557 [GMT -6:00]
      Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
      AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
      .

      (((((((((((((((((((((((((   Files Created from 2010-02-04 to 2010-03-04  )))))))))))))))))))))))))))))))
      .

      2010-03-02 01:39 . 2010-03-02 01:39   503808   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37d5c5ea-n\msvcp71.dll
      2010-03-02 01:39 . 2010-03-02 01:39   499712   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37d5c5ea-n\jmc.dll
      2010-03-02 01:39 . 2010-03-02 01:39   348160   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37d5c5ea-n\msvcr71.dll
      2010-03-02 01:39 . 2010-03-02 01:39   61440   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-174915d5-n\decora-sse.dll
      2010-03-02 01:39 . 2010-03-02 01:39   12800   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-174915d5-n\decora-d3d.dll
      2010-03-01 03:15 . 2010-03-01 03:20   0   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
      2010-03-01 01:18 . 2010-03-01 01:18   --------   d-----w-   c:\program files\CCleaner
      2010-03-01 01:03 . 2010-03-01 01:03   --------   d-----w-   c:\program files\ESET
      2010-03-01 00:52 . 2010-03-01 00:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\F-Secure
      2010-03-01 00:16 . 2010-02-27 07:20   77312   ----a-w-   C:\mbr.exe
      2010-02-27 07:07 . 2010-02-27 07:07   --------   d-----w-   c:\program files\Trend Micro
      2010-02-27 02:39 . 2010-02-27 04:54   --------   d-----w-   C:\$AVG
      2010-02-27 02:39 . 2010-02-27 02:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
      2010-02-24 05:53 . 2010-02-24 05:53   52224   ----a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
      2010-02-24 05:52 . 2010-02-25 14:00   117760   ----a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2010-02-24 05:52 . 2010-02-24 05:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2010-02-24 05:52 . 2010-02-24 05:52   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-02-24 05:52 . 2010-02-24 05:52   --------   d-----w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
      2010-02-24 05:52 . 2010-02-24 05:52   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
      2010-02-20 19:06 . 2009-02-08 00:02   2066048   -c--a-w-   c:\windows\system32\dllcache\ntkrnlpa.exe
      2010-02-20 19:06 . 2009-02-08 00:02   2066048   ------w-   c:\windows\system32\ntkrnlpa.exe
      2010-02-20 19:06 . 2009-02-06 11:08   2189056   -c--a-w-   c:\windows\system32\dllcache\ntoskrnl.exe
      2010-02-20 19:06 . 2009-02-06 11:08   2189056   ------w-   c:\windows\system32\ntoskrnl.exe
      2010-02-20 19:06 . 2009-02-06 11:06   2145280   -c--a-w-   c:\windows\system32\dllcache\ntkrnlmp.exe
      2010-02-20 19:06 . 2009-02-06 10:32   2023936   -c--a-w-   c:\windows\system32\dllcache\ntkrpamp.exe
      2010-02-20 06:54 . 2010-02-20 06:55   --------   d-----w-   C:\2bdf826724bc762ab56c8ced
      2010-02-19 14:02 . 2010-02-19 14:02   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
      2010-02-19 14:02 . 2010-01-07 22:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-02-19 14:02 . 2010-02-19 14:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-02-19 14:02 . 2010-02-19 14:02   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-02-19 14:02 . 2010-01-07 22:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-02-19 03:06 . 2010-02-21 06:10   --------   d-----w-   c:\program files\Windows Live Safety Center
      2010-02-19 02:39 . 2010-02-19 02:39   --------   d-----w-   c:\program files\Sophos
      2010-02-19 02:37 . 2008-04-14 00:11   21504   -c--a-w-   c:\windows\system32\dllcache\hidserv.dll
      2010-02-19 02:37 . 2008-04-14 00:11   21504   ----a-w-   c:\windows\system32\hidserv.dll
      2010-02-19 01:07 . 2010-02-19 01:07   1339288   ----a-w-   C:\sar_15_sfx.exe
      2010-02-10 03:04 . 2009-11-21 15:51   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
      2010-02-10 03:02 . 2009-10-15 16:28   81920   -c----w-   c:\windows\system32\dllcache\fontsub.dll
      2010-02-10 03:02 . 2009-10-15 16:28   119808   -c----w-   c:\windows\system32\dllcache\t2embed.dll
      2010-02-10 03:02 . 2009-06-21 21:44   153088   -c----w-   c:\windows\system32\dllcache\triedit.dll
      2010-02-10 03:01 . 2009-07-10 13:27   1315328   -c----w-   c:\windows\system32\dllcache\msoe.dll
      2010-02-10 01:25 . 2010-02-10 01:25   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\The Weather Channel
      2010-02-10 00:00 . 2010-02-10 00:00   --------   d-sh--w-   c:\documents and settings\Owner\PrivacIE
      2010-02-09 23:46 . 2010-02-09 23:44   53248   ----a-w-   c:\windows\system32\palmdevc.dll
      2010-02-09 23:18 . 2010-02-09 23:18   --------   d-sh--w-   c:\documents and settings\Owner\IECompatCache
      2010-02-09 21:09 . 2006-03-27 23:53   167808   ----a-w-   c:\windows\system32\drivers\wg111v2.sys
      2010-02-09 21:09 . 2002-10-02 14:57   13532   ----a-w-   c:\windows\system32\drivers\SjyPkt.sys
      2010-02-09 21:09 . 2010-02-09 21:09   --------   d-----w-   c:\program files\NETGEAR
      2010-02-09 21:09 . 2006-04-11 00:41   200704   ----a-w-   c:\windows\system32\WG1v2Lib.dll
      2010-02-09 21:09 . 2005-12-29 06:16   114688   ----a-r-   c:\windows\system32\EnumDev111.dll
      2010-02-09 21:09 . 2005-04-01 17:43   66048   ----a-w-   c:\windows\system32\drivers\EAPPkt.sys
      2010-02-09 21:09 . 2003-11-18 15:27   155648   ----a-w-   c:\windows\system32\IpLib.dll
      2010-02-09 21:09 . 2010-02-09 21:09   --------   d-----w-   c:\windows\OPTIONS

