TechSpot

Chrome and IE search page links redirect

By snoobler
Feb 26, 2011
  1. This started a couple days ago with both IE and Chrome. Searching at Google, lycos, altavista, etc. produces a series of relevant links; however, when clicked I am redirected to random sites for cheap airfare, etc. I can usually get a successful link click ONCE after a reboot.

    Clicking the search button on Wikipedia results in an immediate redirect.

    Redirects seem to involve a delay of several seconds vs. opening a typed page almost immediately.

    Links on techspot pages leading to software downloads are not redirected.

    Prior to this post I tried troubleshooting myself which included running Hijackthis, Avast, MBAM, superantispyware and combofix. It seemed to run successfully, but the issue remained. I punted and did a system restore back to 2/24 and am deferring to the experts here. All logs supplied are POST restore, so my previous efforts have hopefully been wiped out, and you are starting fresh.

    Lastly, seeing that another user suffered from a router hijack, I checked my DNS settings, and they are as expected from my ISP. Additionally, of the five computers serviced by the router, the issue exists on only the one.

    Step 1: Avast Home 6.0.1000 with 110226-0 definitions indicated no infections.

    Step 2: TFC completed normally.

    Step 3: MBAM indicates no infections:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5884

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    2/26/2011 10:06:23 AM
    mbam-log-2011-02-26 (10-06-23).txt

    Scan type: Quick scan
    Objects scanned: 203916
    Time elapsed: 3 minute(s), 37 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Step 4: GMER log:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-26 10:11:22
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18 WDC_WD5000AAKB-00H8A0 rev.05.04E05
    Running: l96qigpz.exe; Driver: h:\temp\uxtdypod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAB8AC026]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAB8ABE91]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAB9418DE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdePort0 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
    Device \Driver\atapi \Device\Ide\IdePort1 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
    Device \Driver\viamraid \Device\Scsi\viamraid1 8A5CDE30
    Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target2Lun0 8A5CDE30
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 89F5D6F8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 89F5D6F8
    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Ntfs \Ntfs 8A5CD8C0

    AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
    Device \FileSystem\Fastfat \Fat 8A1330E8

    AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----

    Step 5: DDS (NOTE that dds.scr would simply open in notepad. I appended ".exe", and it ran normally.)

    DDS.TXT:


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Steve at 10:14:33.29 on Sat 02/26/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1365 [GMT -7:00]

    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    H:\WINDOWS\system32\Ati2evxx.exe
    H:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    H:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    H:\WINDOWS\system32\spoolsv.exe
    H:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    H:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    H:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    I:\Program Files\Java\jre6\bin\jqs.exe
    H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    H:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
    H:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
    H:\WINDOWS\System32\svchost.exe -k imgsvc
    H:\Program Files\UGS\UGSLicensing\lmgrd.exe
    H:\Program Files\VIA\RAID\vialogsv.exe
    H:\Program Files\UGS\UGSLicensing\lmgrd.exe
    H:\WINDOWS\Explorer.EXE
    H:\Program Files\UGS\UGSLicensing\ugslmd.exe
    H:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
    H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    H:\Program Files\VIA\RAID\raid_tool.exe
    H:\Program Files\Alwil Software\Avast5\avastUI.exe
    H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    H:\WINDOWS\system32\ctfmon.exe
    H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    H:\WINDOWS\System32\svchost.exe -k HTTPFilter
    H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    H:\WINDOWS\system32\wscntfy.exe
    H:\WINDOWS\system32\rundll32.exe
    H:\WINDOWS\system32\mmc.exe
    H:\Documents and Settings\Deb\Desktop\dds.scr.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - i:\progra~1\spybot~1\SDHelper.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
    uRun: [H/PC Connection Agent] "h:\program files\microsoft activesync\WCESCOMM.EXE"
    uRun: [PeerBlock] h:\program files\peerblock\peerblock.exe
    uRun: [SUPERAntiSpyware] h:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [Google Update] "h:\documents and settings\deb\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [EVEMon] "i:\program files\evemon\EVEMon.exe" -startMinimized
    uRun: [Skype] "h:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [VIARaidUtl] h:\program files\via\raid\raid_tool.exe
    mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
    mRun: [avast!] h:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [AMD_Display] h:\program files\amd\amd power monitor\AMD_PwrMon.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [StartCCC] "h:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [avast] "h:\program files\alwil software\avast5\avastUI.exe" /nogui
    StartupFolder: h:\docume~1\alluse~1.win\startm~1\programs\startup\timexd~1.lnk - h:\program files\timex\data link usb\DataLinkLauncher.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - h:\program files\microsoft activesync\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - h:\program files\microsoft activesync\INetRepl.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - i:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: intuit.com\ttlc
    DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
    DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
    Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - h:\program files\microsoft activesync\aatp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\common~1\skype\SKYPE4~1.DLL
    Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\dap\dapie.dll
    Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\dap\dapie.dll
    WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
    WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
    WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
    WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
    WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - h:\program files\microsoft activesync\CENetFlt.dll
    WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - h:\program files\microsoft activesync\CENetFlt.dll
    Notify: !SASWinLogon - h:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - e:\program files\qualcomm\eudora\EuShlExt.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\program files\superantispyware\SASSEH.DLL
    LSA: Authentication Packages = msv1_0 relog_ap
    Hosts: 127.0.0.1 www.avast.com
    Hosts: 127.0.0.1 www.avg.com
    Hosts: 127.0.0.1 www.bitdefender.com
    Hosts: 127.0.0.1 www.eset.com
    Hosts: 127.0.0.1 www.f-secure.com

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ============= SERVICES / DRIVERS ===============

    R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2011-2-26 371544]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [2010-8-2 301528]
    R1 SASDIFSV;SASDIFSV;h:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;h:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [2010-8-2 19544]
    R2 avast! Antivirus;avast! Antivirus;h:\program files\alwil software\avast5\AvastSvc.exe [2010-8-2 42184]
    R2 MotoConnect Service;MotoConnect Service;h:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-27 91392]
    R2 RUBotted;Trend Micro RUBotted Service;h:\program files\trend micro\rubotted\TMRUBotted.exe [2010-2-24 582992]
    R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\ugs\ugslicensing\lmgrd.exe [2008-4-22 1372160]
    R2 VRAID Log Service;VRAID Log Service;h:\program files\via\raid\vialogsv.exe [2009-5-20 52888]
    R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [2009-5-20 34304]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [2009-5-20 38656]
    R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2010-2-24 206608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);h:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
    S2 TTDec;ATI WDM Teletext Decoder;h:\windows\system32\drivers\atinttxx.sys --> h:\windows\system32\drivers\ATINTTXX.sys [?]
    S3 Amazon Download Agent;Amazon Download Agent;h:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-4-12 319488]
    S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [2010-6-27 25856]
    S3 cpuz132;cpuz132;h:\windows\system32\drivers\cpuz132_x32.sys [2009-6-16 12672]
    S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [2010-8-15 13192]
    S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [2010-8-15 8456]
    S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [2007-12-28 46080]
    S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [2010-6-27 42752]
    S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [2007-4-4 21376]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2010-2-24 206608]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== File Associations ===============

    .scr=AutoCADScriptFile

    =============== Created Last 30 ================

    2099-07-09 05:22:02 -------- d-----w- h:\program files\common files\Insight Software Solutions
    2099-07-09 05:22:01 -------- d-----w- h:\program files\Macro Express3
    2020-11-03 13:37:15 -------- d-----w- h:\program files\SlySoft
    2011-02-26 17:14:32 98816 ----a-w- h:\temp\3a.tmp\SED.DAT
    2011-02-26 17:14:32 89088 ----a-w- h:\temp\3a.tmp\MBR.DAT
    2011-02-26 17:14:32 518144 ----a-w- h:\temp\3a.tmp\SWREG.DAT
    2011-02-26 17:14:32 256512 ----a-w- h:\temp\3a.tmp\PEV.DAT
    2011-02-26 16:59:17 355056 ----a-w- h:\temp\SSUPDATE.EXE
    2011-02-26 16:14:51 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
    2011-02-26 15:52:21 -------- d-----w- h:\windows\system32\wbem\repository\FS
    2011-02-26 15:52:21 -------- d-----w- h:\windows\system32\wbem\Repository
    2011-02-26 15:50:25 -------- d-----w- h:\program files\EVE Metrics Uploader
    2011-02-26 15:50:19 -------- d-sh--w- H:\$RECYCLE.BIN
    2011-02-25 04:37:44 -------- d-----w- h:\docume~1\deb\applic~1\Malwarebytes
    2011-02-25 04:26:34 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-25 04:26:32 -------- d-----w- h:\docume~1\alluse~1.win\applic~1\Malwarebytes
    2011-02-25 04:26:28 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
    2011-02-25 04:26:28 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
    2011-02-18 07:02:21 -------- d-----w- H:\AutoCad
    2011-02-10 01:10:54 1716297 ----a-w- h:\windows\system32\InetClnt.dll
    2011-01-31 04:58:00 -------- d-----w- h:\program files\Rhinoceros 4.0

    ==================== Find3M ====================

    2011-02-23 15:04:21 40648 ----a-w- h:\windows\avastSS.scr
    2011-01-21 14:44:37 439296 ----a-w- h:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- h:\windows\system32\atmfd.dll
    2011-01-05 03:13:02 57344 ----a-w- h:\windows\system32\aticalrt.dll
    2011-01-05 03:12:52 53248 ----a-w- h:\windows\system32\aticalcl.dll
    2011-01-05 03:11:42 4489216 ----a-w- h:\windows\system32\aticaldd.dll
    2011-01-05 03:11:14 17084416 ----a-w- h:\windows\system32\atioglxx.dll
    2011-01-05 03:00:30 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
    2011-01-05 02:59:24 302080 ----a-w- h:\windows\system32\ati2dvag.dll
    2011-01-05 02:53:36 311296 ----a-w- h:\windows\system32\atiiiexx.dll
    2011-01-05 02:53:16 4021984 ----a-w- h:\windows\system32\ati3duag.dll
    2011-01-05 02:46:12 1112576 ----a-w- h:\windows\system32\ativvamv.dll
    2011-01-05 02:39:46 212992 ----a-w- h:\windows\system32\atipdlxx.dll
    2011-01-05 02:39:32 155648 ----a-w- h:\windows\system32\Oemdspif.dll
    2011-01-05 02:39:22 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
    2011-01-05 02:39:14 43520 ----a-w- h:\windows\system32\ati2edxx.dll
    2011-01-05 02:39:02 188416 ----a-w- h:\windows\system32\ati2evxx.dll
    2011-01-05 02:37:32 638976 ----a-w- h:\windows\system32\ati2evxx.exe
    2011-01-05 02:36:54 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
    2011-01-05 02:36:00 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
    2011-01-05 02:35:12 143360 ----a-w- h:\windows\system32\atiapfxx.exe
    2011-01-05 02:31:10 651264 ----a-w- h:\windows\system32\atikvmag.dll
    2011-01-05 02:29:18 196608 ----a-w- h:\windows\system32\atiadlxx.dll
    2011-01-05 02:28:52 17408 ----a-w- h:\windows\system32\atitvo32.dll
    2011-01-05 02:28:18 471040 ----a-w- h:\windows\system32\atiok3x2.dll
    2011-01-05 02:22:50 851968 ----a-w- h:\windows\system32\ati2cqag.dll
    2011-01-05 02:20:56 64512 ----a-w- h:\windows\system32\atimpc32.dll
    2011-01-05 02:20:56 64512 ----a-w- h:\windows\system32\amdpcom32.dll
    2010-12-31 13:10:33 1854976 ----a-w- h:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- h:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- h:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- h:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ------w- h:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- h:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- h:\windows\system32\html.iec
    2010-12-09 15:15:09 718336 ----a-w- h:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 ----a-w- h:\windows\system32\csrsrv.dll
    2010-12-09 13:42:26 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:07 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
    2010-12-07 19:14:06 51200 ----a-w- h:\windows\system32\OpenCL.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD5000AAKB-00H8A0 rev.05.04E05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe >>UNKNOWN [0x8A5CDB78]<<
    _asm { MOV EAX, 0x8a5cda98; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a5d0c94; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A51F670]
    \Driver\Disk[0x8A537A08] -> IRP_MJ_CREATE -> 0x8A5CDB78
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    detected hooks:
    \Driver\Disk -> 0x8a5cdb78
    user & kernel MBR OK
    Warning: possible MBR rootkit infection !

    ============= FINISH: 10:15:35.23 ===============

    ATTACH.EXE


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/28/2008 9:10:16 PM
    System Uptime: 2/26/2011 9:56:59 AM (1 hours ago)

    Motherboard: ASUSTeK Computer INC. | | M2V-X
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | SOCKET AM2 | 2999/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (FAT32) - 60 GiB total, 11.498 GiB free.
    D: is FIXED (NTFS) - 20 GiB total, 7.445 GiB free.
    E: is FIXED (NTFS) - 20 GiB total, 15.776 GiB free.
    F: is CDROM ()
    G: is CDROM ()
    H: is FIXED (NTFS) - 360 GiB total, 188.616 GiB free.
    I: is FIXED (NTFS) - 26 GiB total, 15.648 GiB free.
    J: is CDROM ()
    M: is FIXED (NTFS) - 213 GiB total, 14.871 GiB free.
    P: is FIXED (NTFS) - 149 GiB total, 0.368 GiB free.
    T: is NetworkDisk (NTFS) - 292 GiB total, 43.171 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: ACPI\AWY0001\2&DABA3FF&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\AWY0001\2&DABA3FF&0
    Service:

    ==== System Restore Points ===================

    RP1: 2/24/2011 9:43:15 PM - System Checkpoint
    RP2: 2/25/2011 7:01:25 AM - Installed HiJackThis
    RP3: 2/26/2011 8:34:02 AM - Restore Operation
    RP4: 2/26/2011 8:48:57 AM - Restore Operation

    ==== Hosts File Hijack ======================

    Hosts: 127.0.0.1 www.avast.com
    Hosts: 127.0.0.1 www.avg.com
    Hosts: 127.0.0.1 www.bitdefender.com
    Hosts: 127.0.0.1 www.eset.com
    Hosts: 127.0.0.1 www.f-secure.com
    Hosts: 127.0.0.1 www.grisoft.com
    Hosts: 127.0.0.1 www.kaspersky.com
    Hosts: 127.0.0.1 www.mcafee.com
    Hosts: 127.0.0.1 www.microsoft.com
    Hosts: 127.0.0.1 www.pandasecurity.com
    Hosts: 127.0.0.1 www.sophos.com
    Hosts: 127.0.0.1 www.symantec.com
    Hosts: 127.0.0.1 www.trendmicro.com
    Hosts: 127.0.0.1 www.viruslist.com
    Hosts: 127.0.0.1 www.virustotal.com

    ==== Installed Programs ======================


    µTorrent
    7-Zip 4.65
    AC-3 ACM Codec
    Acronis*True*Image*WD*Edition
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.6
    Amazon Games & Software Downloader
    AMD CPUInfo
    AMD Power Monitor
    AMD Processor Driver
    Apple Software Update
    ASUS Wireless Router WL-520GC Utilities
    ASUSUpdate
    ATI Catalyst Install Manager
    ATI Stream SDK v2 Developer
    Attansic Giga Ethernet Utility
    Attansic L1 Gigabit Ethernet Driver
    Auto Gordian Knot 2.55
    AutoCAD 2002
    AutoHotkey 1.0.48.03
    AutoUpdate
    avast! Free Antivirus
    AviSynth 2.5
    AVS Update Manager 1.0
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.3
    BitPim 1.0.7
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    ccc-core-static
    ccc-utility
    CCC Help English
    CCleaner
    CloneDVD2
    Combined Community Codec Pack 2008-09-21 16:18
    Compatibility Pack for the 2007 Office system
    Contribtastic 2.0-alpha
    Cool & Quiet
    CPUID HWMonitor 1.15
    DAO
    Data Lifeguard Diagnostic for Windows
    Data Lifeguard Tools
    Defraggler
    DIKO 2.47
    DivX
    Download Accelerator Plus (DAP)
    Driver Sweeper 1.5.5
    Dual-Core Optimizer
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    DVDFab 6.2.1.8 (31/12/2009)
    DVDFab 7.0.9.3 (08/08/2010)
    DVDFab 8.0.3.2 (30/10/2010)
    DWGeditor
    EASEUS Partition Master 6.1.1 Home Edition
    eDrawings 2006
    EVE Metrics Uploader
    EVE Online (remove only)
    EveHQ
    EVEMon
    ffdshow [rev 3154] [2009-12-09]
    Fomine WinPopup 1.5
    Free Video to iPod Converter version 3.1
    FreeRIP v3.30
    Google Chrome
    Google Earth
    Google Update Helper
    H-BOT EVE-Pilot
    HandBrake 0.9.5
    HiJackThis
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP USB Disk Storage Format Tool
    IrfanView (remove only)
    IsoBuster 2.3
    Java(TM) 6 Update 17
    LimeWire 5.5.8
    Logitech QuickCam for Enterprise
    Logitech QuickCam for Enterprise Driver Package
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft ActiveSync 3.7
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office 2000 Premium
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 8.0 Support DLLs
    Motorola Driver Installation 4.2.0
    MP3 Tester Demo
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero - Burning Rom
    NVTweak
    PC Probe II
    PDFCreator
    PeerBlock 1.1 (r518)
    Platform
    PowerDVD
    QuickTime
    RAD Video Tools
    Realtek High Definition Audio Driver
    Recuva
    Rhinoceros 3.0
    Rhinoceros 3.0 SR3c
    Rhinoceros 4.0 SR6
    Rhinoceros 4.0 SR8
    RSDLite
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    sentinelsystemdriver
    SightSpeed
    Skype Toolbars
    Skype™ 5.0
    SolidWorks 2006 SP0
    SolidWorks eDrawings 2011
    Speccy
    Spelling Dictionaries Support For Adobe Reader 8
    Spybot - Search & Destroy
    SUPERAntiSpyware
    System Requirements Lab
    The Lord of the Rings FREE Trial
    thinkorswim
    thinkorswim from TD AMERITRADE
    Timex Data Link USB
    Trend Micro RUBotted
    TurboTax 2008
    TurboTax 2008 waziper
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 waziper
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax 2010
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wrapper
    Tweakui Powertoy for Windows XP
    UGS NX 6.0
    UGSLicensing
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Ventrilo Client
    VIA Platform Device Manager
    Videora iPod Converter 5.04
    VNC Free Edition 4.1.2
    VobSub v2.23 (Remove Only)
    WebFldrs XP
    Wii Video 9 6
    Winamp
    Winamp Detector Plug-in
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Player 9 Series TweakMP PowerToy
    Windows Support Tools
    WinFF 1.1
    WinRAR archiver
    WinZip
    XviD MPEG4 Video Codec (remove only)
    YouTube Downloader App 3.00

    ==== Event Viewer Messages From Past Week ========

    2/26/2011 9:55:03 AM, error: Service Control Manager [7034] - The UGS License Server (ugslmd) service terminated unexpectedly. It has done this 1 time(s).
    2/26/2011 9:55:03 AM, error: Service Control Manager [7034] - The Trend Micro RUBotted Service service terminated unexpectedly. It has done this 1 time(s).
    2/26/2011 9:55:03 AM, error: Service Control Manager [7031] - The MotoConnect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
    2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The LVCOMSer service terminated unexpectedly. It has done this 1 time(s).
    2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
    2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Acronis Scheduler2 Service service terminated unexpectedly. It has done this 1 time(s).
    2/26/2011 8:59:46 AM, error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
    2/26/2011 8:48:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK8 AsIO aswRdr aswSnx aswSP aswTdi ElbyCDIO Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip V2IMount
    2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    2/25/2011 7:58:18 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
    2/25/2011 7:15:43 AM, error: Service Control Manager [7034] - The VRAID Log Service service terminated unexpectedly. It has done this 1 time(s).
    2/25/2011 12:53:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: viaagp1 ViaIde
    2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The Specialized PCD WDM VBI Codec service failed to start due to the following error: The system cannot find the file specified.
    2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI WDM Teletext Decoder service failed to start due to the following error: The system cannot find the file specified.
    2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder Video Crossbar service failed to start due to the following error: The system cannot find the file specified.
    2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder TV Tuner service failed to start due to the following error: The system cannot find the file specified.
    2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder Audio Crossbar service failed to start due to the following error: The system cannot find the file specified.
    2/25/2011 1:23:23 AM, error: Service Control Manager [7001] - The Network DDE service depends on the Network DDE DSDM service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    2/25/2011 1:23:23 AM, error: Service Control Manager [7000] - The ATI TV Wonder Video Capture service failed to start due to the following error: The system cannot find the file specified.
    2/24/2011 9:04:54 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    2/24/2011 2:41:59 PM, error: TermDD [50] - The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
    2/22/2011 6:00:59 AM, error: sptd [4] - Driver detected an internal error in its data structures for .
    2/21/2011 4:26:00 PM, error: TermServDevices [1111] - Driver hp LaserJet 3015 PCL 6 required for printer !!FRONTDESK!hp LaserJet 3015 PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
    2/21/2011 4:25:58 PM, error: TermServDevices [1111] - Driver HP Designjet 500PS 24 by HP required for printer HP 500 is unknown. Contact the administrator to install the driver before you log in again.
    2/21/2011 4:25:58 PM, error: TermServDevices [1111] - Driver Canon MF5700 Series (FAX) required for printer FAX (Canon) is unknown. Contact the administrator to install the driver before you log in again.
    2/21/2011 4:25:50 PM, error: TermServDevices [1111] - Driver Canon MF5700 Series required for printer Canon Laser is unknown. Contact the administrator to install the driver before you log in again.

    ==== End Of File ===========================
     
  2. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    reply for instant notification test ... please ignore
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36


    Welcome to TechSpot! I'll be glad to help with the redirect problem. Thank you for giving such a good description of the problem as well as noting these are new logs! This helps me help you. It appears that you may have a rootkit on the MBR, so we will start with that:

    Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A small window should open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

    I will finish checking these logs while you run that scan. I may have you do a DNS Flush on the one system- but don't do it yet.
    Important!
    Now that I have these new logs, please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  4. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    EDIT: In my haste to supply the information, I failed to thank you for your prompt response, so THANKS! MBRCheck completed without indicating any problems on-screen.

    ----------------
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000893fd

    Kernel Drivers (total 151):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9ED6000 sptd.sys
    0xBA5AA000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xB9EBE000 \WINDOWS\System32\Drivers\SPTD2797.SYS
    0xB9E90000 ACPI.sys
    0xB9E7F000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\System32\DRIVERS\BATTC.SYS
    0xBA5AC000 viaide.sys
    0xBA328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xBA0B8000 MountMgr.sys
    0xB9E60000 ftdisk.sys
    0xBA5AE000 dmload.sys
    0xB9E3A000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA338000 videX32.sys
    0xBA0C8000 VolSnap.sys
    0xB9E22000 atapi.sys
    0xB9E05000 viamraid.sys
    0xB9DED000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xB9DCD000 fltmgr.sys
    0xB9DBB000 sr.sys
    0xBA0F8000 PxHelp20.sys
    0xB9DA5000 SymSnap.sys
    0xB9D8E000 KSecDD.sys
    0xB9D01000 Ntfs.sys
    0xB9CD4000 NDIS.sys
    0xB9C69000 timntr.sys
    0xBA340000 viaagp1.sys
    0xB9C10000 tdrpman.sys
    0xB9BF1000 snapman.sys
    0xB9BD7000 Mup.sys
    0xB89AA000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xB83E3000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xB83CF000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB83A7000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xBA148000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xBA158000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xB8384000 \SystemRoot\System32\DRIVERS\ks.sys
    0xBA168000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xBA408000 \SystemRoot\System32\DRIVERS\usbuhci.sys
    0xB8360000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xBA5D4000 \SystemRoot\System32\Drivers\vulfnth.sys
    0xBA410000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xBA418000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xB834C000 \SystemRoot\System32\DRIVERS\parport.sys
    0xBA5D6000 \SystemRoot\system32\DRIVERS\ASACPI.sys
    0xBA178000 \SystemRoot\System32\DRIVERS\serial.sys
    0xB9A9B000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xBA188000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xBA420000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xBA428000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xB8302000 \SystemRoot\System32\Drivers\dtscsi.sys
    0xBA764000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xBA1E8000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xB9A8F000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB8290000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xBA1F8000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xBA208000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xBA438000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB827F000 \SystemRoot\System32\DRIVERS\psched.sys
    0xBA218000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xBA440000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xBA448000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xBA228000 \SystemRoot\System32\Drivers\pcouffin.sys
    0xB824F000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xBA238000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xBA5EC000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB81C9000 \SystemRoot\System32\DRIVERS\update.sys
    0xB9A73000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xBA248000 \SystemRoot\system32\DRIVERS\AmdLLD.sys
    0xBA258000 \SystemRoot\system32\DRIVERS\AmdTools.sys
    0xB8198000 \SystemRoot\system32\DRIVERS\TMPassthru.sys
    0xBA268000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xAC134000 \SystemRoot\system32\drivers\AtiHdmi.sys
    0xAC110000 \SystemRoot\system32\drivers\portcls.sys
    0xBA2A8000 \SystemRoot\system32\drivers\drmk.sys
    0xABCA4000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB9AA7000 \SystemRoot\System32\Drivers\vulfntr.sys
    0xBA2C8000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xBA5FC000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xBA460000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xBA5FE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA6AB000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA600000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA470000 \SystemRoot\System32\drivers\vga.sys
    0xBA602000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA604000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA478000 \SystemRoot\System32\DRIVERS\usbprint.sys
    0xBA480000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA488000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB823F000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xABBE1000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xABB88000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xBA2E8000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xABAC2000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xABA9A000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xBA2F8000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xBA490000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xABA78000 \SystemRoot\System32\drivers\afd.sys
    0xBA308000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xBA138000 \SystemRoot\System32\Drivers\V2IMount.SYS
    0xABA06000 \??\H:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xBA498000 \??\H:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xAB9DB000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xAB96B000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xB8A2A000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB8A1A000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
    0xAB923000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xAB8FF000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xAB879000 \SystemRoot\System32\Drivers\aswSnx.SYS
    0xBA606000 \SystemRoot\system32\drivers\AsIO.sys
    0xBA4A8000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xABA4C000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA4B0000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA78A000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF060000 \SystemRoot\System32\ati2cqag.dll
    0xBF130000 \SystemRoot\System32\atikvmag.dll
    0xBF1DF000 \SystemRoot\System32\atiok3x2.dll
    0xBF256000 \SystemRoot\System32\ati3duag.dll
    0xBF9C5000 \SystemRoot\System32\ativvaxx.dll
    0xBF62C000 \SystemRoot\System32\ATMFD.DLL
    0xA8D5A000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xABB48000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
    0xA8D06000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xA8B83000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA8886000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xBA66C000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xA884C000 \SystemRoot\System32\Drivers\SENTINEL.SYS
    0xA88F3000 \SystemRoot\System32\Drivers\Aspi32.SYS
    0xA86DC000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA8963000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA84BF000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA87DC000 \SystemRoot\system32\drivers\sysaudio.sys
    0xBA3B0000 \SystemRoot\System32\Drivers\TDTCP.SYS
    0xA7E88000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0xA7D7F000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA8C62000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
    0xA75C2000 \??\h:\temp\uxtdypod.sys
    0xA7768000 \SystemRoot\system32\DRIVERS\atl01_xp.sys
    0xBA3F0000 \??\h:\temp\mbr.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 54):
    0 System Idle Process
    4 System
    1380 H:\WINDOWS\system32\smss.exe
    1436 csrss.exe
    1468 H:\WINDOWS\system32\winlogon.exe
    1528 H:\WINDOWS\system32\services.exe
    1540 H:\WINDOWS\system32\lsass.exe
    1732 H:\WINDOWS\system32\ati2evxx.exe
    1748 H:\WINDOWS\system32\svchost.exe
    1812 svchost.exe
    1932 H:\WINDOWS\system32\svchost.exe
    552 svchost.exe
    644 H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1036 H:\WINDOWS\system32\spoolsv.exe
    1180 H:\WINDOWS\system32\ati2evxx.exe
    1776 svchost.exe
    1908 H:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    2052 H:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    2132 I:\Program Files\Java\jre6\bin\jqs.exe
    2172 H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    2280 H:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
    2340 H:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
    2528 H:\WINDOWS\system32\svchost.exe
    2552 H:\Program Files\UGS\UGSLicensing\lmgrd.exe
    2604 wdfmgr.exe
    2624 H:\Program Files\VIA\RAID\vialogsv.exe
    2648 H:\Program Files\UGS\UGSLicensing\lmgrd.exe
    2908 H:\WINDOWS\explorer.exe
    3004 H:\Program Files\UGS\UGSLicensing\ugslmd.exe
    3264 H:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
    3556 wmiprvse.exe
    3652 H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    3748 alg.exe
    976 H:\Program Files\VIA\RAID\raid_tool.exe
    2216 H:\Program Files\Alwil Software\Avast5\AvastUI.exe
    2224 H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    2244 H:\WINDOWS\system32\ctfmon.exe
    2412 H:\Program Files\Microsoft ActiveSync\wcescomm.exe
    3452 H:\WINDOWS\system32\svchost.exe
    1348 H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    5848 H:\WINDOWS\system32\mmc.exe
    4224 H:\WINDOWS\system32\cmd.exe
    2828 H:\WINDOWS\system32\ping.exe
    2736 svchost.exe
    2152 H:\WINDOWS\system32\wscntfy.exe
    3036 H:\WINDOWS\notepad.exe
    3040 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    4884 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    1112 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    4832 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    4216 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    916 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    2872 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    588 H:\Documents and Settings\Deb\Desktop\MBRCheck .exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x0000000f`003f3000 (NTFS)
    \\.\H: --> \\.\PhysicalDrive0 at offset 0x00000014`00541600 (NTFS)
    \\.\I: --> \\.\PhysicalDrive0 at offset 0x0000006e`00d13e00 (NTFS)
    \\.\M: --> \\.\PhysicalDrive1 at offset 0x00000004`e22d6a00 (NTFS)
    \\.\P: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD5000AAKB-00H8A0, Rev: 05.04E05
    PhysicalDrive1 Model Number: WDCWD2500JB-00REA0, Rev: 20.00K20
    PhysicalDrive2 Model Number: VIASATA RAID 1, Rev:

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
    232 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    149 GB \\.\PhysicalDrive2 Legit MBR code detected
    SHA1: 317A49A9E93F077F2D004734D2A7B6CA7E7B9495


    Done!
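    MBRCheck reads the first sector of each physical drive, hashes it and matches the boot code against images it knows; "Windows 7 MBR code", "Windows XP MBR code" and "Legit MBR code" above are all the benign outcome, and only an unknown boot code triggers the prompt described in the instructions. As an added example (Python, not MBRCheck's own code) here is the same check written out: parse a 512-byte MBR, hash the 440-byte boot-code region, walk the partition table and compare against an allow-list. The sample sector and the allow-list entry are constructed for the example, so the hash is not a real Windows boot-code hash; the partition in it starts at LBA 63, which is exactly the `0x7e00` byte offset the log shows for C: (63 × 512). `read_mbr` opens a raw device and needs administrator (or root) rights; it is not called at import.

```python
"""Parse a 512-byte MBR and classify its boot code by hash, the check the
MBRCheck log above performs. Added example, not MBRCheck's own code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439: boot code (what a bootkit replaces)
DISK_SIG_OFFSET = 440         # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split one sector into boot code, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_LEN]
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        if ptype == 0:            # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                      # 0x07 = NTFS/exFAT, 0x0B/0x0C = FAT32
            "lba_start": lba,
            "sectors": count,
            "byte_offset": lba * SECTOR_SIZE,   # the "at offset" value MBRCheck prints
        })
    return {
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "disk_signature": disk_sig,
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def classify(sector: bytes, known_boot_code: dict) -> str:
    """Allow-list check: known boot code is the benign case, anything else
    needs a closer look (the situation where MBRCheck offers further options)."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid: 0x55AA boot signature missing"
    name = known_boot_code.get(info["boot_code_sha1"])
    if name:
        return f"known boot code: {name}"
    return "unknown boot code: hash not in allow-list, inspect further"


def read_mbr(device: str) -> bytes:
    r"""Read the first sector of a raw device, e.g. r'\\.\PhysicalDrive0' on
    Windows (administrator rights) or '/dev/sda' on Linux (root)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed sample sector (not a real Windows MBR): a few bytes of a boot
# stub padded to 440 bytes, a disk signature, one bootable NTFS partition
# starting at LBA 63, three empty entries and the 0x55AA signature.
SAMPLE_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xeb\xfe".ljust(BOOT_CODE_LEN, b"\x00")
SAMPLE_MBR = (
    SAMPLE_BOOT_CODE
    + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    + struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_097_152)
    + b"\x00" * 48
    + BOOT_SIGNATURE
)
assert len(SAMPLE_MBR) == SECTOR_SIZE

# Assumed allow-list keyed by boot-code SHA-1. A real one is built from clean
# installs; this single entry is the hash of the constructed stub above.
KNOWN_BOOT_CODE = {
    hashlib.sha1(SAMPLE_BOOT_CODE).hexdigest().upper(): "constructed sample stub",
}

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} at offset 0x{p['byte_offset']:x}")
    print(classify(SAMPLE_MBR, KNOWN_BOOT_CODE))
```

    Hashing only the first 440 bytes, rather than the whole sector as the log's SHA1 lines do, keeps the comparison stable across disks whose partition tables and disk signatures differ; a bootkit that patches the boot code changes that hash, one that only repoints a partition entry does not, which is why the partition list is reported alongside it.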
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You can then go ahead and run the online Eset virus scan. Let's see if it finds the Win32/Fruspam.E (AKA W32.Ackantta@mm (Symantec), Mal/CryptBox-A (Sophos)) worm that has hijacked the hosts file:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then press Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  6. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    Avast shields disabled until next boot.

    As I prefer Chrome (IE/Flash on this machine tend to be very unstable and crash prone - the primary reason for the use of Chrome on this machine), I downloaded the "esetsmartinstaller_enu.exe" file to my desktop and ran it with the options you indicated; however, as it's scanning all drives in the system, it may take a few hours.

    Upon completion, I will send the output of ESET.

    In the interim, I'm supplying the following information below. I hope this doesn't violate the "no extra scanning/cleaning" guidelines you give in your first post, but since I'm making no changes, I don't believe I violated that.

    I don't know if it's relevant, but I did check my hosts file and found it odd that there were so many entries; however, that may have been from a previous infection as the creation date of the hosts file is 3/28/08 with a modified of 4/14/08.

    I didn't see it posted in the logs supplied thus far, but if relevant, this is the contents of the hosts file in its entirety:

    127.0.0.1 localhost
    127.0.0.1 82.165.237.14
    127.0.0.1 82.165.250.33
    127.0.0.1 akamai.avg.com
    127.0.0.1 antivir.es
    127.0.0.1 anti-virus.by
    127.0.0.1 avast.com
    127.0.0.1 avg.com
    127.0.0.1 avp.com
    127.0.0.1 avp.ru
    127.0.0.1 avp.ru/download/
    127.0.0.1 avpg.crsi.symantec.com
    127.0.0.1 backup.avg.cz
    127.0.0.1 bancoguayaquil.com
    127.0.0.1 bcpzonasegura.viabcp.com
    127.0.0.1 bitdefender.com
    127.0.0.1 clamav.net
    127.0.0.1 comodo.com
    127.0.0.1 customer.symantec.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 download.microsoft.com
    127.0.0.1 downloads.microsoft.com
    127.0.0.1 downloads1.kaspersky-labs.com
    127.0.0.1 downloads1.kaspersky-labs.com/products/
    127.0.0.1 downloads1.kaspersky-labs.com/updates/
    127.0.0.1 downloads2.kaspersky-labs.com
    127.0.0.1 downloads2.kaspersky-labs.com/products/
    127.0.0.1 downloads2.kaspersky-labs.com/updates/
    127.0.0.1 downloads3.kaspersky-labs.com
    127.0.0.1 downloads3.kaspersky-labs.com/products/
    127.0.0.1 downloads3.kaspersky-labs.com/updates/
    127.0.0.1 downloads4.kaspersky-labs.com
    127.0.0.1 downloads4.kaspersky-labs.com/products/
    127.0.0.1 downloads4.kaspersky-labs.com/updates/
    127.0.0.1 downloads5.kaspersky-labs.com
    127.0.0.1 downloads5.kaspersky-labs.com/products/
    127.0.0.1 downloads5.kaspersky-labs.com/updates/
    127.0.0.1 drweb.com
    127.0.0.1 emsisoft.com
    127.0.0.1 eset.com
    127.0.0.1 eset.com/
    127.0.0.1 eset.com/download/index.php
    127.0.0.1 eset.com/joomla/
    127.0.0.1 eset.com/products/index.php
    127.0.0.1 eset.es
    127.0.0.1 fortinet.com
    127.0.0.1 f-prot.com
    127.0.0.1 f-secure.com
    127.0.0.1 gdata.es
    127.0.0.1 go.microsoft.com
    127.0.0.1 hacksoft.com.pe
    127.0.0.1 ikarus.at
    127.0.0.1 kaspersky.com
    127.0.0.1 kaspersky.ru
    127.0.0.1 kaspersky-labs.com
    127.0.0.1 liveupdate.symantec.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 macafee.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 microsoft.com
    127.0.0.1 msdn.microsoft.com
    127.0.0.1 my-etrust.com
    127.0.0.1 networkassociates.com
    127.0.0.1 nod32.com
    127.0.0.1 norman.com
    127.0.0.1 norton.com
    127.0.0.1 nprotect.com
    127.0.0.1 pandasecurity.com
    127.0.0.1 pandasoftware.com
    127.0.0.1 pctools.com
    127.0.0.1 pif.symantec.com
    127.0.0.1 pifmain.symantec.com
    127.0.0.1 rads.mcafee.com
    127.0.0.1 rising-global.com
    127.0.0.1 scanner.novirusthanks.org
    127.0.0.1 secure.nai.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 service1.symantec.com
    127.0.0.1 sophos.com
    127.0.0.1 sunbeltsoftware.com
    127.0.0.1 support.microsoft.com
    127.0.0.1 symantec.com
    127.0.0.1 symantec.com/updates
    127.0.0.1 threatexpert.com
    127.0.0.1 trendmicro.com
    127.0.0.1 u2.eset.com
    127.0.0.1 u20.eset.com
    127.0.0.1 u3.eset.com
    127.0.0.1 u3.eset.com/
    127.0.0.1 u4.eset.com
    127.0.0.1 u4.eset.com/
    127.0.0.1 u7.eset.com
    127.0.0.1 update.avg.com
    127.0.0.1 update.microsoft.com
    127.0.0.1 update.symantec.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 updates1.kaspersky-labs.com
    127.0.0.1 updates2.kaspersky-labs.com
    127.0.0.1 updates3.kaspersky-labs.com
    127.0.0.1 us.mcafee.com
    127.0.0.1 viabcp.com
    127.0.0.1 virscan.org
    127.0.0.1 virusbuster.hu
    127.0.0.1 viruslist.com
    127.0.0.1 viruslist.ru
    127.0.0.1 virusscan.jotti.org
    127.0.0.1 virustotal.com
    127.0.0.1 windowsupdate.microsoft.com
    127.0.0.1 www.ahnlab.com
    127.0.0.1 www.aladdin.com
    127.0.0.1 www.antivir.es
    127.0.0.1 www.antiy.net
    127.0.0.1 www.authentium.com
    127.0.0.1 www.avast.com
    127.0.0.1 www.avg.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.avp.ru
    127.0.0.1 www.avp.ru/download/
    127.0.0.1 www.bitdefender.com
    127.0.0.1 www.clamav.net
    127.0.0.1 www.comodo.com
    127.0.0.1 www.download.mcafee.com
    127.0.0.1 www.drweb.com
    127.0.0.1 www.emsisoft.com
    127.0.0.1 www.eset.com
    127.0.0.1 www.eset.com/
    127.0.0.1 www.eset.com/download/index.php
    127.0.0.1 www.eset.com/joomla/
    127.0.0.1 www.eset.com/products/index.php
    127.0.0.1 www.fortinet.com
    127.0.0.1 www.f-prot.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 www.gdata.es
    127.0.0.1 www.grisoft.com
    127.0.0.1 www.ikarus.at
    127.0.0.1 www.kaspersky.com
    127.0.0.1 www.kaspersky.ru
    127.0.0.1 www.kaspersky-labs.com
    127.0.0.1 www.macafee.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 www.microsoft.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 www.nod32.com
    127.0.0.1 www.norman.com
    127.0.0.1 www.norton.com
    127.0.0.1 www.nprotect.com
    127.0.0.1 www.pandasecurity.com
    127.0.0.1 www.pandasoftware.com
    127.0.0.1 www.pctools.com
    127.0.0.1 www.rising-global.com
    127.0.0.1 www.scanner.novirusthanks.org
    127.0.0.1 www.sophos.com
    127.0.0.1 www.sunbeltsoftware.com
    127.0.0.1 www.symantec.com
    127.0.0.1 www.symantec.com/updates
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.virscan.org
    127.0.0.1 www.viruslist.com
    127.0.0.1 www.viruslist.ru
    127.0.0.1 www.virusscan.jotti.org
    127.0.0.1 www.virustotal.com
    127.0.0.1 www.windowsupdate.microsoft.com
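    The file above is the classic hosts-file hijack: every antivirus vendor, online scanner and Microsoft update hostname is mapped to 127.0.0.1, so the machine can resolve them but silently connects to itself. The two IP-literal lines and the lines with a URL path in the hostname field (`avp.ru/download/`) can never match anything and are simply fingerprints of the pasted block list. Note what a hosts file cannot do: it maps fixed names to addresses, so it explains blocked vendor and update sites, not the redirect of arbitrary search-result links, which points at something resident on the machine. As an added example (Python, not the poster's file or any vendor tool), here is an auditor that parses a hosts file, flags these three patterns and produces an in-memory copy with the flagged lines removed. The excerpt is constructed in the shape of the file above, and the keyword watch-list is an assumption drawn from the domains in it, not an official list.

```python
"""Audit a Windows hosts file for Qhost-style entries. Added example, not
the poster's file or any vendor tool."""
import ipaddress

# Constructed excerpt in the shape of the file posted above; the first line
# is the only entry a default Windows XP hosts file contains.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 82.165.237.14
127.0.0.1\tavast.com
127.0.0.1 avp.ru/download/
127.0.0.1 update.microsoft.com   # inline comment
# full comment line
0.0.0.0 www.virustotal.com
192.168.1.10 printer.local
"""

LEGITIMATE_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed watch-list of substrings for AV vendor, update and online-scanner
# hostnames, drawn from the posted file; not an official list. Substring
# matching is deliberately loose, so review hits by hand.
SECURITY_KEYWORDS = (
    "avast", "avg", "avp", "kaspersky", "symantec", "norton", "mcafee",
    "eset", "nod32", "microsoft", "windowsupdate", "virustotal", "jotti",
    "trendmicro", "sophos", "bitdefender", "f-secure", "f-prot", "drweb",
    "panda", "emsisoft", "clamav", "comodo", "malwarebytes", "threatexpert",
)


def parse_hosts(text: str):
    """Yield (line_number, address, [hostnames]) for each mapping line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full and inline comments
        fields = line.split()                  # spaces and tabs both separate
        if len(fields) >= 2:
            yield lineno, fields[0], fields[1:]


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_sinkhole(address: str) -> bool:
    """127.x / ::1 / 0.0.0.0 targets silently black-hole the name."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> list:
    """Return one finding per suspicious (line, hostname) pair."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname in LEGITIMATE_NAMES:
                continue
            if _is_ip(lname):
                reason = "IP literal in the hostname field (meaningless entry, a dropper fingerprint)"
            elif "/" in lname:
                reason = "URL path in the hostname field (can never match, a pasted block-list fingerprint)"
            elif any(k in lname for k in SECURITY_KEYWORDS):
                if _is_sinkhole(address):
                    reason = f"security/update domain sinkholed to {address}"
                else:
                    reason = f"security/update domain pointed at {address} (possible pharming)"
            else:
                continue
            findings.append({"line": lineno, "address": address, "host": name, "reason": reason})
    return findings


def rebuild_hosts(text: str) -> str:
    """In-memory copy of the file with every flagged line dropped; comments
    and unflagged mappings are kept. Nothing is written to disk."""
    bad_lines = {f["line"] for f in audit_hosts(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['address']} {f['host']} -> {f['reason']}")
    print("--- rebuilt ---")
    print(rebuild_hosts(SAMPLE_HOSTS), end="")
```

    On Windows the file lives at `%SystemRoot%\system32\drivers\etc\hosts`; the DNS Client service caches it, so after any change to it a DNS flush (`ipconfig /flushdns`) is needed before name resolution reflects the edit. The rebuild function only returns text, in keeping with the helper's request above not to make changes until directed.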
     
  7. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    At around the 90% mark with the downloaded version, the system locked up. I bit the bullet and used the Active X version from IE 8. Avast shields disabled prior to run.

    Four items identified. Log as follows:

    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=9e79442f8cc1f34781344975555be3a0
    # end=stopped
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-26 10:51:45
    # local_time=2011-02-26 03:51:45 (-0700, US Mountain Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 30819859 30819859 0 0
    # compatibility_mode=768 16777215 100 0 30810311 30810311 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=871
    # found=0
    # cleaned=0
    # scan_time=18
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=9e79442f8cc1f34781344975555be3a0
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-26 11:35:55
    # local_time=2011-02-26 04:35:55 (-0700, US Mountain Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 30819945 30819945 0 0
    # compatibility_mode=768 16777215 100 0 30810397 30810397 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=149446
    # found=4
    # cleaned=0
    # scan_time=2581
    H:\Documents and Settings\Deb\My Documents\Downloads\MGtools.exe probably a variant of Win32/TrojanDropper.Agent.FPPWZRZ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\WINDOWS\system32\k.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
    H:\WINDOWS\system32\drivers\etc\Copy of hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
    H:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
     
  8. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    An update for Avast came in this morning. I scanned the k.dll file reported by ESET, and it identified a threat with a similar designation, Win32:Bamital-AV [Trj].

    A new update for MBAM was obtained, and it did not identify a threat.

    I took no action.

    EDIT: There has been a small change in behavior. Site redirects are happening less frequently; however, search engine results navigation clicks take much longer to load the page (whether correct or redirected) than loading a page from a shortcut or direct typing.
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, hopefully you have everything in now:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      H:\Documents and Settings\Deb\My Documents\Downloads\MGtools.exe 
      H:\WINDOWS\system32\k.dll 
      H:\WINDOWS\system32\drivers\etc\Copy of hosts 
      H:\WINDOWS\system32\drivers\etc\hosts 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ========================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    h:\windows\system32\drivers\atinttxx.sys
    DDS::
    uInternet Connection Wizard,ShellNext = iexplore
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    Hosts: 127.0.0.1 www.avast.com
    Hosts: 127.0.0.1 www.avg.com
    Hosts: 127.0.0.1 www.bitdefender.com
    Hosts: 127.0.0.1 www.eset.com
    Hosts: 127.0.0.1 www.f-secure.com
    Hosts: 127.0.0.1 www.grisoft.com
    Hosts: 127.0.0.1 www.kaspersky.com
    Hosts: 127.0.0.1 www.mcafee.com
    Hosts: 127.0.0.1 www.microsoft.com
    Hosts: 127.0.0.1 www.pandasecurity.com
    Hosts: 127.0.0.1 www.sophos.com
    Hosts: 127.0.0.1 www.symantec.com
    Hosts: 127.0.0.1 www.trendmicro.com
    Hosts: 127.0.0.1 www.viruslist.com
    Hosts: 127.0.0.1 www.virustotal.com
    Driver::
    TTDec
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Hosts file: changed by Win32/Fruspam.E, which also creates a mutex called "Tsek3r1W" to ensure that only one instance of itself is running in memory.

    P2P or 'file sharing' Warning:
    uTorrent and LimeWire
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    ==========================================
    Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
    ==========================================
    Regarding Host files:
    Hijack was noted in DDS log. Reference was made to running Eset to see if it would find a possible cause.
     
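    The hosts-file hijack noted above (security-vendor and update domains pinned to 127.0.0.1, which ESET flagged as Win32/Qhost) can be checked for mechanically. The following is an added example, not code from this thread or from any of the tools it mentions; the vendor domain list and the sample hosts file are constructed from the entries quoted in the thread, and it also accepts the `Hosts:` prefixed lines as they appear in a DDS log.

```python
"""Flag hosts-file entries that redirect security-vendor or update domains.

Added example for the Win32/Qhost hosts hijack discussed in this thread.
Not part of the original post or of ComboFix/DDS/ESET; the domain list and
the sample file below are constructed from the entries the thread quotes.
"""
import ipaddress
from dataclasses import dataclass

# Domains the thread's DDS log showed pinned to 127.0.0.1 (constructed list).
VENDOR_DOMAINS = {
    "www.avast.com", "www.avg.com", "www.bitdefender.com", "www.eset.com",
    "www.f-secure.com", "www.grisoft.com", "www.kaspersky.com", "www.mcafee.com",
    "www.microsoft.com", "www.pandasecurity.com", "www.sophos.com",
    "www.symantec.com", "www.trendmicro.com", "www.viruslist.com",
    "www.virustotal.com", "www.windowsupdate.microsoft.com",
}
# Names that legitimately map to loopback in a default hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def _base(domain):
    """'www.avast.com' -> 'avast.com' so sub-domains of a vendor match too."""
    return domain[4:] if domain.startswith("www.") else domain


VENDOR_BASES = {_base(d) for d in VENDOR_DOMAINS}


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    severity: str   # "high", "medium" or "info"
    reason: str


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for each active hosts entry."""
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # strip comments
        if line.startswith("Hosts:"):             # DDS-log style line
            line = line[len("Hosts:"):].strip()
        parts = line.split()
        if len(parts) >= 2:
            yield n, parts[0], parts[1:]


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def is_vendor_host(hostname):
    h = hostname.lower().rstrip(".")
    return any(h == b or h.endswith("." + b) for b in VENDOR_BASES)


def check_hosts(text):
    """Return a Finding for every entry that deserves a look, in file order."""
    findings = []
    for n, addr, names in parse_hosts(text):
        for name in names:
            if is_vendor_host(name):
                findings.append(Finding(n, addr, name, "high",
                                        "security/update domain redirected (Qhost pattern)"))
            elif is_loopback(addr) and name.lower() not in LOOPBACK_NAMES:
                findings.append(Finding(n, addr, name, "medium",
                                        "non-localhost name pinned to loopback"))
            elif not is_loopback(addr):
                findings.append(Finding(n, addr, name, "info",
                                        "name resolves to a fixed address, bypassing DNS"))
    return findings


def summarize(findings):
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample modelled on the hosts entries quoted in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.avast.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.windowsupdate.microsoft.com
127.0.0.1 update.microsoft.com
127.0.0.1 ads.example.net        # ad-blocking style entry, not a vendor
192.168.1.10    fileserver.lan   # legitimate intranet entry
"""

if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: [{f.severity}] {f.address} {f.hostname}: {f.reason}")
    print(summarize(check_hosts(SAMPLE_HOSTS)))
```

On a live XP box the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; a default file has only the localhost lines, so any "high" finding is a strong hijack indicator.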
  10. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    Sorry for the delay. Your post caught me en route from work to home. It took a while to run the indicated steps, and I've been having connection issues with TechSpot (ping indicates notable and inconsistent packet loss).

    ========================================================

    OTM ran seemingly without incident, and it required a reboot.

    ========================================================

    CFScript.txt seemed to work. I dragged and dropped it onto the existing Combofix on my desktop (you did not indicate to download a fresh copy). When Combofix ran, it announced an update, I updated and Combofix restarted. It continued until it announced a reboot was necessary and that I should not attempt to restart manually.

    I waited approximately 20 minutes after the screen appeared. Hard drive activity was negligible with a very dim flicker no more frequent than about once per ten seconds.

    I attempted a manual reboot. No response.
    I attempted h:\windows\shutdown.exe -t 0. No response.
    ctrl-alt-del functionality was gone, but I could still run cmd.exe from Start->Run.

    I restarted the computer with a press of the reset button.

    Combofix ran upon restart, and it generated a log. That log is attached below.

    ========================================================

    Thank you for the cautions concerning p2p sharing. I am aware of them; however, even the best of us suffer from the careless click from time to time. At least that's what I tell myself when I'm trying to fall asleep at night.

    ========================================================

    Java 6 update 17 uninstalled.

    Java 6 update 24 installed.

    ========================================================

    My comments concerning the host file were more aimed at the fact that the logs reported thus far indicated a much shorter list.

    I believe I have executed all requested actions and supplied all requested logs.

    THERE IS NO IMPROVEMENT IN THE SITUATION. REDIRECTS STILL OCCUR, AND ARE RELATIVELY SLOW TO CONNECT.

    Since the c:\windows\system32\k.dll file was identified by ESET as a virus (and now Avast), I right-click scanned k.dll by itself from windows explorer, and it still reports the same virus. I took no action.

    Thanks for all your help so far!

    ========================================================

    ComboFix 11-02-28.02 - Steve 02/28/2011 19:57:00.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1548 [GMT -7:00]
    Running from: h:\documents and settings\Deb\Desktop\ComboFix.exe
    Command switches used :: h:\documents and settings\Deb\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "h:\windows\system32\drivers\atinttxx.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of h:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - h:\windows\system32\winlogon.ex_

    h:\windows\explorer.exe . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TTDEC
    -------\Service_TTDec


    ((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
    .

    2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
    2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
    2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
    2011-03-01 03:29 . 2010-06-29 17:48 355056 ----a-w- h:\temp\SSUPDATE.EXE
    2011-03-01 01:42 . 2011-03-01 01:42 -------- d-----w- H:\_OTM
    2011-02-28 15:29 . 2008-04-14 12:42 3584 ----a-w- h:\windows\system32\k.dll
    2011-02-27 23:35 . 2008-04-14 00:12 507904 ----a-w- h:\windows\system32\winlogon.ex_
    2011-02-27 23:35 . 2008-04-14 00:12 1033728 ----a-w- h:\windows\explorer.ex_
    2011-02-27 19:19 . 2011-02-27 19:19 33019 ----a-w- h:\windows\system32\CoreAAC-uninstall.exe
    2011-02-27 19:18 . 2009-08-12 04:18 497664 ----a-w- h:\windows\system32\ac3filter.acm
    2011-02-27 18:32 . 2011-02-27 20:28 -------- d-----w- H:\Temple
    2011-02-27 18:29 . 2011-02-27 18:42 -------- d-----w- h:\program files\Avi2Dvd
    2011-02-27 16:02 . 2011-02-27 16:02 -------- d-----w- H:\MGtools
    2011-02-26 19:30 . 2011-02-26 19:30 -------- d-----w- h:\program files\ESET
    2011-02-26 16:14 . 2011-02-23 14:56 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
    2011-02-26 15:52 . 2011-02-26 15:52 -------- d-----w- h:\windows\system32\wbem\Repository
    2011-02-26 15:50 . 2011-02-26 15:50 -------- d-----w- h:\program files\EVE Metrics Uploader
    2011-02-25 07:53 . 2011-02-25 07:53 -------- d-----w- h:\documents and settings\LocalService.NT AUTHORITY\IETldCache
    2011-02-25 04:37 . 2011-02-25 04:37 -------- d-----w- h:\documents and settings\Deb\Application Data\Malwarebytes
    2011-02-25 04:26 . 2010-12-21 01:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-25 04:26 . 2011-02-25 04:26 -------- d-----w- h:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2011-02-25 04:26 . 2011-02-26 16:12 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
    2011-02-25 04:26 . 2010-12-21 01:08 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
    2011-02-19 13:01 . 2011-02-19 13:01 -------- d-----w- h:\program files\Microsoft.NET
    2011-02-18 07:02 . 2011-02-18 07:02 -------- d-----w- H:\AutoCad
    2011-02-10 01:10 . 2011-02-10 01:10 1716297 ----a-w- h:\windows\system32\InetClnt.dll
    2011-01-31 04:58 . 2011-01-31 04:58 -------- d-----w- h:\program files\Rhinoceros 4.0

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-27 16:02 . 2011-02-27 16:02 33949 ----a-w- H:\MGlogs.zip
    2011-02-23 15:04 . 2010-08-02 15:01 40648 ----a-w- h:\windows\avastSS.scr
    2011-02-23 15:04 . 2010-08-02 15:01 190016 ----a-w- h:\windows\system32\aswBoot.exe
    2011-02-23 14:56 . 2010-08-02 15:02 301528 ----a-w- h:\windows\system32\drivers\aswSP.sys
    2011-02-23 14:55 . 2010-08-02 15:02 49240 ----a-w- h:\windows\system32\drivers\aswTdi.sys
    2011-02-23 14:55 . 2010-08-02 15:02 102232 ----a-w- h:\windows\system32\drivers\aswmon2.sys
    2011-02-23 14:55 . 2010-08-02 15:02 96344 ----a-w- h:\windows\system32\drivers\aswmon.sys
    2011-02-23 14:55 . 2010-08-02 15:02 25432 ----a-w- h:\windows\system32\drivers\aswRdr.sys
    2011-02-23 14:54 . 2010-08-02 15:02 30680 ----a-w- h:\windows\system32\drivers\aavmker4.sys
    2011-02-23 14:54 . 2010-08-02 15:02 19544 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
    2011-02-10 01:10 . 2011-02-10 01:10 12 ----a-w- h:\windows\Fonts\wfonts.key
    2011-01-21 14:44 . 2008-03-29 04:35 439296 ----a-w- h:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-03-28 09:10 290048 ----a-w- h:\windows\system32\atmfd.dll
    2011-01-05 03:34 . 2009-03-16 21:33 5656576 ----a-w- h:\windows\system32\drivers\ati2mtag.sys
    2011-01-05 03:13 . 2009-03-16 19:35 57344 ----a-w- h:\windows\system32\aticalrt.dll
    2011-01-05 03:12 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\aticalcl.dll
    2011-01-05 03:11 . 2009-03-16 19:33 4489216 ----a-w- h:\windows\system32\aticaldd.dll
    2011-01-05 03:11 . 2009-03-16 20:04 17084416 ----a-w- h:\windows\system32\atioglxx.dll
    2011-01-05 03:00 . 2009-03-16 20:27 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
    2011-01-05 02:59 . 2009-03-16 20:26 302080 ----a-w- h:\windows\system32\ati2dvag.dll
    2011-01-05 02:53 . 2009-03-16 20:17 311296 ----a-w- h:\windows\system32\atiiiexx.dll
    2011-01-05 02:53 . 2009-03-16 20:06 4021984 ----a-w- h:\windows\system32\ati3duag.dll
    2011-01-05 02:46 . 2011-01-27 04:52 1112576 ----a-w- h:\windows\system32\ativvamv.dll
    2011-01-05 02:39 . 2009-03-16 20:17 212992 ----a-w- h:\windows\system32\atipdlxx.dll
    2011-01-05 02:39 . 2009-03-16 20:16 155648 ----a-w- h:\windows\system32\Oemdspif.dll
    2011-01-05 02:39 . 2009-03-16 20:16 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
    2011-01-05 02:39 . 2009-03-16 20:16 43520 ----a-w- h:\windows\system32\ati2edxx.dll
    2011-01-05 02:39 . 2009-03-16 20:16 188416 ----a-w- h:\windows\system32\ati2evxx.dll
    2011-01-05 02:37 . 2009-03-16 20:15 638976 ----a-w- h:\windows\system32\ati2evxx.exe
    2011-01-05 02:36 . 2009-03-16 19:53 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
    2011-01-05 02:36 . 2009-03-16 20:13 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
    2011-01-05 02:35 . 2010-04-10 04:02 143360 ----a-w- h:\windows\system32\atiapfxx.exe
    2011-01-05 02:31 . 2009-03-16 19:36 651264 ----a-w- h:\windows\system32\atikvmag.dll
    2011-01-05 02:29 . 2009-03-16 19:35 196608 ----a-w- h:\windows\system32\atiadlxx.dll
    2011-01-05 02:28 . 2009-03-16 19:34 17408 ----a-w- h:\windows\system32\atitvo32.dll
    2011-01-05 02:28 . 2009-03-16 19:35 471040 ----a-w- h:\windows\system32\atiok3x2.dll
    2011-01-05 02:22 . 2009-03-16 19:28 851968 ----a-w- h:\windows\system32\ati2cqag.dll
    2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\atimpc32.dll
    2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\amdpcom32.dll
    2011-01-05 02:19 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\drivers\ati2erec.dll
    2010-12-31 13:10 . 2008-03-28 09:11 1854976 ----a-w- h:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-03-29 04:36 301568 ----a-w- h:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-03-29 04:35 916480 ----a-w- h:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-03-29 04:36 1469440 ------w- h:\windows\system32\inetcpl.cpl
    2010-12-20 23:59 . 2008-03-29 04:36 43520 ----a-w- h:\windows\system32\licmgr10.dll
    2010-12-20 17:26 . 2008-03-28 09:10 730112 ----a-w- h:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-03-29 05:44 385024 ----a-w- h:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-03-28 09:10 718336 ----a-w- h:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-03-28 09:10 33280 ----a-w- h:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-03-28 09:10 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2001-08-17 13:48 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
    2010-12-07 19:14 . 2010-12-07 19:14 51200 ----a-w- h:\windows\system32\OpenCL.dll
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . 82753CED43E9FB7CA8E81F2089FFF07B . 507904 . . [5.1.2600.5512] . . h:\windows\system32\winlogon.exe

    [-] 2008-04-14 . E99BE788FBEE60C53F47F1F8CEA2C926 . 1033728 . . [6.00.2900.5512] . . h:\windows\explorer.exe
    [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-02-28_01.11.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-03-29 04:35 . 2008-04-14 12:42 65024 h:\windows\system32\dllcache\shimeng.dll
    + 2008-03-28 09:11 . 2008-04-14 12:42 64000 h:\windows\system32\dllcache\samlib.dll
    + 2008-03-29 04:35 . 2009-10-12 13:38 79872 h:\windows\system32\dllcache\raschap.dll
    - 2009-10-12 13:38 . 2009-10-12 13:38 79872 h:\windows\system32\dllcache\raschap.dll
    + 2008-05-15 13:27 . 2008-04-14 12:42 76800 h:\windows\system32\dllcache\qutil.dll
    + 2008-03-28 09:11 . 2008-04-14 12:42 34304 h:\windows\system32\dllcache\pstorsvc.dll
    + 2008-03-28 09:11 . 2008-04-14 07:26 69120 h:\windows\system32\dllcache\psched.sys
    + 2008-03-29 04:35 . 2008-04-14 12:42 96768 h:\windows\system32\dllcache\psbase.dll
    + 2008-03-29 04:35 . 2008-04-14 12:42 23040 h:\windows\system32\dllcache\psapi.dll
    + 2008-03-28 09:11 . 2008-04-14 12:42 27648 h:\windows\system32\dllcache\profmap.dll
    + 2001-08-17 13:48 . 2008-04-14 07:01 35840 h:\windows\system32\dllcache\processr.sys
    + 2008-03-28 09:11 . 2008-04-14 12:42 17408 h:\windows\system32\dllcache\powrprof.dll
    - 2009-03-08 11:31 . 2009-03-08 11:31 46592 h:\windows\system32\dllcache\pngfilt.dll
    + 2008-03-29 04:35 . 2009-03-08 11:31 46592 h:\windows\system32\dllcache\pngfilt.dll
    + 2001-08-17 22:36 . 2008-04-14 12:42 15360 h:\windows\system32\dllcache\pjlmon.dll
    + 2008-03-28 09:11 . 2008-04-14 12:42 25088 h:\windows\system32\dllcache\perfos.dll
    + 2008-03-28 09:11 . 2008-04-14 12:42 26624 h:\windows\system32\dllcache\perfdisk.dll
    + 2001-08-17 13:51 . 2008-04-14 07:10 24960 h:\windows\system32\dllcache\pciidex.sys
    + 2001-08-17 13:58 . 2008-04-14 07:06 68224 h:\windows\system32\dllcache\pci.sys
    + 2008-03-29 04:36 . 2008-04-14 12:42 38400 h:\windows\system32\dllcache\pchsvc.dll
    + 2008-03-28 09:10 . 2008-04-14 07:10 19712 h:\windows\system32\dllcache\partmgr.sys
    + 2001-08-17 13:50 . 2008-04-14 07:10 80128 h:\windows\system32\dllcache\parport.sys
    + 2001-08-17 13:48 . 2008-04-14 07:01 42752 h:\windows\system32\dllcache\p3.sys
    + 2008-03-28 09:11 . 2008-04-14 12:42 67584 h:\windows\system32\dllcache\osuninst.dll
    + 2008-03-28 09:10 . 2008-04-14 12:42 84992 h:\windows\system32\dllcache\olepro32.dll
    + 2008-03-28 09:10 . 2008-04-14 12:42 37376 h:\windows\system32\dllcache\olecnv32.dll
    + 2008-03-28 09:10 . 2008-04-14 12:42 74752 h:\windows\system32\dllcache\olecli32.dll
    + 2008-03-28 09:10 . 2008-04-14 05:56 94208 h:\windows\system32\dllcache\odbcint.dll
    + 2008-03-28 09:10 . 2008-04-14 07:26 88320 h:\windows\system32\dllcache\nwlnkipx.sys
    + 2008-03-29 04:35 . 2008-04-14 12:42 44032 h:\windows\system32\dllcache\ntlanman.dll
    + 2008-03-28 09:10 . 2008-04-14 12:42 67072 h:\windows\system32\dllcache\ntdsapi.dll
    + 2008-03-28 09:10 . 2008-04-14 07:02 30848 h:\windows\system32\dllcache\npfs.sys
    + 2008-03-28 09:10 . 2008-04-14 07:23 40320 h:\windows\system32\dllcache\nmnt.sys
    + 2001-08-17 13:24 . 2001-08-23 05:00 12032 h:\windows\system32\dllcache\nikedrv.sys
    + 2001-08-17 13:46 . 2008-04-14 07:21 61824 h:\windows\system32\dllcache\nic1394.sys
    + 2008-03-28 09:10 . 2008-04-14 12:42 80896 h:\windows\system32\dllcache\netui0.dll
    + 2008-03-28 09:10 . 2008-04-14 12:42 11776 h:\windows\system32\dllcache\netrap.dll
    + 2008-03-28 09:10 . 2008-04-14 07:26 34688 h:\windows\system32\dllcache\netbios.sys
    + 2008-03-28 09:10 . 2010-11-02 15:17 40960 h:\windows\system32\dllcache\ndproxy.sys
    - 2010-12-16 01:12 . 2010-11-02 15:17 40960 h:\windows\system32\dllcache\ndproxy.sys
    + 2008-03-28 09:10 . 2008-04-14 07:50 91520 h:\windows\system32\dllcache\ndiswan.sys
    + 2001-08-17 13:53 . 2008-04-14 07:26 14592 h:\windows\system32\dllcache\ndisuio.sys
    + 2008-03-28 09:10 . 2008-04-14 07:27 10112 h:\windows\system32\dllcache\ndistapi.sys
    + 2008-10-10 06:23 . 2008-04-14 07:16 10880 h:\windows\system32\dllcache\ndisip.sys
    + 2008-03-28 09:10 . 2008-04-14 12:42 17920 h:\windows\system32\dllcache\nddeapi.dll
    + 2008-03-29 04:36 . 2008-04-14 12:42 47104 h:\windows\system32\dllcache\ncprov.dll
    + 2008-03-29 04:35 . 2008-04-14 12:42 36352 h:\windows\system32\dllcache\ncobjapi.dll
    + 2008-10-10 06:23 . 2008-04-14 07:16 85248 h:\windows\system32\dllcache\nabtsfec.sys
    + 2008-03-29 04:36 . 2008-04-14 07:13 12672 h:\windows\system32\dllcache\mutohpen.sys
    - 2008-06-12 14:23 . 2008-06-12 14:23 66560 h:\windows\system32\dllcache\mtxclu.dll
    + 2008-03-28 09:10 . 2008-06-12 14:23 66560 h:\windows\system32\dllcache\mtxclu.dll
    + 2008-03-29 05:44 . 2008-04-14 07:06 15488 h:\windows\system32\dllcache\mssmbios.sys
    + 2008-03-28 09:10 . 2008-04-14 04:53 48128 h:\windows\system32\dllcache\msprivs.dll
    + 2008-03-28 09:10 . 2008-04-14 12:42 29696 h:\windows\system32\dllcache\mspatcha.dll
    + 2008-03-28 09:10 . 2008-04-14 07:26 35072 h:\windows\system32\dllcache\msgpc.sys
    + 2008-03-28 09:10 . 2008-04-14 07:02 19072 h:\windows\system32\dllcache\msfs.sys
    + 2008-03-28 09:10 . 2008-04-14 12:42 14336 h:\windows\system32\dllcache\msdmo.dll
    - 2008-06-24 16:43 . 2008-06-24 16:43 74240 h:\windows\system32\dllcache\mscms.dll
    + 2008-03-29 04:35 . 2008-06-24 16:43 74240 h:\windows\system32\dllcache\mscms.dll
    - 2009-09-04 21:03 . 2009-09-04 21:03 58880 h:\windows\system32\dllcache\msasn1.dll
    + 2008-03-28 09:10 . 2009-09-04 21:03 58880 h:\windows\system32\dllcache\msasn1.dll
    + 2008-03-28 09:10 . 2008-04-14 12:42 71680 h:\windows\system32\dllcache\msacm32.dll
    + 2008-03-29 04:36 . 2008-04-14 07:09 92544 h:\windows\system32\dllcache\mqac.sys
    + 2008-03-28 09:10 . 2008-04-14 12:41 87040 h:\windows\system32\dllcache\mprapi.dll
    + 2008-03-28 09:10 . 2008-04-14 12:41 59904 h:\windows\system32\dllcache\mpr.dll
    + 2008-03-28 09:10 . 2008-04-14 07:09 42368 h:\windows\system32\dllcache\mountmgr.sys
    + 2001-08-17 13:47 . 2008-04-14 07:09 23040 h:\windows\system32\dllcache\mouclass.sys
    + 2001-08-17 13:57 . 2008-04-14 07:30 30080 h:\windows\system32\dllcache\modem.sys
    + 2008-03-28 09:10 . 2008-04-14 12:41 18944 h:\windows\system32\dllcache\midimap.dll
    + 2001-08-17 13:58 . 2008-04-14 07:06 63744 h:\windows\system32\dllcache\mf.sys
    + 2008-03-28 09:10 . 2008-04-14 12:42 13312 h:\windows\system32\dllcache\lsass.exe
    + 2008-03-28 09:10 . 2008-04-14 12:41 13824 h:\windows\system32\dllcache\lmhsvc.dll
    + 2008-03-28 09:10 . 2008-04-14 12:41 19968 h:\windows\system32\dllcache\linkinfo.dll
    + 2001-08-17 13:47 . 2008-04-14 07:09 24576 h:\windows\system32\dllcache\kbdclass.sys
    + 2008-03-28 09:10 . 2010-12-20 23:59 25600 h:\windows\system32\dllcache\jsproxy.dll
    - 2009-03-08 11:33 . 2010-12-20 23:59 25600 h:\windows\system32\dllcache\jsproxy.dll
    + 2008-03-29 05:21 . 2008-04-14 07:06 37248 h:\windows\system32\dllcache\isapnp.sys
    + 2008-03-28 21:03 . 2008-04-14 07:24 11264 h:\windows\system32\dllcache\irenum.sys
    + 2008-03-29 04:36 . 2008-04-14 07:15 46592 h:\windows\system32\dllcache\irbus.sys
    + 2008-03-28 09:10 . 2008-04-14 07:49 75264 h:\windows\system32\dllcache\ipsec.sys
    + 2008-03-28 09:10 . 2008-04-14 07:27 20864 h:\windows\system32\dllcache\ipinip.sys
    + 2008-03-29 04:36 . 2008-04-14 12:41 94720 h:\windows\system32\dllcache\iphlpapi.dll
    + 2008-03-29 05:44 . 2008-04-14 07:23 36608 h:\windows\system32\dllcache\ip6fw.sys
    + 2008-03-29 05:44 . 2008-04-14 07:01 36352 h:\windows\system32\dllcache\intelppm.sys
    + 2008-03-28 09:10 . 2008-04-14 12:41 75264 h:\windows\system32\dllcache\inetpp.dll
    - 2009-03-08 11:31 . 2009-03-08 11:31 34816 h:\windows\system32\dllcache\imgutil.dll
    + 2008-03-29 04:36 . 2009-03-08 11:31 34816 h:\windows\system32\dllcache\imgutil.dll
    + 2008-03-28 09:10 . 2008-04-14 07:11 42112 h:\windows\system32\dllcache\imapi.sys
    + 2008-03-29 04:36 . 2008-04-14 12:41 11264 h:\windows\system32\dllcache\icaapi.dll
    + 2001-08-17 22:24 . 2008-04-14 07:48 52480 h:\windows\system32\dllcache\i8042prt.sys
    - 2009-10-21 05:38 . 2009-10-21 05:38 25088 h:\windows\system32\dllcache\httpapi.dll
    + 2008-03-29 05:44 . 2009-10-21 05:38 25088 h:\windows\system32\dllcache\httpapi.dll
    + 2001-08-17 14:02 . 2008-04-14 07:15 10368 h:\windows\system32\dllcache\hidusb.sys
    + 2001-08-17 14:02 . 2008-04-14 07:15 24960 h:\windows\system32\dllcache\hidparse.sys
    + 2008-03-29 04:36 . 2008-04-14 07:15 19200 h:\windows\system32\dllcache\hidir.sys
    + 2001-08-17 14:02 . 2008-04-14 07:15 36864 h:\windows\system32\dllcache\hidclass.sys
    + 2008-03-29 05:44 . 2008-04-14 07:16 25600 h:\windows\system32\dllcache\hidbth.sys
    + 2008-03-28 21:05 . 2008-04-14 07:06 20352 h:\windows\system32\dllcache\hidbatt.sys
    + 2001-08-17 22:36 . 2008-04-14 12:41 20992 h:\windows\system32\dllcache\hid.dll
    + 2008-03-29 05:44 . 2008-04-14 07:06 46464 h:\windows\system32\dllcache\gagp30kx.sys
    + 2001-08-17 13:57 . 2001-08-23 05:00 12160 h:\windows\system32\dllcache\fsvga.sys
    + 2001-08-17 13:51 . 2008-04-14 07:10 20480 h:\windows\system32\dllcache\flpydisk.sys
    + 2008-03-28 09:10 . 2008-04-14 07:03 44544 h:\windows\system32\dllcache\fips.sys
    + 2001-08-17 13:51 . 2008-04-14 07:10 27392 h:\windows\system32\dllcache\fdc.sys
    + 2008-03-29 04:36 . 2008-04-14 12:41 80384 h:\windows\system32\dllcache\faultrep.dll
    + 2008-03-29 04:36 . 2008-04-14 12:41 56320 h:\windows\system32\dllcache\eventlog.dll
    + 2008-03-29 04:36 . 2008-04-14 12:41 23040 h:\windows\system32\dllcache\ersvc.dll
    + 2008-05-15 13:27 . 2008-04-14 12:41 40960 h:\windows\system32\dllcache\eappprxy.dll
    + 2008-05-15 13:27 . 2008-04-14 12:41 30720 h:\windows\system32\dllcache\eapolqec.dll
    + 2008-03-28 09:10 . 2008-04-14 07:08 71168 h:\windows\system32\dllcache\dxg.sys
    + 2008-03-28 09:11 . 2008-04-14 12:41 14336 h:\windows\system32\dllcache\drprov.dll
    + 2008-03-29 04:42 . 2008-04-14 07:15 60160 h:\windows\system32\dllcache\drmk.sys
    + 2008-05-15 13:27 . 2008-04-14 12:41 26112 h:\windows\system32\dllcache\dot3api.dll
    + 2008-03-28 09:10 . 2008-04-14 12:41 45568 h:\windows\system32\dllcache\dnsrslvr.dll
    + 2008-03-29 04:42 . 2008-04-14 07:15 52864 h:\windows\system32\dllcache\dmusic.sys
    + 2008-03-28 09:10 . 2008-04-14 12:41 23552 h:\windows\system32\dllcache\dmserver.dll
    + 2008-03-28 09:10 . 2008-04-14 07:10 14208 h:\windows\system32\dllcache\diskdump.sys
    + 2001-08-17 13:52 . 2008-04-14 07:10 36352 h:\windows\system32\dllcache\disk.sys
    + 2008-03-28 09:10 . 2008-04-14 12:41 59904 h:\windows\system32\dllcache\devenum.dll
    + 2008-03-28 09:10 . 2008-04-14 12:41 27136 h:\windows\system32\dllcache\ddrawex.dll
    + 2008-03-28 09:10 . 2008-04-14 12:41 25088 h:\windows\system32\dllcache\davclnt.dll
    + 2008-03-28 09:10 . 2008-04-14 12:41 54272 h:\windows\system32\dllcache\dataclen.dll
    - 2009-12-14 07:08 . 2010-12-09 14:30 33280 h:\windows\system32\dllcache\csrsrv.dll
    + 2008-03-28 09:10 . 2010-12-09 14:30 33280 h:\windows\system32\dllcache\csrsrv.dll
    + 2001-08-17 13:48 . 2008-04-14 07:01 36736 h:\windows\system32\dllcache\crusoe.sys
    + 2001-08-17 13:24 . 2001-08-23 05:00 11776 h:\windows\system32\dllcache\cpqdap01.sys
    + 2008-03-28 21:05 . 2008-04-14 07:06 10240 h:\windows\system32\dllcache\compbatt.sys
    + 2008-03-29 04:06 . 2008-04-14 12:41 60416 h:\windows\system32\dllcache\colbact.dll
    + 2001-08-17 22:36 . 2008-04-14 12:41 47104 h:\windows\system32\dllcache\cnbjmon.dll
    + 2008-03-29 04:36 . 2008-04-14 12:41 58368 h:\windows\system32\dllcache\clusapi.dll
    + 2008-03-28 09:10 . 2008-04-14 12:42 64000 h:\windows\system32\dllcache\cleanmgr.exe
    + 2008-03-28 09:10 . 2008-04-14 07:46 49536 h:\windows\system32\dllcache\classpnp.sys
    + 2008-03-29 05:44 . 2008-04-14 12:41 15423 h:\windows\system32\dllcache\ch7xxnt5.dll
    + 2001-08-17 13:52 . 2008-04-14 07:10 62976 h:\windows\system32\dllcache\cdrom.sys
    + 2008-03-28 09:10 . 2008-04-14 07:44 63744 h:\windows\system32\dllcache\cdfs.sys
    + 2001-08-17 13:52 . 2001-08-23 05:00 18688 h:\windows\system32\dllcache\cdaudio.sys
    + 2008-10-10 06:23 . 2008-04-14 07:16 17024 h:\windows\system32\dllcache\ccdecode.sys
    + 2001-08-17 13:52 . 2001-08-23 05:00 13952 h:\windows\system32\dllcache\cbidf2k.sys
    + 2002-08-29 10:40 . 2008-04-14 12:41 60416 h:\windows\system32\dllcache\cabinet.dll
    + 2008-03-29 05:44 . 2008-04-14 07:16 18944 h:\windows\system32\dllcache\bthusb.sys
    + 2008-03-29 05:44 . 2008-04-14 07:16 36480 h:\windows\system32\dllcache\bthprint.sys
    + 2008-03-29 05:44 . 2008-04-14 07:16 37888 h:\windows\system32\dllcache\bthmodem.sys
    + 2008-03-29 05:44 . 2008-04-14 07:16 17024 h:\windows\system32\dllcache\bthenum.sys
    + 2008-03-29 04:36 . 2008-04-14 12:41 77824 h:\windows\system32\dllcache\browser.dll
    + 2008-03-29 04:36 . 2008-04-14 05:33 63488 h:\windows\system32\dllcache\browselc.dll
    + 2008-03-28 09:10 . 2008-04-14 07:23 71552 h:\windows\system32\dllcache\bridge.sys
    + 2008-03-28 21:05 . 2008-04-14 07:06 14208 h:\windows\system32\dllcache\battc.sys
    + 2008-03-28 09:10 . 2008-04-14 12:41 29184 h:\windows\system32\dllcache\batmeter.dll
    + 2008-03-28 09:10 . 2008-04-14 12:41 52736 h:\windows\system32\dllcache\basesrv.dll
     
  11. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    CONTINUED
    ============================================

    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- h:\program files\Alwil Software\Avast5\ashShell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerBlock"="h:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
    "SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-25 2423752]
    "Google Update"="h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-09 135664]
    "EVEMon"="i:\program files\EVEMon\EVEMon.exe" [2011-02-12 1724928]
    "Skype"="h:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VIARaidUtl"="h:\program files\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
    "AMD_Display"="h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe" [2008-05-05 1449984]
    "StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-05 98304]
    "avast"="h:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]

    h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Timex Data Link USB Launcher.lnk - h:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2010-11-19 40960]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\H:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=h:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2009-06-10 10:57 136472 ----a-w- h:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2009-06-10 11:02 904840 ----a-w- i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 08:04 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 10:43 69632 ------r- h:\windows\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-04-06 23:35 247296 ----a-w- h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
    2008-07-22 20:53 77824 ----a-w- h:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]
    2008-05-05 16:37 1449984 ----a-w- h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
    h:\program files\ATI Multimedia\main\launchpd.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
    2011-02-23 15:04 3451496 ----a-w- h:\progra~1\ALWILS~1\Avast5\AvastUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:42 15360 ----a-w- h:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    2005-12-10 14:57 133016 ----a-w- h:\program files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVEMon]
    2011-02-12 20:26 1724928 ----a-w- i:\program files\EVEMon\EVEMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
    2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-12-09 03:45 135664 ------w- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2003-09-01 18:52 376912 -c--a-w- h:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    2001-08-10 17:23 94208 ----a-w- h:\program files\Common Files\Logitech\QCDriver\LVComS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2001-07-09 19:50 155648 ----a-w- h:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
    2010-11-07 05:24 1867888 ----a-w- h:\program files\PeerBlock\peerblock.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2006-09-01 22:57 282624 ----a-w- h:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2007-02-26 07:03 16125440 ------w- h:\windows\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
    2008-11-03 19:02 4789048 ----a-w- h:\program files\SightSpeed\SightSpeed.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 10:04 2879488 ------r- h:\windows\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2011-01-05 04:36 98304 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2009-10-11 11:17 149280 ----a-w- i:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMRUBottedTray]
    2008-11-06 18:33 288088 ----a-w- h:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2009-06-10 10:55 1326080 ----a-w- i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2010-01-13 22:44 37888 ----a-w- h:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LVPrcSrv"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "e:\\Program Files\\AboutTime\\AboutTime.exe"=
    "e:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "i:\\eve\\bin\\ExeFile.exe"=
    "h:\\Program Files\\DAP\\DAP.exe"=
    "h:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "h:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
    "i:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "h:\\Program Files\\uTorrent\\uTorrent.exe"=
    "h:\\Program Files\\UGS\\NX 6.0\\UGII\\ugraf.exe"=
    "h:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
    "h:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
    "h:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "h:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "h:\\WINDOWS\\system32\\dpvsetup.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "8181:TCP"= 8181:TCP:utorrent webui
    "8181:UDP"= 8181:UDP:utorrent webui

    R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [5/2/2008 8:16 PM 643072]
    R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2/26/2011 9:14 AM 371544]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [8/2/2010 8:02 AM 301528]
    R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [8/2/2010 8:02 AM 19544]
    R2 MotoConnect Service;MotoConnect Service;h:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/27/2010 6:26 PM 91392]
    R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\UGS\UGSLicensing\lmgrd.exe [4/22/2008 9:37 AM 1372160]
    R2 VRAID Log Service;VRAID Log Service;h:\program files\VIA\RAID\vialogsv.exe [5/20/2009 8:38 PM 52888]
    R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [5/20/2009 10:15 PM 34304]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [5/20/2009 7:19 PM 38656]
    R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 6:13 AM 135664]
    S3 Amazon Download Agent;Amazon Download Agent;h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/12/2009 10:48 PM 319488]
    S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [6/27/2010 6:27 PM 25856]
    S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [8/15/2010 3:18 PM 13192]
    S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [8/15/2010 3:18 PM 8456]
    S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [12/28/2007 12:57 AM 46080]
    S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [6/27/2010 6:27 PM 42752]
    S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [4/4/2007 9:56 PM 21376]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 RUBotted;Trend Micro RUBotted Service;h:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2/24/2010 6:47 AM 582992]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-03-01 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

    2011-03-01 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

    2011-02-26 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003Core.job
    - h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

    2011-03-01 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003UA.job
    - h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

    2011-02-25 h:\windows\Tasks\{9C117111-5543-41EF-B8BA-B9878B7EE374}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]

    2011-02-28 h:\windows\Tasks\{B330E9BD-9502-4D89-B3A9-3BB957C35074}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]

    2011-02-28 h:\windows\Tasks\{BF62BF1F-BB0E-44D1-97CB-094298049FEB}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    Trusted Zone: intuit.com\ttlc
    TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
    Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
    Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-28 20:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1464)
    h:\program files\SUPERAntiSpyware\SASWINLO.DLL
    h:\windows\system32\WININET.dll
    h:\windows\system32\Ati2evxx.dll
    h:\windows\system32\atiadlxx.dll
    h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

    - - - - - - - > 'explorer.exe'(1648)
    h:\windows\system32\WININET.dll
    h:\windows\system32\msi.dll
    h:\windows\system32\webcheck.dll
    h:\windows\system32\IEFRAME.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    h:\windows\system32\Ati2evxx.exe
    h:\program files\Alwil Software\Avast5\AvastSvc.exe
    h:\windows\system32\Ati2evxx.exe
    h:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    h:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    i:\program files\Java\jre6\bin\jqs.exe
    h:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    h:\windows\system32\wdfmgr.exe
    h:\program files\UGS\UGSLicensing\ugslmd.exe
    h:\windows\system32\wscntfy.exe
    h:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    h:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    h:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    h:\program files\Motorola\MotoConnectService\MotoConnect.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-28 20:33:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-01 03:33
    ComboFix2.txt 2011-02-28 01:15
    ComboFix3.txt 2011-02-26 15:15
    ComboFix4.txt 2011-02-25 14:54
    ComboFix5.txt 2011-03-01 02:53

    Pre-Run: 200,724,099,072 bytes free
    Post-Run: 200,709,947,392 bytes free

    - - End Of File - - 44DEC926DD9198DF80C40B61BA05A60C
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Some background on the malware you have/had:

    Win32/Bamital Trojan: AKA Backdoor.Win32.Agent.andi, Trojan.Bamital.Gen, Win32/Agent.
    Trojan:Win32/Bamital.A is a trojan often installed by other malware. It monitors and modifies Web search queries and displays advertisements. It is triggered when the browser is Internet Explorer, Opera, Firefox, Chrome, or Safari.

    Payload: Modifies browsing behavior: patches and redirects some functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.

    Connects to a remote server: May also send and download additional information from other Web servers.
    ==============================================
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      explorer.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ======================================
    Well, you caught my flub on Combofix! I so frequently have it run right after the Eset scan that I just picked up the log you left and added the script! I don't see where I had you run it in the first place and should have uninstalled it, then reinstalled. My bad, but if the script does the job, okay.
    =========================================
    You are obviously an experienced computer user. So I would like you to visit this site for the MVPS Host file replacement: http://mvps.org/winhelp2002/hosts.htm
    You have been doing some things on your own, so see if this download is appropriate for you now.
    ========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
    • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    h:\temp\SSUPDATE.EXE
    H:\MGlogs.zip
    Folder::
    H:\MGtools
    
    FileLook::
    h:\windows\system32\k.dll
    DirLook::
    H:\Temple
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    "8181:TCP"=-
    "8181:UDP"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
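The SystemLook step above collects a filefind listing of explorer.*, and the Bamital background explains why it matters: the infector patches system executables in place, so size and timestamps look normal. As an added example (not from this thread, SystemLook or ComboFix), the Python checker below parses a listing in that format and compares each live .exe with a clean .ex_ copy in the same folder (the naming snoobler used for the copies from another machine); the sample log is constructed in SystemLook's layout, with the explorer.* lines taken from the log posted later in this thread and the winlogon lines made up to show a clean pair.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in SystemLook's ":filefind" output layout. The four explorer.* lines
# are copied from the log posted later in this thread; the two winlogon lines are made up
# (size/hash as ComboFix's Sigcheck reported them) to show a clean pair that is NOT flagged.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "explorer.*"
H:\Program Files\DAP\Skins\dap\Explorer.bmp --a---- 5264 bytes [04:54 19/06/2008] [04:54 19/06/2008] 0EF744B1DC357FDE44C78536A8108659
H:\WINDOWS\explorer.exe --a---- 1033728 bytes [04:36 29/03/2008] [00:12 14/04/2008] E99BE788FBEE60C53F47F1F8CEA2C926
H:\WINDOWS\explorer.ex_ --a---- 1033728 bytes [23:35 27/02/2011] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
H:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658

Searching for "winlogon.*"
H:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [04:36 29/03/2008] [00:12 14/04/2008] 82753CED43E9FB7CA8E81F2089FFF07B
H:\WINDOWS\system32\winlogon.ex_ --a---- 507904 bytes [23:35 27/02/2011] [00:12 14/04/2008] 82753CED43E9FB7CA8E81F2089FFF07B

-= EOF =-
"""

# One result line: path, 7 attribute flags, size, [created] [modified], MD5.
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileEntry:
    path: str
    size: int
    created: str      # "HH:MM DD/MM/YYYY" exactly as SystemLook prints it
    modified: str
    md5: str


def parse_filefind(log_text: str) -> list[FileEntry]:
    """Return one FileEntry per result line; banners, 'Searching for' and EOF lines are skipped."""
    entries: list[FileEntry] = []
    for raw in log_text.splitlines():
        m = FILEFIND_RE.match(raw.strip())
        if m:
            entries.append(FileEntry(m["path"], int(m["size"]), m["created"],
                                     m["modified"], m["md5"].upper()))
    return entries


def find_patched_binaries(log_text: str) -> list[dict]:
    """Pair every live *.exe with a *.ex_ copy in the same folder and flag hash mismatches.

    Bamital-style infectors patch explorer.exe / winlogon.exe in place: the file keeps its
    size and, as in this thread, its modification time, so only a hash comparison against a
    known-good copy reveals the change.
    """
    index: dict[tuple[str, str, str], FileEntry] = {}
    for e in parse_filefind(log_text):
        p = PureWindowsPath(e.path)
        index[(str(p.parent).lower(), p.stem.lower(), p.suffix.lower())] = e

    findings = []
    for (folder, stem, suffix), live in index.items():
        if suffix != ".exe":
            continue                      # only executables are of interest
        ref = index.get((folder, stem, ".ex_"))
        if ref is None or ref.md5 == live.md5:
            continue                      # no clean copy to compare, or identical bytes
        findings.append({
            "live": live.path,
            "reference": ref.path,
            "live_md5": live.md5,
            "reference_md5": ref.md5,
            "same_size": live.size == ref.size,
            "mtime_preserved": live.modified == ref.modified,
        })
    return findings


def describe(finding: dict) -> str:
    """Human-readable verdict for one finding."""
    hints = []
    if finding["same_size"]:
        hints.append("same size")
    if finding["mtime_preserved"]:
        hints.append("modified time unchanged")
    how = " and ".join(hints) if hints else "size/time differ"
    return (f"{finding['live']} does not match {finding['reference']} ({how}): "
            f"{finding['live_md5']} vs {finding['reference_md5']} -> likely patched in place")


if __name__ == "__main__":
    results = find_patched_binaries(SAMPLE_LOG)
    if not results:
        print("no mismatching .exe/.ex_ pairs")
    for f in results:
        print(describe(f))
```

Run against the real SystemLook.txt instead of SAMPLE_LOG, the same check works for any folder where a trusted copy was dropped beside the live file.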
     
  13. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    Thank you for the background on the infection.

    Am I at significant risk for compromised passwords? This machine is typically used for all sorts of things including financial websites and remote desktop connection to work. As a matter of pure circumstance, none of these actions were taken between suspected infection time and when I first noticed the redirects. Since the redirects, I have consciously avoided passworded functions except where absolutely necessary, e.g., this site.

    Concerning the H:\Temple folder, that is my doing. I was using it to process video on my local machine instead of my media server to avoid network bandwidth issues.

    Thank you for the MVPS Host file recommendation. Once this matter is resolved, I intend to implement it. I assume it's premature at this point.

    Concerning your comments about my experience, thank you, but please don't assume too much. I'm generally regarded as a Guru by my peers, friends, family; however, when it comes to people with very detailed technical knowledge like yourself, I slip quickly into the power user category.... occasionally one with just enough information to be dangerous. I try to recognize this and keep myself reined in.

    A prior run of Combofix (before posting on the site) indicated issues with explorer.exe and winlogon.exe. I obtained copies from my wife's computer and placed them in the same folders with the .ex_ extension.

    Combofix failed to restart the computer again. I allowed for 10 minutes before attempting to restart. ctrl-alt-del function was not available, screen was black with nothing but the combofix window. Mouse would move, but would not respond to clicks. I forced reboot with the computer reset button. Combofix ran on login and produced the log.

    NOTE: I will be away from this computer for several hours. If it is safe to do so, I can connect remotely, but failed restarts with combofix would present an issue. Please advise if I should pursue this.

    Syslook and combofix files follow:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 09:24 on 01/03/2011 by Steve
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "explorer.*"
    H:\Program Files\DAP\Skins\dap\Explorer.bmp --a---- 5264 bytes [04:54 19/06/2008] [04:54 19/06/2008] 0EF744B1DC357FDE44C78536A8108659
    H:\Program Files\Macro Express3\Icons\explorer.ico --a---- 10134 bytes [05:22 09/07/2099] [15:26 30/05/2007] F98A1DBCDCF308B53602393157B9B70E
    H:\WINDOWS\explorer.exe --a---- 1033728 bytes [04:36 29/03/2008] [00:12 14/04/2008] E99BE788FBEE60C53F47F1F8CEA2C926
    H:\WINDOWS\explorer.ex_ --a---- 1033728 bytes [23:35 27/02/2011] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
    H:\WINDOWS\explorer.scf --a---- 80 bytes [09:10 28/03/2008] [05:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392
    H:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
    H:\WINDOWS\Prefetch\EXPLORER.EXE-04FFEABC.pf --a---- 102584 bytes [04:58 11/02/2011] [13:26 01/03/2011] B9B8FC42504253E52EA312AC046DC6E6

    -= EOF =-


    ComboFix 11-02-28.07 - Steve 03/01/2011 9:36.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1486 [GMT -7:00]
    Running from: h:\documents and settings\Deb\Desktop\ComboFix.exe
    Command switches used :: h:\documents and settings\Deb\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "H:\MGlogs.zip"
    "h:\temp\SSUPDATE.EXE"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    H:\MGlogs.zip
    H:\MGtools
    h:\mgtools\analyse.exe
    h:\mgtools\BamFix.bat
    h:\mgtools\bamRCfix.txt
    h:\mgtools\chodefix.bat
    h:\mgtools\config.reg
    h:\mgtools\DisableUAC.reg
    h:\mgtools\download.exe
    h:\mgtools\EnableUAC.reg
    h:\mgtools\ffinfo.txt
    h:\mgtools\filelog.txt
    h:\mgtools\FindOVL.bat
    h:\mgtools\FindRN.bat
    h:\mgtools\FixACLS.bat
    h:\mgtools\FixBagle.bat
    h:\mgtools\fixBagle.reg
    h:\mgtools\FixbamRC.bat
    h:\mgtools\FixCF.bat
    h:\mgtools\fixCF.reg
    h:\mgtools\fixChode.reg
    h:\mgtools\FixFA.bat
    h:\mgtools\fixFA.reg
    h:\mgtools\FixPerm.bat
    h:\mgtools\FixSBM.bat
    h:\mgtools\fixSBM.reg
    h:\mgtools\GetDetails.exe
    h:\mgtools\GetLogs.Bat
    h:\mgtools\GetMBR.bat
    h:\mgtools\GetRunKey.bat
    h:\mgtools\GetUnKey.txt
    h:\mgtools\GetUnKeys.bat
    h:\mgtools\grep.exe
    h:\mgtools\GRK64.bat
    h:\mgtools\hide.reg
    h:\mgtools\history.txt
    h:\mgtools\HTAfind.bat
    h:\mgtools\IEFIX.reg
    h:\mgtools\locate.com
    h:\mgtools\ltime.exe
    h:\mgtools\mbrfix.bat
    h:\mgtools\MGclean.bat
    h:\mgtools\MiscInfo.bat
    h:\mgtools\NwkTst.bat
    h:\mgtools\Process.exe
    h:\mgtools\ProcessDll.exe
    h:\mgtools\Regfix.bat
    h:\mgtools\RemMWS.bat
    h:\mgtools\RunMB.bat
    h:\mgtools\scantime.txt
    h:\mgtools\sed.exe
    h:\mgtools\ShowNew.bat
    h:\mgtools\SN64.bat
    h:\mgtools\swreg.exe
    h:\mgtools\swwhoami.exe
    h:\mgtools\SysBU.bat
    h:\mgtools\temp\aedebug.txt
    h:\mgtools\temp\cvdrv1.txt
    h:\mgtools\temp\cvdrv2.txt
    h:\mgtools\temp\cvdrv3.txt
    h:\mgtools\temp\ffext.txt
    h:\mgtools\temp\GRKflag.log
    h:\mgtools\temp\header0.txt
    h:\mgtools\temp\HIDDEN1.txt
    h:\mgtools\temp\HIDDEN2.txt
    h:\mgtools\temp\HIDDEN3.txt
    h:\mgtools\temp\HIDDEN4.txt
    h:\mgtools\temp\junk.txt
    h:\mgtools\temp\NetSvcs.txt
    h:\mgtools\temp\SH.txt
    h:\mgtools\temp\VSP1\beep.sysmg
    h:\mgtools\temp\VSP1\cngaudit.dllmg
    h:\mgtools\temp\VSP1\netlogon.dllmg
    h:\mgtools\temp\VSP1\scecli.dllmg
    h:\mgtools\temp\xcuexpSH.txt
    h:\mgtools\temp\xcupolexp.txt
    h:\mgtools\temp\xcupolie.txt
    h:\mgtools\temp\xcupolsys.txt
    h:\mgtools\temp\xcupolwup.txt
    h:\mgtools\temp\xlmcpl.txt
    h:\mgtools\temp\xmodul.txt
    h:\mgtools\temp\xmscfg.txt
    h:\mgtools\temp\XPSP2\beep.sysmg
    h:\mgtools\temp\XPSP2\eventlog.dllmg
    h:\mgtools\temp\XPSP2\netlogon.dllmg
    h:\mgtools\temp\XPSP2\scecli.dllmg
    h:\mgtools\temp\XPSP3\beep.sysmg
    h:\mgtools\temp\XPSP3\eventlog.dllmg
    h:\mgtools\temp\XPSP3\netlogon.dllmg
    h:\mgtools\temp\XPSP3\scecli.dllmg
    h:\mgtools\temp\xrkey01.txt
    h:\mgtools\temp\xrkey04.txt
    h:\mgtools\temp\xrkey05.txt
    h:\mgtools\temp\xrkey06.txt
    h:\mgtools\temp\xrkey07.txt
    h:\mgtools\temp\xrkey08.txt
    h:\mgtools\temp\xrkey09.txt
    h:\mgtools\temp\xrkey10.txt
    h:\mgtools\temp\xrkey11.txt
    h:\mgtools\temp\xrkey12.txt
    h:\mgtools\temp\xrnotif.txt
    h:\mgtools\temp\xrquery.txt
    h:\mgtools\temp\xspawn.txt
    h:\mgtools\temp\xspawn2.txt
    h:\mgtools\unhide.reg
    h:\mgtools\UnKeys.bat
    h:\mgtools\UserInfo.bat
    h:\mgtools\vfind.exe
    h:\mgtools\VunFind.bat
    h:\mgtools\zip.exe
    h:\temp\SSUPDATE.EXE

    Infected copy of h:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - h:\system volume information\_restore{9E309AAF-1379-463E-ACC3-0D3107ABAA46}\RP6\A0009729.exe

    h:\windows\explorer.exe . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
    .

    2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
    2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
    2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
    2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Common Files\Java
    2011-03-01 03:39 . 2011-03-01 03:39 73728 ----a-w- h:\windows\system32\javacpl.cpl
    2011-03-01 03:39 . 2011-03-01 03:39 472808 ----a-w- h:\windows\system32\deployJava1.dll
    2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Java
    2011-03-01 01:42 . 2011-03-01 01:42 -------- d-----w- H:\_OTM
    2011-02-28 15:29 . 2008-04-14 12:42 3584 ----a-w- h:\windows\system32\k.dll
    2011-02-27 23:35 . 2008-04-14 00:12 507904 ----a-w- h:\windows\system32\winlogon.ex_
    2011-02-27 23:35 . 2008-04-14 00:12 1033728 ----a-w- h:\windows\explorer.ex_
    2011-02-27 19:19 . 2011-02-27 19:19 33019 ----a-w- h:\windows\system32\CoreAAC-uninstall.exe
    2011-02-27 19:18 . 2009-08-12 04:18 497664 ----a-w- h:\windows\system32\ac3filter.acm
    2011-02-27 18:32 . 2011-02-27 20:28 -------- d-----w- H:\Temple
    2011-02-27 18:29 . 2011-02-27 18:42 -------- d-----w- h:\program files\Avi2Dvd
    2011-02-26 19:30 . 2011-02-26 19:30 -------- d-----w- h:\program files\ESET
    2011-02-26 16:14 . 2011-02-23 14:56 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
    2011-02-26 15:52 . 2011-02-26 15:52 -------- d-----w- h:\windows\system32\wbem\Repository
    2011-02-26 15:50 . 2011-02-26 15:50 -------- d-----w- h:\program files\EVE Metrics Uploader
    2011-02-25 07:53 . 2011-02-25 07:53 -------- d-----w- h:\documents and settings\LocalService.NT AUTHORITY\IETldCache
    2011-02-25 04:37 . 2011-02-25 04:37 -------- d-----w- h:\documents and settings\Deb\Application Data\Malwarebytes
    2011-02-25 04:26 . 2010-12-21 01:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-25 04:26 . 2011-02-25 04:26 -------- d-----w- h:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2011-02-25 04:26 . 2011-02-26 16:12 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
    2011-02-25 04:26 . 2010-12-21 01:08 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
    2011-02-19 13:01 . 2011-02-19 13:01 -------- d-----w- h:\program files\Microsoft.NET
    2011-02-18 07:02 . 2011-02-18 07:02 -------- d-----w- H:\AutoCad
    2011-02-10 01:10 . 2011-02-10 01:10 1716297 ----a-w- h:\windows\system32\InetClnt.dll
    2011-01-31 04:58 . 2011-01-31 04:58 -------- d-----w- h:\program files\Rhinoceros 4.0

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 15:04 . 2010-08-02 15:01 40648 ----a-w- h:\windows\avastSS.scr
    2011-02-23 15:04 . 2010-08-02 15:01 190016 ----a-w- h:\windows\system32\aswBoot.exe
    2011-02-23 14:56 . 2010-08-02 15:02 301528 ----a-w- h:\windows\system32\drivers\aswSP.sys
    2011-02-23 14:55 . 2010-08-02 15:02 49240 ----a-w- h:\windows\system32\drivers\aswTdi.sys
    2011-02-23 14:55 . 2010-08-02 15:02 102232 ----a-w- h:\windows\system32\drivers\aswmon2.sys
    2011-02-23 14:55 . 2010-08-02 15:02 96344 ----a-w- h:\windows\system32\drivers\aswmon.sys
    2011-02-23 14:55 . 2010-08-02 15:02 25432 ----a-w- h:\windows\system32\drivers\aswRdr.sys
    2011-02-23 14:54 . 2010-08-02 15:02 30680 ----a-w- h:\windows\system32\drivers\aavmker4.sys
    2011-02-23 14:54 . 2010-08-02 15:02 19544 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
    2011-02-10 01:10 . 2011-02-10 01:10 12 ----a-w- h:\windows\Fonts\wfonts.key
    2011-01-21 14:44 . 2008-03-29 04:35 439296 ----a-w- h:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-03-28 09:10 290048 ----a-w- h:\windows\system32\atmfd.dll
    2011-01-05 03:34 . 2009-03-16 21:33 5656576 ----a-w- h:\windows\system32\drivers\ati2mtag.sys
    2011-01-05 03:13 . 2009-03-16 19:35 57344 ----a-w- h:\windows\system32\aticalrt.dll
    2011-01-05 03:12 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\aticalcl.dll
    2011-01-05 03:11 . 2009-03-16 19:33 4489216 ----a-w- h:\windows\system32\aticaldd.dll
    2011-01-05 03:11 . 2009-03-16 20:04 17084416 ----a-w- h:\windows\system32\atioglxx.dll
    2011-01-05 03:00 . 2009-03-16 20:27 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
    2011-01-05 02:59 . 2009-03-16 20:26 302080 ----a-w- h:\windows\system32\ati2dvag.dll
    2011-01-05 02:53 . 2009-03-16 20:17 311296 ----a-w- h:\windows\system32\atiiiexx.dll
    2011-01-05 02:53 . 2009-03-16 20:06 4021984 ----a-w- h:\windows\system32\ati3duag.dll
    2011-01-05 02:46 . 2011-01-27 04:52 1112576 ----a-w- h:\windows\system32\ativvamv.dll
    2011-01-05 02:39 . 2009-03-16 20:17 212992 ----a-w- h:\windows\system32\atipdlxx.dll
    2011-01-05 02:39 . 2009-03-16 20:16 155648 ----a-w- h:\windows\system32\Oemdspif.dll
    2011-01-05 02:39 . 2009-03-16 20:16 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
    2011-01-05 02:39 . 2009-03-16 20:16 43520 ----a-w- h:\windows\system32\ati2edxx.dll
    2011-01-05 02:39 . 2009-03-16 20:16 188416 ----a-w- h:\windows\system32\ati2evxx.dll
    2011-01-05 02:37 . 2009-03-16 20:15 638976 ----a-w- h:\windows\system32\ati2evxx.exe
    2011-01-05 02:36 . 2009-03-16 19:53 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
    2011-01-05 02:36 . 2009-03-16 20:13 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
    2011-01-05 02:35 . 2010-04-10 04:02 143360 ----a-w- h:\windows\system32\atiapfxx.exe
    2011-01-05 02:31 . 2009-03-16 19:36 651264 ----a-w- h:\windows\system32\atikvmag.dll
    2011-01-05 02:29 . 2009-03-16 19:35 196608 ----a-w- h:\windows\system32\atiadlxx.dll
    2011-01-05 02:28 . 2009-03-16 19:34 17408 ----a-w- h:\windows\system32\atitvo32.dll
    2011-01-05 02:28 . 2009-03-16 19:35 471040 ----a-w- h:\windows\system32\atiok3x2.dll
    2011-01-05 02:22 . 2009-03-16 19:28 851968 ----a-w- h:\windows\system32\ati2cqag.dll
    2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\atimpc32.dll
    2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\amdpcom32.dll
    2011-01-05 02:19 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\drivers\ati2erec.dll
    2010-12-31 13:10 . 2008-03-28 09:11 1854976 ----a-w- h:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-03-29 04:36 301568 ----a-w- h:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-03-29 04:35 916480 ----a-w- h:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-03-29 04:36 1469440 ------w- h:\windows\system32\inetcpl.cpl
    2010-12-20 23:59 . 2008-03-29 04:36 43520 ----a-w- h:\windows\system32\licmgr10.dll
    2010-12-20 17:26 . 2008-03-28 09:10 730112 ----a-w- h:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-03-29 05:44 385024 ----a-w- h:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-03-28 09:10 718336 ----a-w- h:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-03-28 09:10 33280 ----a-w- h:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-03-28 09:10 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2001-08-17 13:48 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
    2010-12-07 19:14 . 2010-12-07 19:14 51200 ----a-w- h:\windows\system32\OpenCL.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    --- h:\windows\system32\k.dll ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 3584
    Created time: 2011-02-28 15:29
    Modified time: 2008-04-14 12:42
    MD5: 91BFC30C7D1AB5891511609C236FFED5
    SHA1: 68D919FDDA263864F2D5E6A0573B6D1BF9C665A7

    ---- Directory of H:\Temple ----

    2011-02-27 19:21 . 2011-02-19 18:45 730714112 ----a-w- h:\temple\templegrandin.avi


    ------- Sigcheck -------

    [-] 2008-04-14 . 82753CED43E9FB7CA8E81F2089FFF07B . 507904 . . [5.1.2600.5512] . . h:\windows\system32\winlogon.exe

    [-] 2008-04-14 . E99BE788FBEE60C53F47F1F8CEA2C926 . 1033728 . . [6.00.2900.5512] . . h:\windows\explorer.exe
    [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-03-01_03.30.02 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-01 03:39 . 2011-03-01 03:39 157472 h:\windows\system32\javaws.exe
    + 2011-03-01 03:39 . 2011-03-01 03:39 145184 h:\windows\system32\javaw.exe
    - 2010-02-18 03:44 . 2009-10-11 11:17 145184 h:\windows\system32\javaw.exe
    + 2011-03-01 03:39 . 2011-03-01 03:39 145184 h:\windows\system32\java.exe
    - 2010-02-18 03:44 . 2009-10-11 11:17 145184 h:\windows\system32\java.exe
    + 2011-03-01 03:39 . 2011-03-01 03:39 180224 h:\windows\Installer\84afa.msi
    + 2011-03-01 03:39 . 2011-03-01 03:39 675840 h:\windows\Installer\84aef.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- h:\program files\Alwil Software\Avast5\ashShell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerBlock"="h:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
    "SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-25 2423752]
    "Google Update"="h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-09 135664]
    "EVEMon"="i:\program files\EVEMon\EVEMon.exe" [2011-02-12 1724928]
    "Skype"="h:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VIARaidUtl"="h:\program files\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
    "AMD_Display"="h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe" [2008-05-05 1449984]
    "StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-05 98304]
    "avast"="h:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
    "SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

    h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Timex Data Link USB Launcher.lnk - h:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2010-11-19 40960]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\H:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=h:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2009-06-10 10:57 136472 ----a-w- h:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2009-06-10 11:02 904840 ----a-w- i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 08:04 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 10:43 69632 ------r- h:\windows\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-04-06 23:35 247296 ----a-w- h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
    2008-07-22 20:53 77824 ----a-w- h:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]
    2008-05-05 16:37 1449984 ----a-w- h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
    h:\program files\ATI Multimedia\main\launchpd.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
    2011-02-23 15:04 3451496 ----a-w- h:\progra~1\ALWILS~1\Avast5\AvastUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:42 15360 ----a-w- h:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    2005-12-10 14:57 133016 ----a-w- h:\program files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVEMon]
    2011-02-12 20:26 1724928 ----a-w- i:\program files\EVEMon\EVEMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
    2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-12-09 03:45 135664 ------w- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2003-09-01 18:52 376912 -c--a-w- h:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    2001-08-10 17:23 94208 ----a-w- h:\program files\Common Files\Logitech\QCDriver\LVComS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2001-07-09 19:50 155648 ----a-w- h:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
    2010-11-07 05:24 1867888 ----a-w- h:\program files\PeerBlock\peerblock.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2006-09-01 22:57 282624 ----a-w- h:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2007-02-26 07:03 16125440 ------w- h:\windows\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
    2008-11-03 19:02 4789048 ----a-w- h:\program files\SightSpeed\SightSpeed.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 10:04 2879488 ------r- h:\windows\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2011-01-05 04:36 98304 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMRUBottedTray]
    2008-11-06 18:33 288088 ----a-w- h:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2009-06-10 10:55 1326080 ----a-w- i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2010-01-13 22:44 37888 ----a-w- h:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LVPrcSrv"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "e:\\Program Files\\AboutTime\\AboutTime.exe"=
    "e:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "i:\\eve\\bin\\ExeFile.exe"=
    "h:\\Program Files\\DAP\\DAP.exe"=
    "h:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "h:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
    "i:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "h:\\Program Files\\uTorrent\\uTorrent.exe"=
    "h:\\Program Files\\UGS\\NX 6.0\\UGII\\ugraf.exe"=
    "h:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
    "h:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
    "h:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "h:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "h:\\WINDOWS\\system32\\dpvsetup.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "8181:TCP"= 8181:TCP:utorrent webui
    "8181:UDP"= 8181:UDP:utorrent webui

    R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [5/2/2008 8:16 PM 643072]
    R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2/26/2011 9:14 AM 371544]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [8/2/2010 8:02 AM 301528]
    R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [8/2/2010 8:02 AM 19544]
    R2 MotoConnect Service;MotoConnect Service;h:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/27/2010 6:26 PM 91392]
    R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\UGS\UGSLicensing\lmgrd.exe [4/22/2008 9:37 AM 1372160]
    R2 VRAID Log Service;VRAID Log Service;h:\program files\VIA\RAID\vialogsv.exe [5/20/2009 8:38 PM 52888]
    R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [5/20/2009 10:15 PM 34304]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [5/20/2009 7:19 PM 38656]
    R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 6:13 AM 135664]
    S3 Amazon Download Agent;Amazon Download Agent;h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/12/2009 10:48 PM 319488]
    S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [6/27/2010 6:27 PM 25856]
    S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [8/15/2010 3:18 PM 13192]
    S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [8/15/2010 3:18 PM 8456]
    S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [12/28/2007 12:57 AM 46080]
    S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [6/27/2010 6:27 PM 42752]
    S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [4/4/2007 9:56 PM 21376]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 RUBotted;Trend Micro RUBotted Service;h:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2/24/2010 6:47 AM 582992]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-03-01 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

    2011-03-01 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

    2011-02-26 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003Core.job
    - h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

    2011-03-01 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003UA.job
    - h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

    2011-02-25 h:\windows\Tasks\{9C117111-5543-41EF-B8BA-B9878B7EE374}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]

    2011-02-28 h:\windows\Tasks\{B330E9BD-9502-4D89-B3A9-3BB957C35074}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]

    2011-03-01 h:\windows\Tasks\{BF62BF1F-BB0E-44D1-97CB-094298049FEB}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    Trusted Zone: intuit.com\ttlc
    TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
    Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
    Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-SunJavaUpdateSched - i:\program files\Java\jre6\bin\jusched.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-01 10:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1460)
    h:\program files\SUPERAntiSpyware\SASWINLO.DLL
    h:\windows\system32\WININET.dll
    h:\windows\system32\Ati2evxx.dll
    h:\windows\system32\atiadlxx.dll
    h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

    - - - - - - - > 'explorer.exe'(2760)
    h:\windows\system32\WININET.dll
    h:\windows\system32\msi.dll
    h:\windows\system32\webcheck.dll
    h:\windows\system32\IEFRAME.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    h:\windows\system32\Ati2evxx.exe
    h:\program files\Alwil Software\Avast5\AvastSvc.exe
    h:\windows\system32\Ati2evxx.exe
    h:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    h:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    h:\program files\Java\jre6\bin\jqs.exe
    h:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    h:\windows\system32\wdfmgr.exe
    h:\program files\UGS\UGSLicensing\ugslmd.exe
    h:\windows\system32\wscntfy.exe
    h:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    h:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    h:\program files\Motorola\MotoConnectService\MotoConnect.exe
    h:\program files\Java\jre6\bin\javaws.exe
    h:\program files\Java\jre6\bin\javaw.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-01 10:11:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-01 17:11
    ComboFix2.txt 2011-03-01 03:33
    ComboFix3.txt 2011-02-28 01:15
    ComboFix4.txt 2011-02-26 15:15
    ComboFix5.txt 2011-03-01 16:34

    Pre-Run: 200,503,988,224 bytes free
    Post-Run: 200,479,453,184 bytes free

    - - End Of File - - A7975D72733F8F8E8A79E2AE28F9A2AF
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

FYI: The Bamital malware infected both winlogon.exe and explorer.exe. A better way to handle them would have been to do what I did> look in your system for a good copy of the file and then do FCopy to replace the infected file with a good one. Combofix replaced the infected winlogon.exe file with one from a restore point. I replaced explorer.exe using FCopy.

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    h:\windows\system32\k.dll
    FCopy::
    H:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe | h:\windows\explorer.exe
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
[image: screenshot of dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    If you are still having the redirects after this, I will have you disable the CD Emulation software as it will sometimes interfere with scans. NOTE: you do not need to do this yet and if you do, I will give you the instructions.
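The FCopy:: step above replaces the live explorer.exe with the copy kept under $hf_mig$, and ComboFix's Sigcheck section (in the log posted next) records the MD5, size and version of both copies so the replacement can be verified. As an added example, not code from this thread or from ComboFix, the Python below parses Sigcheck-style lines (the two embedded lines are copied from the log) and performs the same comparison on two files on disk. The function names are my own, and the files written by the demo are constructed stand-ins, not real system binaries.

```python
"""Verify a replaced system binary against a known-good reference copy.

Added example: parses ComboFix 'Sigcheck' lines and compares two on-disk
files by MD5, mirroring what the FCopy:: step relies on.  Not ComboFix code.
"""
import hashlib
import os
import re
import tempfile

# Copied from the Sigcheck section of the ComboFix log (sample input).
SIGCHECK_SAMPLE = """\
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\\windows\\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\\windows\\$hf_mig$\\KB938828\\SP2QFE\\explorer.exe
"""

# One Sigcheck line: [flag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def compare_entries(entries, live_path, reference_path):
    """True if the log shows the live file and the reference copy with the same
    MD5, size and version; None if either path is absent from the log."""
    by_path = {e["path"].lower(): e for e in entries}
    live = by_path.get(live_path.lower())
    ref = by_path.get(reference_path.lower())
    if live is None or ref is None:
        return None
    key = lambda e: (e["md5"], e["size"], e["version"])
    return key(live) == key(ref)


def md5_of(path):
    """MD5 of a file, read in chunks; MD5 only because that is what Sigcheck prints."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def verify_replacement(live_path, reference_path):
    """Hash both files on disk. A mismatch means the live copy differs from the
    reference and is the case where an FCopy:: replacement would be needed."""
    live_md5 = md5_of(live_path)
    ref_md5 = md5_of(reference_path)
    return {"live": live_md5, "reference": ref_md5, "match": live_md5 == ref_md5}


def demo_disk_check():
    """Constructed demo: an untouched copy matches its reference, a modified one does not."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "explorer.exe.ref")
        good = os.path.join(d, "explorer.exe")
        bad = os.path.join(d, "explorer_modified.exe")
        payload = b"MZ" + b"\x00" * 510  # constructed stand-in for a PE image
        for p in (ref, good):
            with open(p, "wb") as f:
                f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload + b"\x90")  # one extra byte changes the hash
        return (verify_replacement(good, ref)["match"],
                verify_replacement(bad, ref)["match"])


if __name__ == "__main__":
    entries = parse_sigcheck(SIGCHECK_SAMPLE)
    for e in entries:
        print(e["flag"], e["md5"], e["size"], e["version"], e["path"])
    print("log copies agree:", compare_entries(
        entries, r"h:\windows\explorer.exe",
        r"h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe"))
    print("disk check (good, modified):", demo_disk_check())
```

Sigcheck's two explorer.exe lines carry the same hash, size and version, which is what tells you the $hf_mig$ copy is a valid replacement source. A hash that only matches the reference copy after the FCopy run is the expected result; a version string or size that differs between the two lines would mean the chosen reference is not the same build and should not be copied over.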
     
  15. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    Combofix ran as expected with a forced reboot via the reset button. Combofix resumed after reboot and log generated.

    Redirects are NOT occurring anymore, and page loads following link clicks are VERY responsive (since they're not looking for a different server! - and Avast shields are still disabled).

    I tested with search results from google, yahoo, lycos, altavista and wikipedia as all had redirects previously.

    h:\windows\system32\k.dll is still present, and it is still identified as a virus by avast (using right click scan from explorer). I took no action.

    h:\windows\system32\drivers\etc\hosts file contains only the localhost entry.

    Note that I had no system restore points prior to the infection. I believe the infection may have wiped them, so any files extracted from the restore points might be suspect.

    Combofix log follows:


    ComboFix 11-02-28.07 - Steve 03/01/2011 18:41:36.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1485 [GMT -7:00]
    Running from: h:\documents and settings\Deb\Desktop\ComboFix.exe
    Command switches used :: h:\documents and settings\Deb\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "h:\windows\system32\k.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    h:\temp\winlogon.dat

    Infected copy of h:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - h:\windows\system32\winlogon.ex_

    .
    --------------- FCopy ---------------

    h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe --> h:\windows\explorer.exe
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
    .

    2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
    2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
    2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
    2011-03-02 02:31 . 2010-06-29 17:48 355056 ----a-w- h:\temp\SSUPDATE.EXE
    2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Common Files\Java
    2011-03-01 03:39 . 2011-03-01 03:39 73728 ----a-w- h:\windows\system32\javacpl.cpl
    2011-03-01 03:39 . 2011-03-01 03:39 472808 ----a-w- h:\windows\system32\deployJava1.dll
    2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Java
    2011-03-01 01:42 . 2011-03-01 01:42 -------- d-----w- H:\_OTM
    2011-02-28 15:29 . 2008-04-14 12:42 3584 ----a-w- h:\windows\system32\k.dll
    2011-02-27 23:35 . 2008-04-14 00:12 507904 ----a-w- h:\windows\system32\winlogon.ex_
    2011-02-27 23:35 . 2008-04-14 00:12 1033728 ----a-w- h:\windows\explorer.ex_
    2011-02-27 19:19 . 2011-02-27 19:19 33019 ----a-w- h:\windows\system32\CoreAAC-uninstall.exe
    2011-02-27 19:18 . 2009-08-12 04:18 497664 ----a-w- h:\windows\system32\ac3filter.acm
    2011-02-27 18:32 . 2011-02-27 20:28 -------- d-----w- H:\Temple
    2011-02-27 18:29 . 2011-02-27 18:42 -------- d-----w- h:\program files\Avi2Dvd
    2011-02-26 19:30 . 2011-02-26 19:30 -------- d-----w- h:\program files\ESET
    2011-02-26 16:14 . 2011-02-23 14:56 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
    2011-02-26 15:52 . 2011-02-26 15:52 -------- d-----w- h:\windows\system32\wbem\Repository
    2011-02-26 15:50 . 2011-02-26 15:50 -------- d-----w- h:\program files\EVE Metrics Uploader
    2011-02-25 07:53 . 2011-02-25 07:53 -------- d-----w- h:\documents and settings\LocalService.NT AUTHORITY\IETldCache
    2011-02-25 04:37 . 2011-02-25 04:37 -------- d-----w- h:\documents and settings\Deb\Application Data\Malwarebytes
    2011-02-25 04:26 . 2010-12-21 01:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-25 04:26 . 2011-02-25 04:26 -------- d-----w- h:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2011-02-25 04:26 . 2011-02-26 16:12 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
    2011-02-25 04:26 . 2010-12-21 01:08 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
    2011-02-19 13:01 . 2011-02-19 13:01 -------- d-----w- h:\program files\Microsoft.NET
    2011-02-18 07:02 . 2011-02-18 07:02 -------- d-----w- H:\AutoCad
    2011-02-10 01:10 . 2011-02-10 01:10 1716297 ----a-w- h:\windows\system32\InetClnt.dll
    2011-01-31 04:58 . 2011-01-31 04:58 -------- d-----w- h:\program files\Rhinoceros 4.0

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-23 15:04 . 2010-08-02 15:01 40648 ----a-w- h:\windows\avastSS.scr
    2011-02-23 15:04 . 2010-08-02 15:01 190016 ----a-w- h:\windows\system32\aswBoot.exe
    2011-02-23 14:56 . 2010-08-02 15:02 301528 ----a-w- h:\windows\system32\drivers\aswSP.sys
    2011-02-23 14:55 . 2010-08-02 15:02 49240 ----a-w- h:\windows\system32\drivers\aswTdi.sys
    2011-02-23 14:55 . 2010-08-02 15:02 102232 ----a-w- h:\windows\system32\drivers\aswmon2.sys
    2011-02-23 14:55 . 2010-08-02 15:02 96344 ----a-w- h:\windows\system32\drivers\aswmon.sys
    2011-02-23 14:55 . 2010-08-02 15:02 25432 ----a-w- h:\windows\system32\drivers\aswRdr.sys
    2011-02-23 14:54 . 2010-08-02 15:02 30680 ----a-w- h:\windows\system32\drivers\aavmker4.sys
    2011-02-23 14:54 . 2010-08-02 15:02 19544 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
    2011-02-10 01:10 . 2011-02-10 01:10 12 ----a-w- h:\windows\Fonts\wfonts.key
    2011-01-21 14:44 . 2008-03-29 04:35 439296 ----a-w- h:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-03-28 09:10 290048 ----a-w- h:\windows\system32\atmfd.dll
    2011-01-05 03:34 . 2009-03-16 21:33 5656576 ----a-w- h:\windows\system32\drivers\ati2mtag.sys
    2011-01-05 03:13 . 2009-03-16 19:35 57344 ----a-w- h:\windows\system32\aticalrt.dll
    2011-01-05 03:12 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\aticalcl.dll
    2011-01-05 03:11 . 2009-03-16 19:33 4489216 ----a-w- h:\windows\system32\aticaldd.dll
    2011-01-05 03:11 . 2009-03-16 20:04 17084416 ----a-w- h:\windows\system32\atioglxx.dll
    2011-01-05 03:00 . 2009-03-16 20:27 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
    2011-01-05 02:59 . 2009-03-16 20:26 302080 ----a-w- h:\windows\system32\ati2dvag.dll
    2011-01-05 02:53 . 2009-03-16 20:17 311296 ----a-w- h:\windows\system32\atiiiexx.dll
    2011-01-05 02:53 . 2009-03-16 20:06 4021984 ----a-w- h:\windows\system32\ati3duag.dll
    2011-01-05 02:46 . 2011-01-27 04:52 1112576 ----a-w- h:\windows\system32\ativvamv.dll
    2011-01-05 02:39 . 2009-03-16 20:17 212992 ----a-w- h:\windows\system32\atipdlxx.dll
    2011-01-05 02:39 . 2009-03-16 20:16 155648 ----a-w- h:\windows\system32\Oemdspif.dll
    2011-01-05 02:39 . 2009-03-16 20:16 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
    2011-01-05 02:39 . 2009-03-16 20:16 43520 ----a-w- h:\windows\system32\ati2edxx.dll
    2011-01-05 02:39 . 2009-03-16 20:16 188416 ----a-w- h:\windows\system32\ati2evxx.dll
    2011-01-05 02:37 . 2009-03-16 20:15 638976 ----a-w- h:\windows\system32\ati2evxx.exe
    2011-01-05 02:36 . 2009-03-16 19:53 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
    2011-01-05 02:36 . 2009-03-16 20:13 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
    2011-01-05 02:35 . 2010-04-10 04:02 143360 ----a-w- h:\windows\system32\atiapfxx.exe
    2011-01-05 02:31 . 2009-03-16 19:36 651264 ----a-w- h:\windows\system32\atikvmag.dll
    2011-01-05 02:29 . 2009-03-16 19:35 196608 ----a-w- h:\windows\system32\atiadlxx.dll
    2011-01-05 02:28 . 2009-03-16 19:34 17408 ----a-w- h:\windows\system32\atitvo32.dll
    2011-01-05 02:28 . 2009-03-16 19:35 471040 ----a-w- h:\windows\system32\atiok3x2.dll
    2011-01-05 02:22 . 2009-03-16 19:28 851968 ----a-w- h:\windows\system32\ati2cqag.dll
    2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\atimpc32.dll
    2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\amdpcom32.dll
    2011-01-05 02:19 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\drivers\ati2erec.dll
    2010-12-31 13:10 . 2008-03-28 09:11 1854976 ----a-w- h:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2008-03-29 04:36 301568 ----a-w- h:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2008-03-29 04:35 916480 ----a-w- h:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2008-03-29 04:36 1469440 ------w- h:\windows\system32\inetcpl.cpl
    2010-12-20 23:59 . 2008-03-29 04:36 43520 ----a-w- h:\windows\system32\licmgr10.dll
    2010-12-20 17:26 . 2008-03-28 09:10 730112 ----a-w- h:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2008-03-29 05:44 385024 ----a-w- h:\windows\system32\html.iec
    2010-12-09 15:15 . 2008-03-28 09:10 718336 ----a-w- h:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2008-03-28 09:10 33280 ----a-w- h:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2008-03-28 09:10 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2001-08-17 13:48 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
    2010-12-07 19:14 . 2010-12-07 19:14 51200 ----a-w- h:\windows\system32\OpenCL.dll
    .

    ------- Sigcheck -------

    [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\explorer.exe
    [-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-03-01_03.30.02 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-01 03:39 . 2011-03-01 03:39 157472 h:\windows\system32\javaws.exe
    + 2011-03-01 03:39 . 2011-03-01 03:39 145184 h:\windows\system32\javaw.exe
    - 2010-02-18 03:44 . 2009-10-11 11:17 145184 h:\windows\system32\javaw.exe
    + 2011-03-01 03:39 . 2011-03-01 03:39 145184 h:\windows\system32\java.exe
    - 2010-02-18 03:44 . 2009-10-11 11:17 145184 h:\windows\system32\java.exe
    + 2011-03-01 03:39 . 2011-03-01 03:39 180224 h:\windows\Installer\84afa.msi
    + 2011-03-01 03:39 . 2011-03-01 03:39 675840 h:\windows\Installer\84aef.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- h:\program files\Alwil Software\Avast5\ashShell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PeerBlock"="h:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
    "SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-25 2423752]
    "Google Update"="h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-09 135664]
    "EVEMon"="i:\program files\EVEMon\EVEMon.exe" [2011-02-12 1724928]
    "Skype"="h:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VIARaidUtl"="h:\program files\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
    "AMD_Display"="h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe" [2008-05-05 1449984]
    "StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-05 98304]
    "avast"="h:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
    "SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

    h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Timex Data Link USB Launcher.lnk - h:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2010-11-19 40960]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\H:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=h:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2009-06-10 10:57 136472 ----a-w- h:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2009-06-10 11:02 904840 ----a-w- i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 08:04 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 10:43 69632 ------r- h:\windows\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
    2009-04-06 23:35 247296 ----a-w- h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
    2008-07-22 20:53 77824 ----a-w- h:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]
    2008-05-05 16:37 1449984 ----a-w- h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
    h:\program files\ATI Multimedia\main\launchpd.exe [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
    2011-02-23 15:04 3451496 ----a-w- h:\progra~1\ALWILS~1\Avast5\AvastUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:42 15360 ----a-w- h:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
    2005-12-10 14:57 133016 ----a-w- h:\program files\DAEMON Tools\daemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVEMon]
    2011-02-12 20:26 1724928 ----a-w- i:\program files\EVEMon\EVEMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
    2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-12-09 03:45 135664 ------w- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    2003-09-01 18:52 376912 -c--a-w- h:\program files\Microsoft ActiveSync\wcescomm.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
    2001-08-10 17:23 94208 ----a-w- h:\program files\Common Files\Logitech\QCDriver\LVComS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2001-07-09 19:50 155648 ----a-w- h:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
    2010-11-07 05:24 1867888 ----a-w- h:\program files\PeerBlock\peerblock.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2006-09-01 22:57 282624 ----a-w- h:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2007-02-26 07:03 16125440 ------w- h:\windows\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
    2008-11-03 19:02 4789048 ----a-w- h:\program files\SightSpeed\SightSpeed.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 10:04 2879488 ------r- h:\windows\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2011-01-05 04:36 98304 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMRUBottedTray]
    2008-11-06 18:33 288088 ----a-w- h:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2009-06-10 10:55 1326080 ----a-w- i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2010-01-13 22:44 37888 ----a-w- h:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "LVPrcSrv"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "e:\\Program Files\\AboutTime\\AboutTime.exe"=
    "e:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "i:\\eve\\bin\\ExeFile.exe"=
    "h:\\Program Files\\DAP\\DAP.exe"=
    "h:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "h:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
    "i:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "h:\\Program Files\\uTorrent\\uTorrent.exe"=
    "h:\\Program Files\\UGS\\NX 6.0\\UGII\\ugraf.exe"=
    "h:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
    "h:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
    "h:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "h:\\Program Files\\SightSpeed\\SightSpeed.exe"=
    "h:\\WINDOWS\\system32\\dpvsetup.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
    "8181:TCP"= 8181:TCP:utorrent webui
    "8181:UDP"= 8181:UDP:utorrent webui

    R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [5/2/2008 8:16 PM 643072]
    R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2/26/2011 9:14 AM 371544]
    R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [8/2/2010 8:02 AM 301528]
    R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
    R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [8/2/2010 8:02 AM 19544]
    R2 MotoConnect Service;MotoConnect Service;h:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/27/2010 6:26 PM 91392]
    R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\UGS\UGSLicensing\lmgrd.exe [4/22/2008 9:37 AM 1372160]
    R2 VRAID Log Service;VRAID Log Service;h:\program files\VIA\RAID\vialogsv.exe [5/20/2009 8:38 PM 52888]
    R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [5/20/2009 10:15 PM 34304]
    R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [5/20/2009 7:19 PM 38656]
    R3 pbfilter;pbfilter;h:\program files\PeerBlock\pbfilter.sys [2/25/2010 9:14 PM 19056]
    R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 6:13 AM 135664]
    S3 Amazon Download Agent;Amazon Download Agent;h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/12/2009 10:48 PM 319488]
    S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [6/27/2010 6:27 PM 25856]
    S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [8/15/2010 3:18 PM 13192]
    S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [8/15/2010 3:18 PM 8456]
    S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [12/28/2007 12:57 AM 46080]
    S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [6/27/2010 6:27 PM 42752]
    S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [4/4/2007 9:56 PM 21376]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S4 RUBotted;Trend Micro RUBotted Service;h:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2/24/2010 6:47 AM 582992]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PBFILTER
    .
    Contents of the 'Scheduled Tasks' folder

    2011-03-02 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

    2011-03-02 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

    2011-02-26 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003Core.job
    - h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

    2011-03-02 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003UA.job
    - h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

    2011-02-25 h:\windows\Tasks\{9C117111-5543-41EF-B8BA-B9878B7EE374}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]

    2011-03-01 h:\windows\Tasks\{B330E9BD-9502-4D89-B3A9-3BB957C35074}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]

    2011-03-01 h:\windows\Tasks\{BF62BF1F-BB0E-44D1-97CB-094298049FEB}_STEVE_Steve.job
    - h:\windows\system32\mobsync.exe [2008-03-28 12:42]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    Trusted Zone: intuit.com\ttlc
    TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
    Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
    Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-01 19:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1460)
    h:\program files\SUPERAntiSpyware\SASWINLO.DLL
    h:\windows\system32\WININET.dll
    h:\windows\system32\Ati2evxx.dll
    h:\windows\system32\atiadlxx.dll
    h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

    - - - - - - - > 'explorer.exe'(3568)
    h:\windows\system32\WININET.dll
    h:\windows\system32\msi.dll
    h:\windows\system32\ieframe.dll
    h:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    h:\windows\system32\Ati2evxx.exe
    h:\program files\Alwil Software\Avast5\AvastSvc.exe
    h:\windows\system32\Ati2evxx.exe
    h:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    h:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    h:\program files\Java\jre6\bin\jqs.exe
    h:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    h:\windows\system32\wdfmgr.exe
    h:\program files\UGS\UGSLicensing\ugslmd.exe
    h:\windows\system32\wscntfy.exe
    h:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    h:\program files\Skype\Plugin Manager\skypePM.exe
    h:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    h:\program files\Motorola\MotoConnectService\MotoConnect.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-01 19:35:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-02 02:35
    ComboFix2.txt 2011-03-01 17:11
    ComboFix3.txt 2011-03-01 03:33
    ComboFix4.txt 2011-02-28 01:15
    ComboFix5.txt 2011-03-02 01:39

    Pre-Run: 200,441,028,608 bytes free
    Post-Run: 200,415,531,008 bytes free

    - - End Of File - - 36D287DDC8270A8A09F8876E8456FD16
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Consider sitting back and letting me review the logs.

    As for System Restore: to the best of my knowledge, there isn't any malware that drops or adds restore points.
    RP1: 2/24/2011 9:43:15 PM - System Checkpoint> Normal. Set by the system
    RP2: 2/25/2011 7:01:25 AM - Installed HiJackThis> Normal. Restore Point should be set before installing a new program.
    RP3: 2/26/2011 8:34:02 AM - Restore Operation> done by computer user.
    RP4: 2/26/2011 8:48:57 AM - Restore Operation> done by computer user.


    System Restore should not be done while cleaning because if an infected restore point is used, it can reinfect the system.

    You should have restore points set! The system will usually do this automatically if the system is on. Combofix would not have replaced an infected file with another file.


    Why do you continue to try to second guess me?
     
  17. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    I am in no way trying to second guess you. You present me information, and I reply with what I think may be pertinent feedback. I do not pretend to know better than you, but I do think that you will draw the best conclusion with more accurate information. I seek to provide accurate information. Nothing more.

    Concerning system restore, it was active, and prior to the infection, I had restore points - at least system checkpoints. After the infection, I had no system restore points before the date of infection. I will concede that it is possible system restore may have been deactivated prior, but not intentionally as I have utilized system restore on several occasions.

    If you prefer that I shut up, I will do so. I am actually just trying to be helpful in providing what I regard as pertinent feedback. From this point forward, I will do exactly as you say and provide responses only when asked direct questions.

    Thanks again.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I meant to reassure you that I was carefully reviewing all the log entries - nothing more. Since the redirect problem has been resolved, I'd like you to run the ESET online virus scan once more. If it's clean, I will have you remove the cleaning tools we used.
     
  19. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    "Why do you continue to try to second guess me?" - this does not sound like an attempt to convey reassurance.

    Please let me state that I trust your expertise implicitly. All information presented was with the intent of providing you information that may not be reflected in the logs.

    I greatly appreciate all your efforts and regret any misunderstanding that may exist between us.

    ESET was run with the same options as in your first reference to ESET. Requested log follows:
    =============================================================
    ESETSmartInstaller@High as downloader log:
    all ok
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=9e79442f8cc1f34781344975555be3a0
    # end=stopped
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-26 10:51:45
    # local_time=2011-02-26 03:51:45 (-0700, US Mountain Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 30819859 30819859 0 0
    # compatibility_mode=768 16777215 100 0 30810311 30810311 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=871
    # found=0
    # cleaned=0
    # scan_time=18
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=9e79442f8cc1f34781344975555be3a0
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-02-26 11:35:55
    # local_time=2011-02-26 04:35:55 (-0700, US Mountain Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 30819945 30819945 0 0
    # compatibility_mode=768 16777215 100 0 30810397 30810397 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=149446
    # found=4
    # cleaned=0
    # scan_time=2581
    H:\Documents and Settings\Deb\My Documents\Downloads\MGtools.exe probably a variant of Win32/TrojanDropper.Agent.FPPWZRZ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\WINDOWS\system32\k.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
    H:\WINDOWS\system32\drivers\etc\Copy of hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
    H:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6425
    # api_version=3.0.2
    # EOSSerial=9e79442f8cc1f34781344975555be3a0
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-03-02 07:05:01
    # local_time=2011-03-02 12:05:01 (-0700, US Mountain Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 31141175 31141175 0 0
    # compatibility_mode=768 16777215 100 0 31131627 31131627 0 0
    # compatibility_mode=8192 67108863 100 0 246982 246982 0 0
    # scanned=671592
    # found=4
    # cleaned=0
    # scan_time=10697
    H:\System Volume Information\_restore{9E309AAF-1379-463E-ACC3-0D3107ABAA46}\RP14\A0012373.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
    H:\WINDOWS\system32\k.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
    H:\_OTM\MovedFiles\02282011_184221\H_Documents and Settings\Deb\My Documents\Downloads\MGtools.exe probably a variant of Win32/TrojanDropper.Agent.FPPWZRZ trojan (unable to clean) 00000000000000000000000000000000 I
    H:\_OTM\MovedFiles\02282011_184221\H_WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
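
    The ESET log above is easier to act on once the hits are sorted by where each file actually lives: the entries under System Volume Information\_restore and _OTM\MovedFiles are copies held in a restore point and in OTM's quarantine, which is why they keep coming back as "unable to clean", while k.dll is the only hit still on the live system. The Python script below is an added example, not part of the thread or of any ESET tool; it parses a constructed log in the same format as the ones posted here and classifies each detection by location and by whether it touches the hosts file (the mechanism behind a Qhost-style redirect). The regular expressions and the location rules are the example's own assumptions about the log layout.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input, modelled on the ESET Online Scanner log format
# posted in the thread: '# key=value' header lines, stray scanner status
# lines, and one detection per line in the form
#   <path> <threat name> (<action>) <32-hex hash> <flag>
SAMPLE_LOG = r"""
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# utc_time=2011-03-02 07:05:01
# scanned=671592
# found=4
# cleaned=0
H:\System Volume Information\_restore{9E309AAF-1379-463E-ACC3-0D3107ABAA46}\RP14\A0012373.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
H:\WINDOWS\system32\k.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
H:\_OTM\MovedFiles\02282011_184221\H_Documents and Settings\Deb\My Documents\Downloads\MGtools.exe probably a variant of Win32/TrojanDropper.Agent.FPPWZRZ trojan (unable to clean) 00000000000000000000000000000000 I
H:\_OTM\MovedFiles\02282011_184221\H_WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
""".strip("\n")

# Assumed layout: header keys may contain dots ('iexplore.exe'); a detection's
# path may contain spaces, so the threat name is recognised by its
# 'Family/Name' token (Windows paths use backslashes, never a forward slash).
HEADER_RE = re.compile(r"^# (?P<key>[A-Za-z0-9_.]+)=(?P<value>.*)$")
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:probably a variant of )?[A-Za-z0-9]+/\S+(?: [a-z]+)*) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<hash>[0-9A-Fa-f]{32}) "
    r"(?P<flag>\S+)$"
)
# The hosts file is the redirect mechanism in this thread: an entry written
# there sends the browser to a different server for the listed name.
HOSTS_RE = re.compile(r"\\drivers\\etc\\(copy of )?hosts$", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    location: str  # live | quarantine | restore_point
    hosts_file: bool


def classify_location(path: str) -> str:
    """Where the flagged file actually lives. Copies inside a System Restore
    point or a cleaning tool's quarantine folder are inert until restored,
    which is why they keep reappearing as 'unable to clean'."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\_otm\\movedfiles\\" in p:  # OTM/OTMoveIt quarantine folder seen in the thread
        return "quarantine"
    return "live"


def parse_eset_log(text: str):
    headers, detections, skipped = {}, [], 0
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            headers[h["key"]] = h["value"]
            continue
        d = DETECTION_RE.match(line)
        if d:
            detections.append(Detection(
                path=d["path"], threat=d["threat"], action=d["action"],
                location=classify_location(d["path"]),
                hosts_file=bool(HOSTS_RE.search(d["path"])),
            ))
            continue
        skipped += 1  # status lines such as 'esets_scanner_update ...'
    return headers, detections, skipped


def triage(text: str) -> dict:
    """Summarise a scan: what the scanner claims it found, what parsed, and
    which hits still sit on the live filesystem and need action."""
    headers, detections, skipped = parse_eset_log(text)
    return {
        "found_claimed": int(headers.get("found", 0)),
        "detections": len(detections),
        "skipped": skipped,
        "by_location": dict(Counter(d.location for d in detections)),
        "live": [d.path for d in detections if d.location == "live"],
        "hosts_file_hits": sum(d.hosts_file for d in detections),
        "threats": sorted({d.threat for d in detections}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run against the constructed sample, `triage` reports four parsed detections matching the header's `found=4`, one of them in a restore point, two in quarantine, and only `H:\WINDOWS\system32\k.dll` live, which is exactly the file the next post targets. The restore-point copy is the reason the later clean-up step purges old restore points.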
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Going to have to check for a rootkit! This one entry just won't stay gone!

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      H:\WINDOWS\system32\k.dll 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Download catchme.exe ( 137KB ) and save to your desktop.
    • Double click the catchme.exe to run it
    • Click the "Scan" button to start scan
    • Open catchme.log to see results

    Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.

    catchme is the rootkit/stealth malware scanner that scans for:
    • hidden processes
    • hidden registry keys
    • hidden services
    • hidden files
    catchme can also delete, destroy and collect malicious files.
     
  21. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    All processes killed
    ========== FILES ==========
    File/Folder H:\WINDOWS\system32\k.dll not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: All Users.WINDOWS

    User: Deb
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 8662114 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 73838537 bytes
    ->Flash cache emptied: 934 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 65536 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Steve
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    Session Manager Temp folder emptied: 1167358 bytes
    Session Manager Tmp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 44607 bytes

    Total Files Cleaned = 80.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 03022011_145837

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    ================================================================

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-02 15:08:37
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s0"=dword:6a0d5e22
    "s1"=dword:9d5ec1f0
    "s2"=dword:03819763
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="H:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,8a,3b,8a,3c,e8,02,88,32,16,4f,a7,58,63,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,c1,e3,27,43,7e,8c,b9,85,71,3f,ae,c6,1f,b7,36,3d,07,..
    "khjeh"=hex:02,dc,6f,47,0a,3e,6f,f3,4f,a5,1a,80,eb,cd,57,bb,b2,a2,0b,f3,1f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:29,a1,21,25,de,e3,35,30,f1,b8,09,e0,81,26,9c,3f,3d,b2,11,91,04,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:2a,af,75,01,e8,55,4c,d1,67,d0,a7,71,96,7a,df,49,e7,ca,70,7d,f4,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="H:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,8a,3b,8a,3c,e8,02,88,32,16,4f,a7,58,63,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,c1,e3,27,43,7e,8c,b9,85,71,3f,ae,c6,1f,b7,36,3d,07,..
    "khjeh"=hex:02,dc,6f,47,0a,3e,6f,f3,4f,a5,1a,80,eb,cd,57,bb,b2,a2,0b,f3,1f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:aa,8f,ac,06,1c,5b,fd,db,b0,0d,bd,9a,b3,09,ac,9c,3c,ba,67,5d,e8,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0"="H:\Program Files\DAEMON Tools\"
    "h0"=dword:00000000
    "khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,8a,3b,8a,3c,e8,02,88,32,16,4f,a7,58,63,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0"=hex:20,01,00,00,c1,e3,27,43,7e,8c,b9,85,71,3f,ae,c6,1f,b7,36,3d,07,..
    "khjeh"=hex:02,dc,6f,47,0a,3e,6f,f3,4f,a5,1a,80,eb,cd,57,bb,b2,a2,0b,f3,1f,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:29,a1,21,25,de,e3,35,30,f1,b8,09,e0,81,26,9c,3f,3d,b2,11,91,04,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:2a,af,75,01,e8,55,4c,d1,67,d0,a7,71,96,7a,df,49,e7,ca,70,7d,f4,..

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0
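
    The catchme output above reports no hidden processes, services or files, but does list hidden registry keys, all under Services\sptd with a "p0" value pointing at DAEMON Tools. The next post treats this as a CD-emulation driver rather than a rootkit. As an added example (not part of the thread or of catchme), the Python script below parses a shortened, constructed copy of that log, groups the hidden keys by the Services\<name> they sit under, keeps any quoted path values as attribution hints, and marks any service not on a small allow-list as unexplained. The allow-list holds only sptd, the SCSI Pass Through Direct driver that ships with DAEMON Tools and Alcohol 120%; the regular expressions are assumptions about the log layout.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the catchme output format posted
# in the thread (hex blobs truncated, repeated ControlSet00N keys dropped).
SAMPLE_CATCHME = r"""
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 15:08:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:6a0d5e22
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="H:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="H:\Program Files\DAEMON Tools\"
"h0"=dword:00000000

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
""".strip("\n")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
SERVICE_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)(?:\\|$)", re.IGNORECASE)
SUMMARY_RE = re.compile(r"^hidden (?P<what>processes|services|files): (?P<n>\d+)$")

# Drivers known to hide their own configuration keys. sptd is the SCSI Pass
# Through Direct driver that ships with DAEMON Tools and Alcohol 120%; the
# thread's log ties it to DAEMON Tools through the "p0" path value.
KNOWN_CD_EMULATION = {"sptd"}


def attribute_hidden_keys(text: str) -> dict:
    """Group catchme's hidden registry keys by the service they sit under,
    keep any quoted path values as attribution hints, and separate services
    on the allow-list from ones that still need a closer look."""
    services = defaultdict(lambda: {"keys": 0, "paths": set()})
    summary = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            m = SERVICE_RE.search(k["key"])
            current = m["svc"].lower() if m else None
            if current:
                services[current]["keys"] += 1
            continue
        v = VALUE_RE.match(line)
        if v and current:
            data = v["data"]
            # Only quoted string values (REG_SZ) are kept; dword/hex blobs carry no path.
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                services[current]["paths"].add(data[1:-1])
            continue
        s = SUMMARY_RE.match(line)
        if s:
            summary[s["what"]] = int(s["n"])
    report = {
        svc: {
            "keys": info["keys"],
            "paths": sorted(info["paths"]),
            "known_cd_emulation": svc in KNOWN_CD_EMULATION,
        }
        for svc, info in services.items()
    }
    unexplained = sorted(s for s, r in report.items() if not r["known_cd_emulation"])
    return {"services": report, "summary": summary, "unexplained": unexplained}


if __name__ == "__main__":
    result = attribute_hidden_keys(SAMPLE_CATCHME)
    for svc, info in result["services"].items():
        tag = "known CD emulation driver" if info["known_cd_emulation"] else "UNEXPLAINED"
        print(f"{svc}: {info['keys']} hidden key(s), paths={info['paths']} -> {tag}")
    print("scanner summary:", result["summary"], "unexplained:", result["unexplained"])
```

    On the sample, every hidden key is attributed to sptd with the DAEMON Tools path, the unexplained list is empty and the scanner's own counters are all zero; a hidden key under any other service name would land in `unexplained` and would justify the deeper rootkit look the helper was preparing for.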
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, if you are still having the redirects, I'd like you to disable the CD Emulator (DaemonTools) - it may be interfering with the scans:

    DeFogger CD Emulation

    To disable CD Emulation programs using DeFogger please perform these steps:
    1. Please download DeFogger to your desktop.
      Link: http://download.bleepingcomputer.com/jpshortstuff/Defogger.exe
    2. Once downloaded, double-click on the DeFogger icon to start the tool.
    3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
    4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
    ================================
    When we have finished doing the scans:
    To enable CD Emulation programs using DeFogger please perform these steps:
    1. Please download DeFogger to your desktop.
    2. Once downloaded, double-click on the DeFogger icon to start the tool.
    3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
    4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
    ==================================
    If there is any change in the system, please let me know. As for slow loading pages, that is most likely a server issue, not malware.
     
  23. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    Per http://www.techspot.com/vb/post1011027-15.html, "Redirects are NOT occurring anymore, and page loads following link clicks are VERY responsive (since they're not looking for a different server! - and Avast shields are still disabled)."

    Do you still wish me to execute the steps pertaining to DeFogger?

    There have been no adverse changes to the system since my referenced link. Comments concerning slow page loads were exclusively associated with redirects. Since redirects have stopped, browser navigation is very brisk with few exceptions.
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, skip the Emulator removal.

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any questions.
     
  25. snoobler

    snoobler TS Rookie Topic Starter Posts: 19

    Thanks again for all your help thus far.

    Combofix uninstalled.

    OTCleanIt ran, and it required a reboot. Rebooted without incident.

    Upon attempting to create a restore point, I was informed that I needed to turn it on. I did not turn it off at any point during this entire process. Is this normal?

    I turned it on and created a restore point. When I did so, there were no other restore points available.

    Nonetheless, I executed the disk clean up instructions and emptied the recycle bin per your recommendation.

    Last question: What turned off my system restore?
     
Topic Status:
Not open for further replies.