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-03-04 02:56 . 2008-12-07 03:28   --------   d-----w-   c:\program files\Spybot - Search & Destroy
      2010-03-04 02:55 . 2008-12-07 03:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
      2010-03-02 02:03 . 2008-12-07 03:24   --------   d-----w-   c:\program files\Common Files\Java
      2010-03-02 01:39 . 2008-12-07 03:07   --------   d-----w-   c:\program files\Java
      2010-02-27 02:39 . 2008-12-07 03:15   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
      2010-02-27 02:39 . 2008-12-07 03:15   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
      2010-02-27 02:39 . 2008-12-07 03:15   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
      2010-02-27 02:39 . 2008-12-07 03:15   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
      2010-02-27 02:39 . 2008-12-07 03:14   --------   d-----w-   c:\program files\AVG
      2010-02-20 04:38 . 2008-12-30 07:08   --------   d-----w-   c:\program files\Windows Live
      2010-02-20 04:26 . 2008-12-08 21:36   46648   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-02-19 21:13 . 2008-12-25 18:29   --------   d-----w-   c:\documents and settings\Owner\Application Data\LimeWire
      2010-02-15 20:15 . 2009-06-26 19:50   --------   d-----w-   c:\program files\Canon
      2010-02-12 06:18 . 2009-01-10 17:43   --------   d-----w-   c:\program files\Microsoft Silverlight
      2010-02-11 17:59 . 2008-12-25 18:29   --------   d-----w-   c:\program files\LimeWire
      2010-02-09 23:45 . 2008-12-21 06:32   --------   d-----w-   c:\program files\Palm
      2010-02-09 23:44 . 2008-12-21 06:32   16694   ----a-w-   c:\windows\system32\drivers\PalmUSBD.sys
      2010-02-09 23:27 . 2008-12-07 03:03   --------   d-----w-   c:\program files\Google
      2010-02-09 21:09 . 2008-12-07 02:52   --------   d--h--w-   c:\program files\InstallShield Installation Information
      2010-02-09 21:08 . 2008-12-07 02:52   --------   d-----w-   c:\program files\Common Files\InstallShield
      2010-02-08 05:18 . 2009-12-26 17:37   256   ----a-w-   c:\windows\system32\pool.bin
      2009-12-31 16:50 . 2004-08-04 05:14   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
      2009-12-21 19:14 . 2004-08-04 06:56   916480   ------w-   c:\windows\system32\wininet.dll
      2009-12-17 23:14 . 2008-12-07 03:07   411368   ----a-w-   c:\windows\system32\deploytk.dll
      2009-12-16 18:43 . 2008-12-06 05:58   343040   ----a-w-   c:\windows\system32\mspaint.exe
      2009-12-14 07:08 . 2004-08-04 06:56   33280   ----a-w-   c:\windows\system32\csrsrv.dll
      2009-12-04 18:22 . 2004-08-04 05:15   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
      2009-01-24 17:52 . 2009-01-24 17:52   92609500   ----a-w-   c:\program files\Project_Dalaran_Version_14.exe
      .

      (((((((((((((((((((((((((((((   SnapShot@2010-02-24_05.47.25   )))))))))))))))))))))))))))))))))))))))))
      .
      + 2009-07-12 02:54 . 2009-07-12 02:54   65536              c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
      + 2009-07-12 02:32 . 2009-07-12 02:32   49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
      + 2009-07-12 02:32 . 2009-07-12 02:32   49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
      + 2009-07-12 02:32 . 2009-07-12 02:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
      + 2009-07-12 02:32 . 2009-07-12 02:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
      + 2009-07-12 02:32 . 2009-07-12 02:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
      + 2009-07-12 02:32 . 2009-07-12 02:32   57344              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
      + 2009-07-12 02:32 . 2009-07-12 02:32   65536              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
      + 2009-07-12 02:32 . 2009-07-12 02:32   45056              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
      + 2009-07-12 02:32 . 2009-07-12 02:32   40960              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
      + 2009-07-12 07:07 . 2009-07-12 07:07   57856              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
      + 2009-07-12 07:19 . 2009-07-12 07:19   69632              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
      + 2010-03-04 02:50 . 2010-03-04 02:50   16384              c:\windows\Temp\Perflib_Perfdata_19c.dat
      + 2010-02-24 05:52 . 2010-02-24 05:52   65024              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
      + 2010-02-24 05:52 . 2010-02-24 05:52   18944              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
      + 2010-02-24 05:52 . 2010-02-24 05:52   5120              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
      + 2009-07-12 07:12 . 2009-07-12 07:12   632656              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
      + 2009-07-12 07:09 . 2009-07-12 07:09   554832              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
      + 2009-07-12 07:08 . 2009-07-12 07:08   479232              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
      + 2010-03-02 01:39 . 2009-12-17 23:14   153376              c:\windows\system32\javaws.exe
      + 2010-03-02 01:39 . 2009-12-17 23:14   145184              c:\windows\system32\javaw.exe
      + 2010-03-02 01:39 . 2009-12-17 23:14   145184              c:\windows\system32\java.exe
      + 2010-03-02 02:03 . 2010-03-02 02:03   180224              c:\windows\Installer\ec06f43.msi
      + 2010-02-27 02:39 . 2010-02-27 02:39   424448              c:\windows\Installer\a4bfe1e.msi
      + 2009-07-12 02:46 . 2009-07-12 02:46   1093120              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
      + 2009-07-12 02:46 . 2009-07-12 02:46   1105920              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
      + 2010-02-24 05:52 . 2010-02-24 05:52   1583616              c:\windows\Installer\110e55fe.msi
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
      "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
      "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
      "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
      "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2010-2-9 745472]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
      2010-02-27 02:39   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

      [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
      path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
      backup=c:\windows\pss\LimeWire On Startup.lnkStartup

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzzHPSETUP]
      d:\setup.exe \RESET [X]

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
      2009-02-27 22:10   35696   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
      2009-02-11 13:35   801904   ------w-   c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
      2008-05-28 14:27   570664   ----a-w-   c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
      2008-03-06 22:19   236016   ----a-w-   c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
      2008-12-09 03:47   185872   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
      2008-08-26 16:48   2019624   ----a-w-   c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
      "c:\\Program Files\\LimeWire\\LimeWire.exe"=
      "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
      "c:\\Program Files\\World of Warcraft Trial\\Launcher.exe"=
      "c:\\Program Files\\World of Warcraft Trial\\BackgroundDownloader.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
      "c:\\WINDOWS\\system32\\mmc.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

      R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/6/2008 9:15 PM 333192]
      R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/6/2008 9:15 PM 360584]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
      R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2/26/2010 8:39 PM 906520]
      R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/26/2010 8:39 PM 285392]
      R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2/9/2010 3:09 PM 66048]
      R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/31/2009 5:44 PM 54752]
      R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
      S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
      S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\71.tmp --> c:\windows\system32\71.tmp [?]
      S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [4/30/2009 1:14 AM 18688]
      S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [4/30/2009 1:14 AM 8320]
      S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [4/30/2009 1:14 AM 42112]
      S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2/9/2010 3:09 PM 167808]
      S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2/9/2010 3:09 PM 13532]
      .
      .
      ------- Supplementary Scan -------
      .
      uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
      uStart Page = www.google.com
      uInternet Connection Wizard,ShellNext = iexplore
      uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
      FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2c6h7mlf.default\
      FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
      FF - prefs.js: browser.search.selectedEngine - Google
      FF - prefs.js: browser.startup.homepage - www.google.com
      FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
      FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
      FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

      ---- FIREFOX POLICIES ----
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut. enabled", true);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
      c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
      c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugi n", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
      c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
      .
      - - - - ORPHANS REMOVED - - - -

      WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
      MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
      AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-03-03 21:10
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

      device: opened successfully
      user: MBR read successfully
      called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x89BD18C8]<<
      kernel: MBR read successfully
      detected MBR rootkit hooks:
      \Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
      \Driver\ACPI -> ACPI.sys @ 0xf75aecb8
      \Driver\atapi -> atapi.sys @ 0xf74c9b3a
      IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
       ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
      \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
       ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
      NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf744cbb0
       PacketIndicateHandler -> NDIS.sys @ 0xf7459a21
       SendHandler -> NDIS.sys @ 0xf743787b
      user & kernel MBR OK

      **************************************************************************

      [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
      "ImagePath"="\??\c:\windows\system32\71.tmp"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(656)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      c:\windows\system32\WININET.dll

      - - - - - - - > 'explorer.exe'(1648)
      c:\windows\system32\WININET.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      Completion time: 2010-03-03  21:12:52
      ComboFix-quarantined-files.txt  2010-03-04 03:12
      ComboFix2.txt  2010-02-24 05:50

      Pre-Run: 116,591,640,576 bytes free
      Post-Run: 117,029,257,216 bytes free

      - - End Of File - - A664204F0C1E8BB6A69F06331C74817C

      evilfantasy

      • Malware Removal Specialist


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Browser redirects and possible rootkit
      « Reply #3 on: March 05, 2010, 11:39:02 AM »
      Download TDSSKiller and save it to your desktop.

      * Right-click on the file and choose Extract All, extract the file to your desktop, then run it.
      * Once completed it will create a log in your C:\ drive with a name similar to 'TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt'.
      * Please post the contents of that log.

      Brant Farris


        Re: Browser redirects and possible rootkit
        « Reply #4 on: March 05, 2010, 03:37:05 PM »
        16:32:02:156 1120   TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
        16:32:02:156 1120   ================================================================================
        16:32:02:156 1120   SystemInfo:

        16:32:02:156 1120   OS Version: 5.1.2600 ServicePack: 3.0
        16:32:02:156 1120   Product type: Workstation
        16:32:02:156 1120   ComputerName: COMPUTER2400
        16:32:02:156 1120   UserName: Owner
        16:32:02:156 1120   Windows directory: C:\WINDOWS
        16:32:02:156 1120   Processor architecture: Intel x86
        16:32:02:156 1120   Number of processors: 1
        16:32:02:156 1120   Page size: 0x1000
        16:32:02:171 1120   Boot type: Normal boot
        16:32:02:171 1120   ================================================================================
        16:32:02:171 1120   UnloadDriverW: NtUnloadDriver error 2
        16:32:02:171 1120   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
        16:32:02:203 1120   Initialize success
        16:32:02:218 1120   
        16:32:02:218 1120   Scanning   Services ...
        16:32:02:218 1120   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
        16:32:02:218 1120   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
        16:32:02:218 1120   wfopen_ex: Trying to KLMD file open
        16:32:02:218 1120   wfopen_ex: File opened ok (Flags 2)
        16:32:02:218 1120   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
        16:32:02:218 1120   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
        16:32:02:218 1120   wfopen_ex: Trying to KLMD file open
        16:32:02:218 1120   wfopen_ex: File opened ok (Flags 2)
        16:32:02:609 1120   GetAdvancedServicesInfo: Raw services enum returned 342 services
        16:32:02:609 1120   fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
        16:32:02:609 1120   fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
        16:32:02:609 1120   
        16:32:02:609 1120   Scanning   Kernel memory ...
        16:32:02:609 1120   Devices to scan: 2
        16:32:02:609 1120   
        16:32:02:609 1120   Driver Name: Disk
        16:32:02:609 1120   IRP_MJ_CREATE                      : F763DBB0
        16:32:02:609 1120   IRP_MJ_CREATE_NAMED_PIPE           : 804FA87E
        16:32:02:609 1120   IRP_MJ_CLOSE                       : F763DBB0
        16:32:02:609 1120   IRP_MJ_READ                        : F7637D1F
        16:32:02:609 1120   IRP_MJ_WRITE                       : F7637D1F
        16:32:02:609 1120   IRP_MJ_QUERY_INFORMATION           : 804FA87E
        16:32:02:609 1120   IRP_MJ_SET_INFORMATION             : 804FA87E
        16:32:02:609 1120   IRP_MJ_QUERY_EA                    : 804FA87E
        16:32:02:609 1120   IRP_MJ_SET_EA                      : 804FA87E
        16:32:02:609 1120   IRP_MJ_FLUSH_BUFFERS               : F76382E2
        16:32:02:609 1120   IRP_MJ_QUERY_VOLUME_INFORMATION    : 804FA87E
        16:32:02:609 1120   IRP_MJ_SET_VOLUME_INFORMATION      : 804FA87E
        16:32:02:609 1120   IRP_MJ_DIRECTORY_CONTROL           : 804FA87E
        16:32:02:609 1120   IRP_MJ_FILE_SYSTEM_CONTROL         : 804FA87E
        16:32:02:609 1120   IRP_MJ_DEVICE_CONTROL              : F76383BB
        16:32:02:609 1120   IRP_MJ_INTERNAL_DEVICE_CONTROL     : F763BF28
        16:32:02:609 1120   IRP_MJ_SHUTDOWN                    : F76382E2
        16:32:02:609 1120   IRP_MJ_LOCK_CONTROL                : 804FA87E
        16:32:02:609 1120   IRP_MJ_CLEANUP                     : 804FA87E
        16:32:02:609 1120   IRP_MJ_CREATE_MAILSLOT             : 804FA87E
        16:32:02:609 1120   IRP_MJ_QUERY_SECURITY              : 804FA87E
        16:32:02:609 1120   IRP_MJ_SET_SECURITY                : 804FA87E
        16:32:02:609 1120   IRP_MJ_POWER                       : F7639C82
        16:32:02:609 1120   IRP_MJ_SYSTEM_CONTROL              : F763E99E
        16:32:02:609 1120   IRP_MJ_DEVICE_CHANGE               : 804FA87E
        16:32:02:609 1120   IRP_MJ_QUERY_QUOTA                 : 804FA87E
        16:32:02:609 1120   IRP_MJ_SET_QUOTA                   : 804FA87E
        16:32:02:609 1120   TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
        16:32:02:609 1120   sion
        16:32:02:625 1120   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
        16:32:02:625 1120   
        16:32:02:625 1120   Driver Name: atapi
        16:32:02:625 1120   IRP_MJ_CREATE                      : F74C9B3A
        16:32:02:625 1120   IRP_MJ_CREATE_NAMED_PIPE           : F74C9B3A
        16:32:02:625 1120   IRP_MJ_CLOSE                       : F74C9B3A
        16:32:02:625 1120   IRP_MJ_READ                        : F74C9B3A
        16:32:02:625 1120   IRP_MJ_WRITE                       : F74C9B3A
        16:32:02:625 1120   IRP_MJ_QUERY_INFORMATION           : F74C9B3A
        16:32:02:625 1120   IRP_MJ_SET_INFORMATION             : F74C9B3A
        16:32:02:625 1120   IRP_MJ_QUERY_EA                    : F74C9B3A
        16:32:02:625 1120   IRP_MJ_SET_EA                      : F74C9B3A
        16:32:02:625 1120   IRP_MJ_FLUSH_BUFFERS               : F74C9B3A
        16:32:02:625 1120   IRP_MJ_QUERY_VOLUME_INFORMATION    : F74C9B3A
        16:32:02:625 1120   IRP_MJ_SET_VOLUME_INFORMATION      : F74C9B3A
        16:32:02:625 1120   IRP_MJ_DIRECTORY_CONTROL           : F74C9B3A
        16:32:02:625 1120   IRP_MJ_FILE_SYSTEM_CONTROL         : F74C9B3A
        16:32:02:625 1120   IRP_MJ_DEVICE_CONTROL              : F74C9B3A
        16:32:02:625 1120   IRP_MJ_INTERNAL_DEVICE_CONTROL     : F74C9B3A
        16:32:02:625 1120   IRP_MJ_SHUTDOWN                    : F74C9B3A
        16:32:02:625 1120   IRP_MJ_LOCK_CONTROL                : F74C9B3A
        16:32:02:625 1120   IRP_MJ_CLEANUP                     : F74C9B3A
        16:32:02:625 1120   IRP_MJ_CREATE_MAILSLOT             : F74C9B3A
        16:32:02:625 1120   IRP_MJ_QUERY_SECURITY              : F74C9B3A
        16:32:02:625 1120   IRP_MJ_SET_SECURITY                : F74C9B3A
        16:32:02:625 1120   IRP_MJ_POWER                       : F74C9B3A
        16:32:02:625 1120   IRP_MJ_SYSTEM_CONTROL              : F74C9B3A
        16:32:02:625 1120   IRP_MJ_DEVICE_CHANGE               : F74C9B3A
        16:32:02:625 1120   IRP_MJ_QUERY_QUOTA                 : F74C9B3A
        16:32:02:625 1120   IRP_MJ_SET_QUOTA                   : F74C9B3A
        16:32:02:625 1120   TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
        16:32:02:625 1120   TDL3_IrpHookDetect: New IrpHandler addr: 89BD18C8
        16:32:02:625 1120   ihd: 10, FFDF0308, 510, 134, 3, 120, 0
        16:32:02:625 1120   Driver "atapi" Irp handler infected by TDSS rootkit ... 16:32:02:625 1120   cured
        16:32:02:625 1120   siohd: 0
        16:32:02:640 1120   C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
        16:32:02:640 1120   File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 16:32:02:640 1120   Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
        16:32:02:640 1120   ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
        16:32:02:734 1120   vfvi6
        16:32:02:875 1120   !dsvbh1
        16:32:03:625 1120   dsvbh2
        16:32:03:625 1120   fdfb2
        16:32:03:625 1120   Backup copy found, using it..
        16:32:03:671 1120   will be cured on next reboot
        16:32:03:671 1120   Reboot required for cure complete..
        16:32:03:671 1120   Cure on reboot scheduled successfully
        16:32:03:671 1120   
        16:32:03:671 1120   Completed
        16:32:03:671 1120   
        16:32:03:671 1120   Results:
        16:32:03:671 1120   Memory objects infected / cured / cured on reboot:   1 / 1 / 0
        16:32:03:671 1120   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
        16:32:03:671 1120   File objects infected / cured / cured on reboot:   1 / 0 / 1
        16:32:03:671 1120   
        16:32:03:671 1120   UnloadDriverW: NtUnloadDriver error 1
        16:32:03:671 1120   KLMD_Unload: UnloadDriverW(klmd21) error 1
        16:32:03:687 1120   KLMD(ARK) unloaded successfully

        evilfantasy

        Re: Browser redirects and possible rootkit
        « Reply #5 on: March 05, 2010, 03:44:14 PM »
        Download the latest version of Kaspersky GetSystemInfo (GSI) and save it to your desktop.

        * Close all other applications running on your system.
        * Double click GetSystemInfo.exe to open it.
        * Click the Settings button.
        * Set it to Maximum
        * IMPORTANT! Click Customize - choose Driver / Ports tab and
        * Uncheck Scan Ports.
        * Click Create Report to run it.
        * It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your desktop.

        * Upload the zip folder to the Kaspersky GetSystemInfo (GSI) and click the Submit button.

        Copy and paste the URL (link in the address bar) of the GSI Parser report (not the log) in your next reply.

        Brant Farris

          evilfantasy

          Re: Browser redirects and possible rootkit
          « Reply #7 on: March 06, 2010, 07:30:45 AM »
          Looks okay.

          How is the computer running now?

          Brant Farris


            Re: Browser redirects and possible rootkit
            « Reply #8 on: March 08, 2010, 07:58:03 PM »
            Much better, I appreciate the help more than you know.  I will definitely recommend this site to others.  Thanks so much.

            evilfantasy

            Re: Browser redirects and possible rootkit
            « Reply #9 on: March 08, 2010, 09:55:38 PM »
            You're welcome.


            Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

            * Click START then RUN
            * Now type Combofix /Uninstall in the runbox
            * Make sure there's a space between Combofix and /Uninstall
            * Then hit Enter.

            The above procedure will:
            * Delete: ComboFix and its associated files and folders.
            * Reset the clock settings.
            * Hide file extensions, if required.
            * Hide System/Hidden files, if required.
            * Set a new, clean Restore Point.

            ----------

            Clean out your temporary internet files and temp files.

            Download TFC by OldTimer to your desktop.

            Double-click TFC.exe to run it.

            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

            TFC will close all programs when run, so make sure you have saved all your work before you begin.

            * Click the Start button to begin the cleaning process.
            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
            * Please let TFC run uninterrupted until it is finished.

            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

            ----------

            Use the Secunia Software Inspector to check for out of date software.

            * Click Start Scanner
            * Check the box next to Enable thorough system inspection.
            * Click Start
            * Allow the scan to finish and scroll down to see if any updates are needed.
            * Update anything listed.

            ----------

            Go to Microsoft Windows Update and get all critical updates.

            ----------

            If you are using or have installed IE6, you are using an outdated and soon-to-be-unsupported version of Internet Explorer, and I strongly suggest you update to the latest version directly from Microsoft: Internet Explorer 8 home page.

            ----------

            I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection, so they will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

            I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

            SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
            * Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.