Solved Chrome and IE search page links redirect


snoobler

This started a couple days ago with both IE and Chrome. Searching at Google, lycos, altavista, etc. produces a series of relevant links; however, when clicked I am redirected to random sites for cheap airfare, etc. I can usually get a successful link click ONCE after a reboot.

Clicking the search button on Wikipedia results in an immediate redirect.

Redirects seem to involve a delay of several seconds vs. opening a typed page almost immediately.

Links on TechSpot pages leading to software downloads are not redirected.

Prior to this post I tried troubleshooting myself which included running Hijackthis, Avast, MBAM, superantispyware and combofix. It seemed to run successfully, but the issue remained. I punted and did a system restore back to 2/24 and am deferring to the experts here. All logs supplied are POST restore, so my previous efforts have hopefully been wiped out, and you are starting fresh.

Lastly, seeing that another user suffered from a router hijack, I checked my DNS servers, and they are as expected from my ISP. Additionally, of the five computers serviced by the router, the issue exists on only the one.

Step 1: Avast Home 6.0.1000 with 110226-0 definitions indicated no infections.

Step 2: TFC completed normally.

Step 3: MBAM indicates no infections:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5884

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/26/2011 10:06:23 AM
mbam-log-2011-02-26 (10-06-23).txt

Scan type: Quick scan
Objects scanned: 203916
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Step 4: GMER log:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-26 10:11:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18 WDC_WD5000AAKB-00H8A0 rev.05.04E05
Running: l96qigpz.exe; Driver: h:\temp\uxtdypod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAB8AC026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAB8ABE91]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAB9418DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\viamraid \Device\Scsi\viamraid1 8A5CDE30
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target2Lun0 8A5CDE30
Device \Driver\dtscsi \Device\Scsi\dtscsi1 89F5D6F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 89F5D6F8
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Ntfs \Ntfs 8A5CD8C0

AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Fastfat \Fat 8A1330E8

AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

Step 5: DDS (NOTE that dds.scr would simply open in Notepad. I appended ".exe", and it ran normally.)

DDS.TXT:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Steve at 10:14:33.29 on Sat 02/26/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1365 [GMT -7:00]

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
H:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
H:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
I:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
H:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
H:\WINDOWS\System32\svchost.exe -k imgsvc
H:\Program Files\UGS\UGSLicensing\lmgrd.exe
H:\Program Files\VIA\RAID\vialogsv.exe
H:\Program Files\UGS\UGSLicensing\lmgrd.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\UGS\UGSLicensing\ugslmd.exe
H:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\Program Files\VIA\RAID\raid_tool.exe
H:\Program Files\Alwil Software\Avast5\avastUI.exe
H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\system32\mmc.exe
H:\Documents and Settings\Deb\Desktop\dds.scr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - i:\progra~1\spybot~1\SDHelper.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "h:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [PeerBlock] h:\program files\peerblock\peerblock.exe
uRun: [SUPERAntiSpyware] h:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "h:\documents and settings\deb\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EVEMon] "i:\program files\evemon\EVEMon.exe" -startMinimized
uRun: [Skype] "h:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [VIARaidUtl] h:\program files\via\raid\raid_tool.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast!] h:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AMD_Display] h:\program files\amd\amd power monitor\AMD_PwrMon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [StartCCC] "h:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [avast] "h:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: h:\docume~1\alluse~1.win\startm~1\programs\startup\timexd~1.lnk - h:\program files\timex\data link usb\DataLinkLauncher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - h:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - h:\program files\microsoft activesync\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - i:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - h:\program files\microsoft activesync\aatp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\dap\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\dap\dapie.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - h:\program files\microsoft activesync\CENetFlt.dll
Notify: !SASWinLogon - h:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - e:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.avast.com
Hosts: 127.0.0.1 www.avg.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.eset.com
Hosts: 127.0.0.1 www.f-secure.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2011-2-26 371544]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [2010-8-2 301528]
R1 SASDIFSV;SASDIFSV;h:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;h:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [2010-8-2 19544]
R2 avast! Antivirus;avast! Antivirus;h:\program files\alwil software\avast5\AvastSvc.exe [2010-8-2 42184]
R2 MotoConnect Service;MotoConnect Service;h:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-27 91392]
R2 RUBotted;Trend Micro RUBotted Service;h:\program files\trend micro\rubotted\TMRUBotted.exe [2010-2-24 582992]
R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\ugs\ugslicensing\lmgrd.exe [2008-4-22 1372160]
R2 VRAID Log Service;VRAID Log Service;h:\program files\via\raid\vialogsv.exe [2009-5-20 52888]
R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [2009-5-20 34304]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [2009-5-20 38656]
R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2010-2-24 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);h:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S2 TTDec;ATI WDM Teletext Decoder;h:\windows\system32\drivers\atinttxx.sys --> h:\windows\system32\drivers\ATINTTXX.sys [?]
S3 Amazon Download Agent;Amazon Download Agent;h:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-4-12 319488]
S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [2010-6-27 25856]
S3 cpuz132;cpuz132;h:\windows\system32\drivers\cpuz132_x32.sys [2009-6-16 12672]
S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [2010-8-15 13192]
S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [2010-8-15 8456]
S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [2007-12-28 46080]
S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [2010-6-27 42752]
S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [2007-4-4 21376]
S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2010-2-24 206608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2099-07-09 05:22:02 -------- d-----w- h:\program files\common files\Insight Software Solutions
2099-07-09 05:22:01 -------- d-----w- h:\program files\Macro Express3
2020-11-03 13:37:15 -------- d-----w- h:\program files\SlySoft
2011-02-26 17:14:32 98816 ----a-w- h:\temp\3a.tmp\SED.DAT
2011-02-26 17:14:32 89088 ----a-w- h:\temp\3a.tmp\MBR.DAT
2011-02-26 17:14:32 518144 ----a-w- h:\temp\3a.tmp\SWREG.DAT
2011-02-26 17:14:32 256512 ----a-w- h:\temp\3a.tmp\PEV.DAT
2011-02-26 16:59:17 355056 ----a-w- h:\temp\SSUPDATE.EXE
2011-02-26 16:14:51 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2011-02-26 15:52:21 -------- d-----w- h:\windows\system32\wbem\repository\FS
2011-02-26 15:52:21 -------- d-----w- h:\windows\system32\wbem\Repository
2011-02-26 15:50:25 -------- d-----w- h:\program files\EVE Metrics Uploader
2011-02-26 15:50:19 -------- d-sh--w- H:\$RECYCLE.BIN
2011-02-25 04:37:44 -------- d-----w- h:\docume~1\deb\applic~1\Malwarebytes
2011-02-25 04:26:34 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2011-02-25 04:26:32 -------- d-----w- h:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-02-25 04:26:28 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
2011-02-25 04:26:28 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2011-02-18 07:02:21 -------- d-----w- H:\AutoCad
2011-02-10 01:10:54 1716297 ----a-w- h:\windows\system32\InetClnt.dll
2011-01-31 04:58:00 -------- d-----w- h:\program files\Rhinoceros 4.0

==================== Find3M ====================

2011-02-23 15:04:21 40648 ----a-w- h:\windows\avastSS.scr
2011-01-21 14:44:37 439296 ----a-w- h:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- h:\windows\system32\atmfd.dll
2011-01-05 03:13:02 57344 ----a-w- h:\windows\system32\aticalrt.dll
2011-01-05 03:12:52 53248 ----a-w- h:\windows\system32\aticalcl.dll
2011-01-05 03:11:42 4489216 ----a-w- h:\windows\system32\aticaldd.dll
2011-01-05 03:11:14 17084416 ----a-w- h:\windows\system32\atioglxx.dll
2011-01-05 03:00:30 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
2011-01-05 02:59:24 302080 ----a-w- h:\windows\system32\ati2dvag.dll
2011-01-05 02:53:36 311296 ----a-w- h:\windows\system32\atiiiexx.dll
2011-01-05 02:53:16 4021984 ----a-w- h:\windows\system32\ati3duag.dll
2011-01-05 02:46:12 1112576 ----a-w- h:\windows\system32\ativvamv.dll
2011-01-05 02:39:46 212992 ----a-w- h:\windows\system32\atipdlxx.dll
2011-01-05 02:39:32 155648 ----a-w- h:\windows\system32\Oemdspif.dll
2011-01-05 02:39:22 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
2011-01-05 02:39:14 43520 ----a-w- h:\windows\system32\ati2edxx.dll
2011-01-05 02:39:02 188416 ----a-w- h:\windows\system32\ati2evxx.dll
2011-01-05 02:37:32 638976 ----a-w- h:\windows\system32\ati2evxx.exe
2011-01-05 02:36:54 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
2011-01-05 02:36:00 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
2011-01-05 02:35:12 143360 ----a-w- h:\windows\system32\atiapfxx.exe
2011-01-05 02:31:10 651264 ----a-w- h:\windows\system32\atikvmag.dll
2011-01-05 02:29:18 196608 ----a-w- h:\windows\system32\atiadlxx.dll
2011-01-05 02:28:52 17408 ----a-w- h:\windows\system32\atitvo32.dll
2011-01-05 02:28:18 471040 ----a-w- h:\windows\system32\atiok3x2.dll
2011-01-05 02:22:50 851968 ----a-w- h:\windows\system32\ati2cqag.dll
2011-01-05 02:20:56 64512 ----a-w- h:\windows\system32\atimpc32.dll
2011-01-05 02:20:56 64512 ----a-w- h:\windows\system32\amdpcom32.dll
2010-12-31 13:10:33 1854976 ----a-w- h:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- h:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- h:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- h:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- h:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- h:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- h:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- h:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- h:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
2010-12-07 19:14:06 51200 ----a-w- h:\windows\system32\OpenCL.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKB-00H8A0 rev.05.04E05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A5CDB78]<<
_asm { MOV EAX, 0x8a5cda98; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a5d0c94; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A51F670]
\Driver\Disk[0x8A537A08] -> IRP_MJ_CREATE -> 0x8A5CDB78
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8a5cdb78
user & kernel MBR OK
Warning: possible MBR rootkit infection !

============= FINISH: 10:15:35.23 ===============

ATTACH.EXE


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/28/2008 9:10:16 PM
System Uptime: 2/26/2011 9:56:59 AM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | M2V-X
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | SOCKET AM2 | 2999/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 60 GiB total, 11.498 GiB free.
D: is FIXED (NTFS) - 20 GiB total, 7.445 GiB free.
E: is FIXED (NTFS) - 20 GiB total, 15.776 GiB free.
F: is CDROM ()
G: is CDROM ()
H: is FIXED (NTFS) - 360 GiB total, 188.616 GiB free.
I: is FIXED (NTFS) - 26 GiB total, 15.648 GiB free.
J: is CDROM ()
M: is FIXED (NTFS) - 213 GiB total, 14.871 GiB free.
P: is FIXED (NTFS) - 149 GiB total, 0.368 GiB free.
T: is NetworkDisk (NTFS) - 292 GiB total, 43.171 GiB free.

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ACPI\AWY0001\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\AWY0001\2&DABA3FF&0
Service:

==== System Restore Points ===================

RP1: 2/24/2011 9:43:15 PM - System Checkpoint
RP2: 2/25/2011 7:01:25 AM - Installed HiJackThis
RP3: 2/26/2011 8:34:02 AM - Restore Operation
RP4: 2/26/2011 8:48:57 AM - Restore Operation

==== Hosts File Hijack ======================

Hosts: 127.0.0.1 www.avast.com
Hosts: 127.0.0.1 www.avg.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.eset.com
Hosts: 127.0.0.1 www.f-secure.com
Hosts: 127.0.0.1 www.grisoft.com
Hosts: 127.0.0.1 www.kaspersky.com
Hosts: 127.0.0.1 www.mcafee.com
Hosts: 127.0.0.1 www.microsoft.com
Hosts: 127.0.0.1 www.pandasecurity.com
Hosts: 127.0.0.1 www.sophos.com
Hosts: 127.0.0.1 www.symantec.com
Hosts: 127.0.0.1 www.trendmicro.com
Hosts: 127.0.0.1 www.viruslist.com
Hosts: 127.0.0.1 www.virustotal.com

==== Installed Programs ======================


µTorrent
7-Zip 4.65
AC-3 ACM Codec
Acronis*True*Image*WD*Edition
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.6
Amazon Games & Software Downloader
AMD CPUInfo
AMD Power Monitor
AMD Processor Driver
Apple Software Update
ASUS Wireless Router WL-520GC Utilities
ASUSUpdate
ATI Catalyst Install Manager
ATI Stream SDK v2 Developer
Attansic Giga Ethernet Utility
Attansic L1 Gigabit Ethernet Driver
Auto Gordian Knot 2.55
AutoCAD 2002
AutoHotkey 1.0.48.03
AutoUpdate
avast! Free Antivirus
AviSynth 2.5
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
BitPim 1.0.7
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
CCleaner
CloneDVD2
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
Contribtastic 2.0-alpha
Cool & Quiet
CPUID HWMonitor 1.15
DAO
Data Lifeguard Diagnostic for Windows
Data Lifeguard Tools
Defraggler
DIKO 2.47
DivX
Download Accelerator Plus (DAP)
Driver Sweeper 1.5.5
Dual-Core Optimizer
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab 6.2.1.8 (31/12/2009)
DVDFab 7.0.9.3 (08/08/2010)
DVDFab 8.0.3.2 (30/10/2010)
DWGeditor
EASEUS Partition Master 6.1.1 Home Edition
eDrawings 2006
EVE Metrics Uploader
EVE Online (remove only)
EveHQ
EVEMon
ffdshow [rev 3154] [2009-12-09]
Fomine WinPopup 1.5
Free Video to iPod Converter version 3.1
FreeRIP v3.30
Google Chrome
Google Earth
Google Update Helper
H-BOT EVE-Pilot
HandBrake 0.9.5
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP USB Disk Storage Format Tool
IrfanView (remove only)
IsoBuster 2.3
Java(TM) 6 Update 17
LimeWire 5.5.8
Logitech QuickCam for Enterprise
Logitech QuickCam for Enterprise Driver Package
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft ActiveSync 3.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2000 Premium
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 8.0 Support DLLs
Motorola Driver Installation 4.2.0
MP3 Tester Demo
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero - Burning Rom
NVTweak
PC Probe II
PDFCreator
PeerBlock 1.1 (r518)
Platform
PowerDVD
QuickTime
RAD Video Tools
Realtek High Definition Audio Driver
Recuva
Rhinoceros 3.0
Rhinoceros 3.0 SR3c
Rhinoceros 4.0 SR6
Rhinoceros 4.0 SR8
RSDLite
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
sentinelsystemdriver
SightSpeed
Skype Toolbars
Skype™ 5.0
SolidWorks 2006 SP0
SolidWorks eDrawings 2011
Speccy
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SUPERAntiSpyware
System Requirements Lab
The Lord of the Rings FREE Trial
thinkorswim
thinkorswim from TD AMERITRADE
Timex Data Link USB
Trend Micro RUBotted
TurboTax 2008
TurboTax 2008 waziper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 waziper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
Tweakui Powertoy for Windows XP
UGS NX 6.0
UGSLicensing
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB955759)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Ventrilo Client
VIA Platform Device Manager
Videora iPod Converter 5.04
VNC Free Edition 4.1.2
VobSub v2.23 (Remove Only)
WebFldrs XP
Wii Video 9 6
Winamp
Winamp Detector Plug-in
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 9 Series TweakMP PowerToy
Windows Support Tools
WinFF 1.1
WinRAR archiver
WinZip
XviD MPEG4 Video Codec (remove only)
YouTube Downloader App 3.00

==== Event Viewer Messages From Past Week ========

2/26/2011 9:55:03 AM, error: Service Control Manager [7034] - The UGS License Server (ugslmd) service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:03 AM, error: Service Control Manager [7034] - The Trend Micro RUBotted Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:03 AM, error: Service Control Manager [7031] - The MotoConnect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The LVCOMSer service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Acronis Scheduler2 Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 8:59:46 AM, error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
2/26/2011 8:48:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK8 AsIO aswRdr aswSnx aswSP aswTdi ElbyCDIO Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip V2IMount
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/25/2011 7:58:18 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
2/25/2011 7:15:43 AM, error: Service Control Manager [7034] - The VRAID Log Service service terminated unexpectedly. It has done this 1 time(s).
2/25/2011 12:53:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: viaagp1 ViaIde
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The Specialized PCD WDM VBI Codec service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI WDM Teletext Decoder service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder Video Crossbar service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder TV Tuner service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder Audio Crossbar service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 1:23:23 AM, error: Service Control Manager [7001] - The Network DDE service depends on the Network DDE DSDM service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2/25/2011 1:23:23 AM, error: Service Control Manager [7000] - The ATI TV Wonder Video Capture service failed to start due to the following error: The system cannot find the file specified.
2/24/2011 9:04:54 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
2/24/2011 2:41:59 PM, error: TermDD [50] - The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
2/22/2011 6:00:59 AM, error: sptd [4] - Driver detected an internal error in its data structures for .
2/21/2011 4:26:00 PM, error: TermServDevices [1111] - Driver hp LaserJet 3015 PCL 6 required for printer !!FRONTDESK!hp LaserJet 3015 PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
2/21/2011 4:25:58 PM, error: TermServDevices [1111] - Driver HP Designjet 500PS 24 by HP required for printer HP 500 is unknown. Contact the administrator to install the driver before you log in again.
2/21/2011 4:25:58 PM, error: TermServDevices [1111] - Driver Canon MF5700 Series (FAX) required for printer FAX (Canon) is unknown. Contact the administrator to install the driver before you log in again.
2/21/2011 4:25:50 PM, error: TermServDevices [1111] - Driver Canon MF5700 Series required for printer Canon Laser is unknown. Contact the administrator to install the driver before you log in again.

==== End Of File ===========================
 

Welcome to TechSpot! I'll be glad to help with the redirect problem. Thank you for giving such a good description of the problem as well as noting these are new logs! This helps me help you. It appears that you may have a rootkit on the MBR, so we will start with that:

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found, just press Enter.
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

I will finish checking these logs while you run that scan. I may have you do a DNS Flush on the one system- but don't do it yet.
Important!
Now that I have these new logs, please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
EDIT: In my haste to supply the information, I failed to thank you for your prompt response, so THANKS! MBRCheck completed without indicating any problems on-screen.

----------------
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000893fd

Kernel Drivers (total 151):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9ED6000 sptd.sys
0xBA5AA000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xB9EBE000 \WINDOWS\System32\Drivers\SPTD2797.SYS
0xB9E90000 ACPI.sys
0xB9E7F000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xBA5AC000 viaide.sys
0xBA328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9E60000 ftdisk.sys
0xBA5AE000 dmload.sys
0xB9E3A000 dmio.sys
0xBA330000 PartMgr.sys
0xBA338000 videX32.sys
0xBA0C8000 VolSnap.sys
0xB9E22000 atapi.sys
0xB9E05000 viamraid.sys
0xB9DED000 \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xB9DCD000 fltmgr.sys
0xB9DBB000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9DA5000 SymSnap.sys
0xB9D8E000 KSecDD.sys
0xB9D01000 Ntfs.sys
0xB9CD4000 NDIS.sys
0xB9C69000 timntr.sys
0xBA340000 viaagp1.sys
0xB9C10000 tdrpman.sys
0xB9BF1000 snapman.sys
0xB9BD7000 Mup.sys
0xB89AA000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xB83E3000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB83CF000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB83A7000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA148000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xBA158000 \SystemRoot\System32\DRIVERS\redbook.sys
0xB8384000 \SystemRoot\System32\DRIVERS\ks.sys
0xBA168000 \SystemRoot\System32\DRIVERS\imapi.sys
0xBA408000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xB8360000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xBA5D4000 \SystemRoot\System32\Drivers\vulfnth.sys
0xBA410000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xBA418000 \SystemRoot\System32\DRIVERS\fdc.sys
0xB834C000 \SystemRoot\System32\DRIVERS\parport.sys
0xBA5D6000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xBA178000 \SystemRoot\System32\DRIVERS\serial.sys
0xB9A9B000 \SystemRoot\System32\DRIVERS\serenum.sys
0xBA188000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xBA420000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xBA428000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xB8302000 \SystemRoot\System32\Drivers\dtscsi.sys
0xBA764000 \SystemRoot\System32\DRIVERS\audstub.sys
0xBA1E8000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xB9A8F000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xB8290000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xBA1F8000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xBA208000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xBA438000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xB827F000 \SystemRoot\System32\DRIVERS\psched.sys
0xBA218000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xBA440000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xBA448000 \SystemRoot\System32\DRIVERS\raspti.sys
0xBA228000 \SystemRoot\System32\Drivers\pcouffin.sys
0xB824F000 \SystemRoot\System32\DRIVERS\rdpdr.sys
0xBA238000 \SystemRoot\System32\DRIVERS\termdd.sys
0xBA5EC000 \SystemRoot\System32\DRIVERS\swenum.sys
0xB81C9000 \SystemRoot\System32\DRIVERS\update.sys
0xB9A73000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xBA248000 \SystemRoot\system32\DRIVERS\AmdLLD.sys
0xBA258000 \SystemRoot\system32\DRIVERS\AmdTools.sys
0xB8198000 \SystemRoot\system32\DRIVERS\TMPassthru.sys
0xBA268000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAC134000 \SystemRoot\system32\drivers\AtiHdmi.sys
0xAC110000 \SystemRoot\system32\drivers\portcls.sys
0xBA2A8000 \SystemRoot\system32\drivers\drmk.sys
0xABCA4000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB9AA7000 \SystemRoot\System32\Drivers\vulfntr.sys
0xBA2C8000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xBA5FC000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xBA460000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xBA5FE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6AB000 \SystemRoot\System32\Drivers\Null.SYS
0xBA600000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA470000 \SystemRoot\System32\drivers\vga.sys
0xBA602000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA604000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA478000 \SystemRoot\System32\DRIVERS\usbprint.sys
0xBA480000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA488000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB823F000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xABBE1000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xABB88000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xBA2E8000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xABAC2000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xABA9A000 \SystemRoot\System32\DRIVERS\netbt.sys
0xBA2F8000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xBA490000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xABA78000 \SystemRoot\System32\drivers\afd.sys
0xBA308000 \SystemRoot\System32\DRIVERS\netbios.sys
0xBA138000 \SystemRoot\System32\Drivers\V2IMount.SYS
0xABA06000 \??\H:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA498000 \??\H:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xAB9DB000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xAB96B000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xB8A2A000 \SystemRoot\System32\Drivers\Fips.SYS
0xB8A1A000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xAB923000 \SystemRoot\System32\Drivers\aswSP.SYS
0xAB8FF000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAB879000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xBA606000 \SystemRoot\system32\drivers\AsIO.sys
0xBA4A8000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xABA4C000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA4B0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA78A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF060000 \SystemRoot\System32\ati2cqag.dll
0xBF130000 \SystemRoot\System32\atikvmag.dll
0xBF1DF000 \SystemRoot\System32\atiok3x2.dll
0xBF256000 \SystemRoot\System32\ati3duag.dll
0xBF9C5000 \SystemRoot\System32\ativvaxx.dll
0xBF62C000 \SystemRoot\System32\ATMFD.DLL
0xA8D5A000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xABB48000 \SystemRoot\system32\DRIVERS\tifsfilt.sys
0xA8D06000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xA8B83000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xA8886000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xBA66C000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA884C000 \SystemRoot\System32\Drivers\SENTINEL.SYS
0xA88F3000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xA86DC000 \SystemRoot\System32\DRIVERS\srv.sys
0xA8963000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA84BF000 \SystemRoot\system32\drivers\wdmaud.sys
0xA87DC000 \SystemRoot\system32\drivers\sysaudio.sys
0xBA3B0000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xA7E88000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xA7D7F000 \SystemRoot\System32\Drivers\HTTP.sys
0xA8C62000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0xA75C2000 \??\h:\temp\uxtdypod.sys
0xA7768000 \SystemRoot\system32\DRIVERS\atl01_xp.sys
0xBA3F0000 \??\h:\temp\mbr.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 54):
0 System Idle Process
4 System
1380 H:\WINDOWS\system32\smss.exe
1436 csrss.exe
1468 H:\WINDOWS\system32\winlogon.exe
1528 H:\WINDOWS\system32\services.exe
1540 H:\WINDOWS\system32\lsass.exe
1732 H:\WINDOWS\system32\ati2evxx.exe
1748 H:\WINDOWS\system32\svchost.exe
1812 svchost.exe
1932 H:\WINDOWS\system32\svchost.exe
552 svchost.exe
644 H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1036 H:\WINDOWS\system32\spoolsv.exe
1180 H:\WINDOWS\system32\ati2evxx.exe
1776 svchost.exe
1908 H:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
2052 H:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
2132 I:\Program Files\Java\jre6\bin\jqs.exe
2172 H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
2280 H:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
2340 H:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
2528 H:\WINDOWS\system32\svchost.exe
2552 H:\Program Files\UGS\UGSLicensing\lmgrd.exe
2604 wdfmgr.exe
2624 H:\Program Files\VIA\RAID\vialogsv.exe
2648 H:\Program Files\UGS\UGSLicensing\lmgrd.exe
2908 H:\WINDOWS\explorer.exe
3004 H:\Program Files\UGS\UGSLicensing\ugslmd.exe
3264 H:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
3556 wmiprvse.exe
3652 H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
3748 alg.exe
976 H:\Program Files\VIA\RAID\raid_tool.exe
2216 H:\Program Files\Alwil Software\Avast5\AvastUI.exe
2224 H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
2244 H:\WINDOWS\system32\ctfmon.exe
2412 H:\Program Files\Microsoft ActiveSync\wcescomm.exe
3452 H:\WINDOWS\system32\svchost.exe
1348 H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
5848 H:\WINDOWS\system32\mmc.exe
4224 H:\WINDOWS\system32\cmd.exe
2828 H:\WINDOWS\system32\ping.exe
2736 svchost.exe
2152 H:\WINDOWS\system32\wscntfy.exe
3036 H:\WINDOWS\notepad.exe
3040 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4884 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1112 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4832 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4216 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
916 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2872 H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
588 H:\Documents and Settings\Deb\Desktop\MBRCheck .exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000000f`003f3000 (NTFS)
\\.\H: --> \\.\PhysicalDrive0 at offset 0x00000014`00541600 (NTFS)
\\.\I: --> \\.\PhysicalDrive0 at offset 0x0000006e`00d13e00 (NTFS)
\\.\M: --> \\.\PhysicalDrive1 at offset 0x00000004`e22d6a00 (NTFS)
\\.\P: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD5000AAKB-00H8A0, Rev: 05.04E05
PhysicalDrive1 Model Number: WDCWD2500JB-00REA0, Rev: 20.00K20
PhysicalDrive2 Model Number: VIASATA RAID 1, Rev:

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
232 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
149 GB \\.\PhysicalDrive2 Legit MBR code detected
SHA1: 317A49A9E93F077F2D004734D2A7B6CA7E7B9495


Done!
 
You can then go ahead and run the online Eset virus scan. Let's see if it finds the Win32/Fruspam.E worm (AKA W32.Ackantta@mm (Symantec), Mal/CryptBox-A (Sophos)) that has hijacked the Host files:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard" (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Avast shields disabled until next boot.

As I prefer Chrome (IE/Flash on this machine tend to be very unstable and crash prone - the primary reason for the use of Chrome on this machine), I downloaded the "esetsmartinstaller_enu.exe" file to my desktop and ran it with the options you indicated; however, as it's scanning all drives in the system, it may take a few hours.

Upon completion, I will send the output of ESET.

In the interim, I'm supplying the following information below. I hope this doesn't violate the "no extra scanning/cleaning" guidelines you give in your first post, but since I'm making no changes, I don't believe I violated that.

I don't know if it's relevant, but I did check my hosts file and found it odd that there were so many entries; however, that may have been from a previous infection as the creation date of the hosts file is 3/28/08 with a modified of 4/14/08.

I didn't see it posted in the logs supplied thus far, but if relevant, this is the contents of the hosts file in its entirety:

 
At around the 90% mark with the downloaded version, the system locked up. I bit the bullet and used the Active X version from IE 8. Avast shields disabled prior to run.

Four items identified. Log as follows:

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=9e79442f8cc1f34781344975555be3a0
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-26 10:51:45
# local_time=2011-02-26 03:51:45 (-0700, US Mountain Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 30819859 30819859 0 0
# compatibility_mode=768 16777215 100 0 30810311 30810311 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=871
# found=0
# cleaned=0
# scan_time=18
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=9e79442f8cc1f34781344975555be3a0
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-26 11:35:55
# local_time=2011-02-26 04:35:55 (-0700, US Mountain Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 30819945 30819945 0 0
# compatibility_mode=768 16777215 100 0 30810397 30810397 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=149446
# found=4
# cleaned=0
# scan_time=2581
H:\Documents and Settings\Deb\My Documents\Downloads\MGtools.exe probably a variant of Win32/TrojanDropper.Agent.FPPWZRZ trojan (unable to clean) 00000000000000000000000000000000 I
H:\WINDOWS\system32\k.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
H:\WINDOWS\system32\drivers\etc\Copy of hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
H:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
 
An update for Avast came in this morning. I scanned the k.dll file reported by ESET, and it identified a threat with a similar designation, Win32:Bamital-AV [Trj].

A new update for MBAM was obtained, and it did not identify a threat.

I took no action.

EDIT: There has been a small change in behavior. Site redirects are happening less frequently; however, search engine results navigation clicks take much longer to load the page (whether correct or redirected) than loading a page from a shortcut or direct typing.
 
Okay, hopefully you have everything in now:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    H:\Documents and Settings\Deb\My Documents\Downloads\MGtools.exe 
    H:\WINDOWS\system32\k.dll 
    H:\WINDOWS\system32\drivers\etc\Copy of hosts 
    H:\WINDOWS\system32\drivers\etc\hosts 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
h:\windows\system32\drivers\atinttxx.sys
DDS::
uInternet Connection Wizard,ShellNext = iexplore
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Hosts: 127.0.0.1 www.avast.com
Hosts: 127.0.0.1 www.avg.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.eset.com
Hosts: 127.0.0.1 www.f-secure.com
Hosts: 127.0.0.1 www.grisoft.com
Hosts: 127.0.0.1 www.kaspersky.com
Hosts: 127.0.0.1 www.mcafee.com
Hosts: 127.0.0.1 www.microsoft.com
Hosts: 127.0.0.1 www.pandasecurity.com
Hosts: 127.0.0.1 www.sophos.com
Hosts: 127.0.0.1 www.symantec.com
Hosts: 127.0.0.1 www.trendmicro.com
Hosts: 127.0.0.1 www.viruslist.com
Hosts: 127.0.0.1 www.virustotal.com
Driver::
TTDec
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Host files: changed by Win32/Fruspam.E, which also creates a mutex called "Tsek3r1W" to ensure that only one instance of itself is running in memory.

P2P or 'file sharing 'Warning:
uTorrent and LimeWire
Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
==========================================
Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
==========================================
Regarding Hosts file:
I didn't see it posted in the logs supplied thus far.
Hijack was noted in DDS log. Reference was made to running Eset to see if it would find a possible cause.
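As an added example (not part of the original thread and not code from ComboFix, DDS or any other tool named here): a small Python audit that flags hosts-file lines which send security-vendor domains to a loopback or unspecified address, the pattern the CFScript above removes, and produces a cleaned copy with only those lines dropped. The vendor list is taken from the 'Hosts:' lines above; the sample hosts content, the internal/ad-domain mappings in it, and the default file path are constructed assumptions for demonstration.

```python
"""Audit a Windows hosts file for entries that blackhole security-vendor domains.

Added example, not part of the original thread or of ComboFix/DDS. The vendor
list is taken from the 'Hosts:' lines in the CFScript above; the sample hosts
content below is constructed for demonstration.
"""
from typing import List, Tuple

# Standard location on a default install (assumed; this thread's machine uses H:\ instead).
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Registered domains of the vendors the CFScript above shows being redirected.
# A name matches if it is the domain itself or any subdomain of it.
SECURITY_VENDOR_DOMAINS = {
    "avast.com", "avg.com", "bitdefender.com", "eset.com", "f-secure.com",
    "grisoft.com", "kaspersky.com", "mcafee.com", "microsoft.com",
    "pandasecurity.com", "sophos.com", "symantec.com", "trendmicro.com",
    "viruslist.com", "virustotal.com",
}

# Addresses that make a name unreachable: loopback or the unspecified address.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

Entry = Tuple[int, str, List[str]]   # (line number, address, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Return the active mapping lines of a hosts file, comments stripped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()      # drop trailing and whole-line comments
        parts = body.split()
        if len(parts) < 2:                       # blank line or malformed entry
            continue
        entries.append((lineno, parts[0], [name.lower() for name in parts[1:]]))
    return entries


def is_vendor_name(hostname: str) -> bool:
    """True if hostname is a security-vendor domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in SECURITY_VENDOR_DOMAINS)


def find_hijacked(text: str) -> List[Tuple[int, str, str]]:
    """List (line number, address, hostname) for vendor names sent to a blackhole address."""
    hits = []
    for lineno, address, names in parse_hosts(text):
        if address not in BLACKHOLE_ADDRESSES:
            continue                             # a routable address is not a blackhole
        hits.extend((lineno, address, n) for n in names if is_vendor_name(n))
    return hits


def clean_hosts(text: str) -> str:
    """Return the hosts text with hijacking lines removed; all other lines are kept verbatim."""
    bad_lines = {lineno for lineno, _, _ in find_hijacked(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), start=1)
            if lineno not in bad_lines]
    return "\n".join(kept) + "\n"


def audit_file(path: str = DEFAULT_HOSTS_PATH) -> List[Tuple[int, str, str]]:
    """Read-only audit of a hosts file on disk; same result shape as find_hijacked."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacked(fh.read())


# Constructed sample: the default header, the normal localhost entry, three
# vendor redirects like the ones in the CFScript, and two unrelated mappings.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "127.0.0.1       localhost",
    "127.0.0.1 www.avast.com",
    "127.0.0.1 www.kaspersky.com",
    "127.0.0.1 update.microsoft.com   # subdomain of a vendor domain, still matched",
    "192.168.1.10 intranet.example    # constructed internal mapping, kept",
    "0.0.0.0 ads.example.net          # blackholed but not a vendor, kept",
])


if __name__ == "__main__":
    for lineno, address, name in find_hijacked(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {address} (security vendor blackholed)")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it as-is to see the three flagged lines from the constructed sample; `audit_file()` reads a real hosts file without modifying it, so the cleaned text from `clean_hosts` is only written back by you, after the flagged lines have been reviewed. Matching on the registered domain rather than the exact `www.` name is deliberate: a redirect of an update or download subdomain blocks the vendor just as effectively.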
 
Sorry for the delay. Your post caught me en route from work to home. It took a while to run the indicated steps, and I've been having connection issues with TechSpot (ping indicates notable and inconsistent packet loss).

========================================================

OTM ran seemingly without incident, and it required a reboot.

========================================================

CFScript.txt seemed to work. I dragged and dropped it onto the existing Combofix on my desktop (you did not indicate to download a fresh copy). When Combofix ran, it announced an update; I updated, and Combofix restarted. It continued until it announced that a reboot was necessary and that I should not attempt to restart manually.

I waited approximately 20 minutes after the screen appeared. Hard drive activity was negligible with a very dim flicker no more frequent than about once per ten seconds.

I attempted a manual reboot. No response.
I attempted h:\windows\shutdown.exe -t 0. No response.
Ctrl-Alt-Del functionality was gone, but I could still run cmd.exe from Start->Run.

I restarted the computer with a press of the reset button.

Combofix ran upon restart, and it generated a log. That log is attached below.

========================================================

Thank you for the cautions concerning p2p sharing. I am aware of them; however, even the best of us suffer from the careless click from time to time. At least that's what I tell myself when I'm trying to fall asleep at night.

========================================================

Java 6 update 17 uninstalled.

Java 6 update 24 installed.

========================================================

My comments concerning the hosts file were more aimed at the fact that the logs reported thus far indicated a much shorter list.

I believe I have executed all requested actions and supplied all requested logs.

THERE IS NO IMPROVEMENT IN THE SITUATION. REDIRECTS STILL OCCUR, AND ARE RELATIVELY SLOW TO CONNECT.

Since the c:\windows\system32\k.dll file was identified by ESET as a virus (and now Avast), I right-click scanned k.dll by itself from Windows Explorer, and it still reports the same virus. I took no action.

Thanks for all your help so far!

========================================================

ComboFix 11-02-28.02 - Steve 02/28/2011 19:57:00.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1548 [GMT -7:00]
Running from: h:\documents and settings\Deb\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\Deb\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"h:\windows\system32\drivers\atinttxx.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of h:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - h:\windows\system32\winlogon.ex_

h:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TTDEC
-------\Service_TTDec


((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
.

2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
2011-03-01 03:29 . 2010-06-29 17:48 355056 ----a-w- h:\temp\SSUPDATE.EXE
2011-03-01 01:42 . 2011-03-01 01:42 -------- d-----w- H:\_OTM
2011-02-28 15:29 . 2008-04-14 12:42 3584 ----a-w- h:\windows\system32\k.dll
2011-02-27 23:35 . 2008-04-14 00:12 507904 ----a-w- h:\windows\system32\winlogon.ex_
2011-02-27 23:35 . 2008-04-14 00:12 1033728 ----a-w- h:\windows\explorer.ex_
2011-02-27 19:19 . 2011-02-27 19:19 33019 ----a-w- h:\windows\system32\CoreAAC-uninstall.exe
2011-02-27 19:18 . 2009-08-12 04:18 497664 ----a-w- h:\windows\system32\ac3filter.acm
2011-02-27 18:32 . 2011-02-27 20:28 -------- d-----w- H:\Temple
2011-02-27 18:29 . 2011-02-27 18:42 -------- d-----w- h:\program files\Avi2Dvd
2011-02-27 16:02 . 2011-02-27 16:02 -------- d-----w- H:\MGtools
2011-02-26 19:30 . 2011-02-26 19:30 -------- d-----w- h:\program files\ESET
2011-02-26 16:14 . 2011-02-23 14:56 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2011-02-26 15:52 . 2011-02-26 15:52 -------- d-----w- h:\windows\system32\wbem\Repository
2011-02-26 15:50 . 2011-02-26 15:50 -------- d-----w- h:\program files\EVE Metrics Uploader
2011-02-25 07:53 . 2011-02-25 07:53 -------- d-----w- h:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-02-25 04:37 . 2011-02-25 04:37 -------- d-----w- h:\documents and settings\Deb\Application Data\Malwarebytes
2011-02-25 04:26 . 2010-12-21 01:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2011-02-25 04:26 . 2011-02-25 04:26 -------- d-----w- h:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-02-25 04:26 . 2011-02-26 16:12 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2011-02-25 04:26 . 2010-12-21 01:08 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
2011-02-19 13:01 . 2011-02-19 13:01 -------- d-----w- h:\program files\Microsoft.NET
2011-02-18 07:02 . 2011-02-18 07:02 -------- d-----w- H:\AutoCad
2011-02-10 01:10 . 2011-02-10 01:10 1716297 ----a-w- h:\windows\system32\InetClnt.dll
2011-01-31 04:58 . 2011-01-31 04:58 -------- d-----w- h:\program files\Rhinoceros 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-27 16:02 . 2011-02-27 16:02 33949 ----a-w- H:\MGlogs.zip
2011-02-23 15:04 . 2010-08-02 15:01 40648 ----a-w- h:\windows\avastSS.scr
2011-02-23 15:04 . 2010-08-02 15:01 190016 ----a-w- h:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2010-08-02 15:02 301528 ----a-w- h:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-08-02 15:02 49240 ----a-w- h:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-08-02 15:02 102232 ----a-w- h:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-08-02 15:02 96344 ----a-w- h:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-08-02 15:02 25432 ----a-w- h:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-08-02 15:02 30680 ----a-w- h:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-08-02 15:02 19544 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
2011-02-10 01:10 . 2011-02-10 01:10 12 ----a-w- h:\windows\Fonts\wfonts.key
2011-01-21 14:44 . 2008-03-29 04:35 439296 ----a-w- h:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-03-28 09:10 290048 ----a-w- h:\windows\system32\atmfd.dll
2011-01-05 03:34 . 2009-03-16 21:33 5656576 ----a-w- h:\windows\system32\drivers\ati2mtag.sys
2011-01-05 03:13 . 2009-03-16 19:35 57344 ----a-w- h:\windows\system32\aticalrt.dll
2011-01-05 03:12 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\aticalcl.dll
2011-01-05 03:11 . 2009-03-16 19:33 4489216 ----a-w- h:\windows\system32\aticaldd.dll
2011-01-05 03:11 . 2009-03-16 20:04 17084416 ----a-w- h:\windows\system32\atioglxx.dll
2011-01-05 03:00 . 2009-03-16 20:27 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
2011-01-05 02:59 . 2009-03-16 20:26 302080 ----a-w- h:\windows\system32\ati2dvag.dll
2011-01-05 02:53 . 2009-03-16 20:17 311296 ----a-w- h:\windows\system32\atiiiexx.dll
2011-01-05 02:53 . 2009-03-16 20:06 4021984 ----a-w- h:\windows\system32\ati3duag.dll
2011-01-05 02:46 . 2011-01-27 04:52 1112576 ----a-w- h:\windows\system32\ativvamv.dll
2011-01-05 02:39 . 2009-03-16 20:17 212992 ----a-w- h:\windows\system32\atipdlxx.dll
2011-01-05 02:39 . 2009-03-16 20:16 155648 ----a-w- h:\windows\system32\Oemdspif.dll
2011-01-05 02:39 . 2009-03-16 20:16 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
2011-01-05 02:39 . 2009-03-16 20:16 43520 ----a-w- h:\windows\system32\ati2edxx.dll
2011-01-05 02:39 . 2009-03-16 20:16 188416 ----a-w- h:\windows\system32\ati2evxx.dll
2011-01-05 02:37 . 2009-03-16 20:15 638976 ----a-w- h:\windows\system32\ati2evxx.exe
2011-01-05 02:36 . 2009-03-16 19:53 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
2011-01-05 02:36 . 2009-03-16 20:13 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
2011-01-05 02:35 . 2010-04-10 04:02 143360 ----a-w- h:\windows\system32\atiapfxx.exe
2011-01-05 02:31 . 2009-03-16 19:36 651264 ----a-w- h:\windows\system32\atikvmag.dll
2011-01-05 02:29 . 2009-03-16 19:35 196608 ----a-w- h:\windows\system32\atiadlxx.dll
2011-01-05 02:28 . 2009-03-16 19:34 17408 ----a-w- h:\windows\system32\atitvo32.dll
2011-01-05 02:28 . 2009-03-16 19:35 471040 ----a-w- h:\windows\system32\atiok3x2.dll
2011-01-05 02:22 . 2009-03-16 19:28 851968 ----a-w- h:\windows\system32\ati2cqag.dll
2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\atimpc32.dll
2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\amdpcom32.dll
2011-01-05 02:19 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\drivers\ati2erec.dll
2010-12-31 13:10 . 2008-03-28 09:11 1854976 ----a-w- h:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-03-29 04:36 301568 ----a-w- h:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-03-29 04:35 916480 ----a-w- h:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-03-29 04:36 1469440 ------w- h:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2008-03-29 04:36 43520 ----a-w- h:\windows\system32\licmgr10.dll
2010-12-20 17:26 . 2008-03-28 09:10 730112 ----a-w- h:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-03-29 05:44 385024 ----a-w- h:\windows\system32\html.iec
2010-12-09 15:15 . 2008-03-28 09:10 718336 ----a-w- h:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-03-28 09:10 33280 ----a-w- h:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-03-28 09:10 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2001-08-17 13:48 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
2010-12-07 19:14 . 2010-12-07 19:14 51200 ----a-w- h:\windows\system32\OpenCL.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 82753CED43E9FB7CA8E81F2089FFF07B . 507904 . . [5.1.2600.5512] . . h:\windows\system32\winlogon.exe

[-] 2008-04-14 . E99BE788FBEE60C53F47F1F8CEA2C926 . 1033728 . . [6.00.2900.5512] . . h:\windows\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2011-02-28_01.11.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-29 04:35 . 2008-04-14 12:42 65024 h:\windows\system32\dllcache\shimeng.dll
+ 2008-03-28 09:11 . 2008-04-14 12:42 64000 h:\windows\system32\dllcache\samlib.dll
+ 2008-03-29 04:35 . 2009-10-12 13:38 79872 h:\windows\system32\dllcache\raschap.dll
- 2009-10-12 13:38 . 2009-10-12 13:38 79872 h:\windows\system32\dllcache\raschap.dll
+ 2008-05-15 13:27 . 2008-04-14 12:42 76800 h:\windows\system32\dllcache\qutil.dll
+ 2008-03-28 09:11 . 2008-04-14 12:42 34304 h:\windows\system32\dllcache\pstorsvc.dll
+ 2008-03-28 09:11 . 2008-04-14 07:26 69120 h:\windows\system32\dllcache\psched.sys
+ 2008-03-29 04:35 . 2008-04-14 12:42 96768 h:\windows\system32\dllcache\psbase.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 23040 h:\windows\system32\dllcache\psapi.dll
+ 2008-03-28 09:11 . 2008-04-14 12:42 27648 h:\windows\system32\dllcache\profmap.dll
+ 2001-08-17 13:48 . 2008-04-14 07:01 35840 h:\windows\system32\dllcache\processr.sys
+ 2008-03-28 09:11 . 2008-04-14 12:42 17408 h:\windows\system32\dllcache\powrprof.dll
- 2009-03-08 11:31 . 2009-03-08 11:31 46592 h:\windows\system32\dllcache\pngfilt.dll
+ 2008-03-29 04:35 . 2009-03-08 11:31 46592 h:\windows\system32\dllcache\pngfilt.dll
+ 2001-08-17 22:36 . 2008-04-14 12:42 15360 h:\windows\system32\dllcache\pjlmon.dll
+ 2008-03-28 09:11 . 2008-04-14 12:42 25088 h:\windows\system32\dllcache\perfos.dll
+ 2008-03-28 09:11 . 2008-04-14 12:42 26624 h:\windows\system32\dllcache\perfdisk.dll
+ 2001-08-17 13:51 . 2008-04-14 07:10 24960 h:\windows\system32\dllcache\pciidex.sys
+ 2001-08-17 13:58 . 2008-04-14 07:06 68224 h:\windows\system32\dllcache\pci.sys
+ 2008-03-29 04:36 . 2008-04-14 12:42 38400 h:\windows\system32\dllcache\pchsvc.dll
+ 2008-03-28 09:10 . 2008-04-14 07:10 19712 h:\windows\system32\dllcache\partmgr.sys
+ 2001-08-17 13:50 . 2008-04-14 07:10 80128 h:\windows\system32\dllcache\parport.sys
+ 2001-08-17 13:48 . 2008-04-14 07:01 42752 h:\windows\system32\dllcache\p3.sys
+ 2008-03-28 09:11 . 2008-04-14 12:42 67584 h:\windows\system32\dllcache\osuninst.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 84992 h:\windows\system32\dllcache\olepro32.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 37376 h:\windows\system32\dllcache\olecnv32.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 74752 h:\windows\system32\dllcache\olecli32.dll
+ 2008-03-28 09:10 . 2008-04-14 05:56 94208 h:\windows\system32\dllcache\odbcint.dll
+ 2008-03-28 09:10 . 2008-04-14 07:26 88320 h:\windows\system32\dllcache\nwlnkipx.sys
+ 2008-03-29 04:35 . 2008-04-14 12:42 44032 h:\windows\system32\dllcache\ntlanman.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 67072 h:\windows\system32\dllcache\ntdsapi.dll
+ 2008-03-28 09:10 . 2008-04-14 07:02 30848 h:\windows\system32\dllcache\npfs.sys
+ 2008-03-28 09:10 . 2008-04-14 07:23 40320 h:\windows\system32\dllcache\nmnt.sys
+ 2001-08-17 13:24 . 2001-08-23 05:00 12032 h:\windows\system32\dllcache\nikedrv.sys
+ 2001-08-17 13:46 . 2008-04-14 07:21 61824 h:\windows\system32\dllcache\nic1394.sys
+ 2008-03-28 09:10 . 2008-04-14 12:42 80896 h:\windows\system32\dllcache\netui0.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 11776 h:\windows\system32\dllcache\netrap.dll
+ 2008-03-28 09:10 . 2008-04-14 07:26 34688 h:\windows\system32\dllcache\netbios.sys
+ 2008-03-28 09:10 . 2010-11-02 15:17 40960 h:\windows\system32\dllcache\ndproxy.sys
- 2010-12-16 01:12 . 2010-11-02 15:17 40960 h:\windows\system32\dllcache\ndproxy.sys
+ 2008-03-28 09:10 . 2008-04-14 07:50 91520 h:\windows\system32\dllcache\ndiswan.sys
+ 2001-08-17 13:53 . 2008-04-14 07:26 14592 h:\windows\system32\dllcache\ndisuio.sys
+ 2008-03-28 09:10 . 2008-04-14 07:27 10112 h:\windows\system32\dllcache\ndistapi.sys
+ 2008-10-10 06:23 . 2008-04-14 07:16 10880 h:\windows\system32\dllcache\ndisip.sys
+ 2008-03-28 09:10 . 2008-04-14 12:42 17920 h:\windows\system32\dllcache\nddeapi.dll
+ 2008-03-29 04:36 . 2008-04-14 12:42 47104 h:\windows\system32\dllcache\ncprov.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 36352 h:\windows\system32\dllcache\ncobjapi.dll
+ 2008-10-10 06:23 . 2008-04-14 07:16 85248 h:\windows\system32\dllcache\nabtsfec.sys
+ 2008-03-29 04:36 . 2008-04-14 07:13 12672 h:\windows\system32\dllcache\mutohpen.sys
- 2008-06-12 14:23 . 2008-06-12 14:23 66560 h:\windows\system32\dllcache\mtxclu.dll
+ 2008-03-28 09:10 . 2008-06-12 14:23 66560 h:\windows\system32\dllcache\mtxclu.dll
+ 2008-03-29 05:44 . 2008-04-14 07:06 15488 h:\windows\system32\dllcache\mssmbios.sys
+ 2008-03-28 09:10 . 2008-04-14 04:53 48128 h:\windows\system32\dllcache\msprivs.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 29696 h:\windows\system32\dllcache\mspatcha.dll
+ 2008-03-28 09:10 . 2008-04-14 07:26 35072 h:\windows\system32\dllcache\msgpc.sys
+ 2008-03-28 09:10 . 2008-04-14 07:02 19072 h:\windows\system32\dllcache\msfs.sys
+ 2008-03-28 09:10 . 2008-04-14 12:42 14336 h:\windows\system32\dllcache\msdmo.dll
- 2008-06-24 16:43 . 2008-06-24 16:43 74240 h:\windows\system32\dllcache\mscms.dll
+ 2008-03-29 04:35 . 2008-06-24 16:43 74240 h:\windows\system32\dllcache\mscms.dll
- 2009-09-04 21:03 . 2009-09-04 21:03 58880 h:\windows\system32\dllcache\msasn1.dll
+ 2008-03-28 09:10 . 2009-09-04 21:03 58880 h:\windows\system32\dllcache\msasn1.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 71680 h:\windows\system32\dllcache\msacm32.dll
+ 2008-03-29 04:36 . 2008-04-14 07:09 92544 h:\windows\system32\dllcache\mqac.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 87040 h:\windows\system32\dllcache\mprapi.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 59904 h:\windows\system32\dllcache\mpr.dll
+ 2008-03-28 09:10 . 2008-04-14 07:09 42368 h:\windows\system32\dllcache\mountmgr.sys
+ 2001-08-17 13:47 . 2008-04-14 07:09 23040 h:\windows\system32\dllcache\mouclass.sys
+ 2001-08-17 13:57 . 2008-04-14 07:30 30080 h:\windows\system32\dllcache\modem.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 18944 h:\windows\system32\dllcache\midimap.dll
+ 2001-08-17 13:58 . 2008-04-14 07:06 63744 h:\windows\system32\dllcache\mf.sys
+ 2008-03-28 09:10 . 2008-04-14 12:42 13312 h:\windows\system32\dllcache\lsass.exe
+ 2008-03-28 09:10 . 2008-04-14 12:41 13824 h:\windows\system32\dllcache\lmhsvc.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 19968 h:\windows\system32\dllcache\linkinfo.dll
+ 2001-08-17 13:47 . 2008-04-14 07:09 24576 h:\windows\system32\dllcache\kbdclass.sys
+ 2008-03-28 09:10 . 2010-12-20 23:59 25600 h:\windows\system32\dllcache\jsproxy.dll
- 2009-03-08 11:33 . 2010-12-20 23:59 25600 h:\windows\system32\dllcache\jsproxy.dll
+ 2008-03-29 05:21 . 2008-04-14 07:06 37248 h:\windows\system32\dllcache\isapnp.sys
+ 2008-03-28 21:03 . 2008-04-14 07:24 11264 h:\windows\system32\dllcache\irenum.sys
+ 2008-03-29 04:36 . 2008-04-14 07:15 46592 h:\windows\system32\dllcache\irbus.sys
+ 2008-03-28 09:10 . 2008-04-14 07:49 75264 h:\windows\system32\dllcache\ipsec.sys
+ 2008-03-28 09:10 . 2008-04-14 07:27 20864 h:\windows\system32\dllcache\ipinip.sys
+ 2008-03-29 04:36 . 2008-04-14 12:41 94720 h:\windows\system32\dllcache\iphlpapi.dll
+ 2008-03-29 05:44 . 2008-04-14 07:23 36608 h:\windows\system32\dllcache\ip6fw.sys
+ 2008-03-29 05:44 . 2008-04-14 07:01 36352 h:\windows\system32\dllcache\intelppm.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 75264 h:\windows\system32\dllcache\inetpp.dll
- 2009-03-08 11:31 . 2009-03-08 11:31 34816 h:\windows\system32\dllcache\imgutil.dll
+ 2008-03-29 04:36 . 2009-03-08 11:31 34816 h:\windows\system32\dllcache\imgutil.dll
+ 2008-03-28 09:10 . 2008-04-14 07:11 42112 h:\windows\system32\dllcache\imapi.sys
+ 2008-03-29 04:36 . 2008-04-14 12:41 11264 h:\windows\system32\dllcache\icaapi.dll
+ 2001-08-17 22:24 . 2008-04-14 07:48 52480 h:\windows\system32\dllcache\i8042prt.sys
- 2009-10-21 05:38 . 2009-10-21 05:38 25088 h:\windows\system32\dllcache\httpapi.dll
+ 2008-03-29 05:44 . 2009-10-21 05:38 25088 h:\windows\system32\dllcache\httpapi.dll
+ 2001-08-17 14:02 . 2008-04-14 07:15 10368 h:\windows\system32\dllcache\hidusb.sys
+ 2001-08-17 14:02 . 2008-04-14 07:15 24960 h:\windows\system32\dllcache\hidparse.sys
+ 2008-03-29 04:36 . 2008-04-14 07:15 19200 h:\windows\system32\dllcache\hidir.sys
+ 2001-08-17 14:02 . 2008-04-14 07:15 36864 h:\windows\system32\dllcache\hidclass.sys
+ 2008-03-29 05:44 . 2008-04-14 07:16 25600 h:\windows\system32\dllcache\hidbth.sys
+ 2008-03-28 21:05 . 2008-04-14 07:06 20352 h:\windows\system32\dllcache\hidbatt.sys
+ 2001-08-17 22:36 . 2008-04-14 12:41 20992 h:\windows\system32\dllcache\hid.dll
+ 2008-03-29 05:44 . 2008-04-14 07:06 46464 h:\windows\system32\dllcache\gagp30kx.sys
+ 2001-08-17 13:57 . 2001-08-23 05:00 12160 h:\windows\system32\dllcache\fsvga.sys
+ 2001-08-17 13:51 . 2008-04-14 07:10 20480 h:\windows\system32\dllcache\flpydisk.sys
+ 2008-03-28 09:10 . 2008-04-14 07:03 44544 h:\windows\system32\dllcache\fips.sys
+ 2001-08-17 13:51 . 2008-04-14 07:10 27392 h:\windows\system32\dllcache\fdc.sys
+ 2008-03-29 04:36 . 2008-04-14 12:41 80384 h:\windows\system32\dllcache\faultrep.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 56320 h:\windows\system32\dllcache\eventlog.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 23040 h:\windows\system32\dllcache\ersvc.dll
+ 2008-05-15 13:27 . 2008-04-14 12:41 40960 h:\windows\system32\dllcache\eappprxy.dll
+ 2008-05-15 13:27 . 2008-04-14 12:41 30720 h:\windows\system32\dllcache\eapolqec.dll
+ 2008-03-28 09:10 . 2008-04-14 07:08 71168 h:\windows\system32\dllcache\dxg.sys
+ 2008-03-28 09:11 . 2008-04-14 12:41 14336 h:\windows\system32\dllcache\drprov.dll
+ 2008-03-29 04:42 . 2008-04-14 07:15 60160 h:\windows\system32\dllcache\drmk.sys
+ 2008-05-15 13:27 . 2008-04-14 12:41 26112 h:\windows\system32\dllcache\dot3api.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 45568 h:\windows\system32\dllcache\dnsrslvr.dll
+ 2008-03-29 04:42 . 2008-04-14 07:15 52864 h:\windows\system32\dllcache\dmusic.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 23552 h:\windows\system32\dllcache\dmserver.dll
+ 2008-03-28 09:10 . 2008-04-14 07:10 14208 h:\windows\system32\dllcache\diskdump.sys
+ 2001-08-17 13:52 . 2008-04-14 07:10 36352 h:\windows\system32\dllcache\disk.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 59904 h:\windows\system32\dllcache\devenum.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 27136 h:\windows\system32\dllcache\ddrawex.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 25088 h:\windows\system32\dllcache\davclnt.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 54272 h:\windows\system32\dllcache\dataclen.dll
- 2009-12-14 07:08 . 2010-12-09 14:30 33280 h:\windows\system32\dllcache\csrsrv.dll
+ 2008-03-28 09:10 . 2010-12-09 14:30 33280 h:\windows\system32\dllcache\csrsrv.dll
+ 2001-08-17 13:48 . 2008-04-14 07:01 36736 h:\windows\system32\dllcache\crusoe.sys
+ 2001-08-17 13:24 . 2001-08-23 05:00 11776 h:\windows\system32\dllcache\cpqdap01.sys
+ 2008-03-28 21:05 . 2008-04-14 07:06 10240 h:\windows\system32\dllcache\compbatt.sys
+ 2008-03-29 04:06 . 2008-04-14 12:41 60416 h:\windows\system32\dllcache\colbact.dll
+ 2001-08-17 22:36 . 2008-04-14 12:41 47104 h:\windows\system32\dllcache\cnbjmon.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 58368 h:\windows\system32\dllcache\clusapi.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 64000 h:\windows\system32\dllcache\cleanmgr.exe
+ 2008-03-28 09:10 . 2008-04-14 07:46 49536 h:\windows\system32\dllcache\classpnp.sys
+ 2008-03-29 05:44 . 2008-04-14 12:41 15423 h:\windows\system32\dllcache\ch7xxnt5.dll
+ 2001-08-17 13:52 . 2008-04-14 07:10 62976 h:\windows\system32\dllcache\cdrom.sys
+ 2008-03-28 09:10 . 2008-04-14 07:44 63744 h:\windows\system32\dllcache\cdfs.sys
+ 2001-08-17 13:52 . 2001-08-23 05:00 18688 h:\windows\system32\dllcache\cdaudio.sys
+ 2008-10-10 06:23 . 2008-04-14 07:16 17024 h:\windows\system32\dllcache\ccdecode.sys
+ 2001-08-17 13:52 . 2001-08-23 05:00 13952 h:\windows\system32\dllcache\cbidf2k.sys
+ 2002-08-29 10:40 . 2008-04-14 12:41 60416 h:\windows\system32\dllcache\cabinet.dll
+ 2008-03-29 05:44 . 2008-04-14 07:16 18944 h:\windows\system32\dllcache\bthusb.sys
+ 2008-03-29 05:44 . 2008-04-14 07:16 36480 h:\windows\system32\dllcache\bthprint.sys
+ 2008-03-29 05:44 . 2008-04-14 07:16 37888 h:\windows\system32\dllcache\bthmodem.sys
+ 2008-03-29 05:44 . 2008-04-14 07:16 17024 h:\windows\system32\dllcache\bthenum.sys
+ 2008-03-29 04:36 . 2008-04-14 12:41 77824 h:\windows\system32\dllcache\browser.dll
+ 2008-03-29 04:36 . 2008-04-14 05:33 63488 h:\windows\system32\dllcache\browselc.dll
+ 2008-03-28 09:10 . 2008-04-14 07:23 71552 h:\windows\system32\dllcache\bridge.sys
+ 2008-03-28 21:05 . 2008-04-14 07:06 14208 h:\windows\system32\dllcache\battc.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 29184 h:\windows\system32\dllcache\batmeter.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 52736 h:\windows\system32\dllcache\basesrv.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 62464 h:\windows\system32\dllcache\authz.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 42496 h:\windows\system32\dllcache\audiosrv.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 17279 h:\windows\system32\dllcache\atv10nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 14143 h:\windows\system32\dllcache\atv06nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 25471 h:\windows\system32\dllcache\atv04nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 11359 h:\windows\system32\dllcache\atv02nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 21183 h:\windows\system32\dllcache\atv01nt5.dll
+ 2008-03-28 09:10 . 2008-04-14 07:21 55808 h:\windows\system32\dllcache\atmlane.sys
+ 2008-03-28 09:10 . 2008-04-14 07:21 59904 h:\windows\system32\dllcache\atmarpc.sys
+ 2008-03-29 04:36 . 2009-07-17 19:01 58880 h:\windows\system32\dllcache\atl.dll
- 2009-07-17 19:01 . 2009-07-17 19:01 58880 h:\windows\system32\dllcache\atl.dll
+ 2001-08-17 13:51 . 2008-04-14 07:10 96512 h:\windows\system32\dllcache\atapi.sys
+ 2008-03-28 09:10 . 2008-04-14 07:27 14336 h:\windows\system32\dllcache\asyncmac.sys
+ 2001-08-17 13:46 . 2008-04-14 07:21 60800 h:\windows\system32\dllcache\arp1394.sys
+ 2002-08-29 08:05 . 2008-04-14 07:01 37760 h:\windows\system32\dllcache\amdk7.sys
+ 2001-08-17 13:48 . 2008-04-14 07:01 37376 h:\windows\system32\dllcache\amdk6.sys
+ 2008-03-29 05:44 . 2008-04-14 07:06 43008 h:\windows\system32\dllcache\amdagp.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 17408 h:\windows\system32\dllcache\alrsvc.dll
+ 2008-03-29 05:44 . 2008-04-14 07:06 42752 h:\windows\system32\dllcache\alim1541.sys
+ 2008-03-29 04:36 . 2008-04-14 12:42 44544 h:\windows\system32\dllcache\alg.exe
+ 2008-03-29 05:44 . 2008-04-14 07:06 44928 h:\windows\system32\dllcache\agpcpq.sys
+ 2008-03-29 05:44 . 2008-04-14 07:06 42368 h:\windows\system32\dllcache\agp440.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 98304 h:\windows\system32\dllcache\actxprxy.dll
+ 2001-08-17 13:57 . 2001-08-23 05:00 11648 h:\windows\system32\dllcache\acpiec.sys
+ 2008-03-28 09:11 . 2008-04-14 12:42 5120 h:\windows\system32\dllcache\sfc.dll
+ 2008-03-28 09:11 . 2008-04-14 12:42 7680 h:\windows\system32\dllcache\rasadhlp.dll
+ 2001-08-17 13:57 . 2001-08-23 05:00 3456 h:\windows\system32\dllcache\oprghdlr.sys
+ 2008-03-28 09:10 . 2008-04-14 12:42 8192 h:\windows\system32\dllcache\ntlsapi.dll
+ 2008-10-10 06:23 . 2008-04-14 07:09 5504 h:\windows\system32\dllcache\mstee.sys
+ 2008-03-29 04:42 . 2008-04-14 07:09 4992 h:\windows\system32\dllcache\mspqm.sys
+ 2008-03-29 04:42 . 2008-04-14 07:09 5376 h:\windows\system32\dllcache\mspclock.sys
+ 2008-03-29 04:42 . 2008-04-14 07:09 7552 h:\windows\system32\dllcache\mskssrv.sys
+ 2008-03-29 04:35 . 2008-04-14 12:42 4608 h:\windows\system32\dllcache\msimg32.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 6656 h:\windows\system32\dllcache\msidle.dll
+ 2008-03-29 04:42 . 2008-04-14 12:41 4096 h:\windows\system32\dllcache\ksuser.dll
+ 2008-03-29 04:42 . 2008-04-14 07:15 2944 h:\windows\system32\dllcache\drmkaud.sys
+ 2008-05-15 13:27 . 2008-04-14 12:41 9216 h:\windows\system32\dllcache\dot3dlg.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 8704 h:\windows\system32\dllcache\dciman32.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 6144 h:\windows\system32\dllcache\csrss.exe
+ 2008-03-28 21:05 . 2001-08-17 13:59 3072 h:\windows\system32\dllcache\audstub.sys
+ 2008-03-29 05:44 . 2008-04-14 12:41 3775 h:\windows\system32\dllcache\adv11nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 3711 h:\windows\system32\dllcache\adv09nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 3135 h:\windows\system32\dllcache\adv08nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 3647 h:\windows\system32\dllcache\adv07nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 3615 h:\windows\system32\dllcache\adv05nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 3967 h:\windows\system32\dllcache\adv02nt5.dll
+ 2008-03-29 05:44 . 2008-04-14 12:41 4255 h:\windows\system32\dllcache\adv01nt5.dll
+ 2008-03-28 09:11 . 2009-12-24 06:59 177664 h:\windows\system32\dllcache\wintrust.dll
- 2009-12-24 06:59 . 2009-12-24 06:59 177664 h:\windows\system32\dllcache\wintrust.dll
- 2008-04-21 06:44 . 2010-12-20 23:59 916480 h:\windows\system32\dllcache\wininet.dll
+ 2008-03-29 04:35 . 2010-12-20 23:59 916480 h:\windows\system32\dllcache\wininet.dll
+ 2008-03-29 04:35 . 2009-03-08 11:34 105984 h:\windows\system32\dllcache\url.dll
- 2009-03-08 11:34 . 2009-03-08 11:34 105984 h:\windows\system32\dllcache\url.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 123392 h:\windows\system32\dllcache\umpnpmgr.dll
+ 2008-03-28 09:11 . 2008-04-14 12:42 985088 h:\windows\system32\dllcache\setupapi.dll
- 2008-12-05 06:54 . 2010-06-30 12:31 149504 h:\windows\system32\dllcache\schannel.dll
+ 2008-03-28 09:11 . 2010-06-30 12:31 149504 h:\windows\system32\dllcache\schannel.dll
+ 2008-03-28 09:11 . 2008-04-14 12:42 415744 h:\windows\system32\dllcache\samsrv.dll
+ 2008-03-29 04:35 . 2008-04-14 06:07 208384 h:\windows\system32\dllcache\rsaenh.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 433664 h:\windows\system32\dllcache\riched20.dll
+ 2008-03-28 09:11 . 2008-04-14 12:42 237056 h:\windows\system32\dllcache\rasapi32.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 409088 h:\windows\system32\dllcache\qmgr.dll
+ 2008-03-29 04:42 . 2008-04-14 07:49 146048 h:\windows\system32\dllcache\portcls.sys
+ 2001-08-17 13:58 . 2008-04-14 07:06 120192 h:\windows\system32\dllcache\pcmcia.sys
+ 2008-03-29 04:35 . 2008-04-14 12:42 713728 h:\windows\system32\dllcache\opengl32.dll
+ 2008-05-15 13:27 . 2008-04-14 12:42 144384 h:\windows\system32\dllcache\onex.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 122880 h:\windows\system32\dllcache\oledlg.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 551936 h:\windows\system32\dllcache\oleaut32.dll
- 2010-11-09 14:52 . 2010-11-09 14:52 249856 h:\windows\system32\dllcache\odbc32.dll
+ 2008-03-29 04:35 . 2010-11-09 14:52 249856 h:\windows\system32\dllcache\odbc32.dll
+ 2008-03-28 09:10 . 2010-12-20 23:59 206848 h:\windows\system32\dllcache\occache.dll
- 2009-03-08 11:34 . 2010-12-20 23:59 206848 h:\windows\system32\dllcache\occache.dll
+ 2008-03-29 04:35 . 2009-10-13 10:30 270336 h:\windows\system32\dllcache\oakley.dll
- 2009-10-13 10:30 . 2009-10-13 10:30 270336 h:\windows\system32\dllcache\oakley.dll
+ 2008-03-29 04:36 . 2008-04-14 07:04 163584 h:\windows\system32\dllcache\nwrdr.sys
+ 2008-03-29 04:35 . 2008-04-14 12:42 143360 h:\windows\system32\dllcache\ntshrui.dll
+ 2008-03-29 05:44 . 2004-08-04 05:41 180360 h:\windows\system32\dllcache\ntmtlfax.sys
+ 2008-03-29 04:35 . 2008-04-14 12:42 118784 h:\windows\system32\dllcache\ntmarta.dll
+ 2008-03-28 09:10 . 2008-04-14 07:45 574976 h:\windows\system32\dllcache\ntfs.sys
+ 2008-03-28 09:10 . 2010-12-09 15:15 718336 h:\windows\system32\dllcache\ntdll.dll
- 2009-04-16 00:49 . 2010-12-09 15:15 718336 h:\windows\system32\dllcache\ntdll.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 245760 h:\windows\system32\dllcache\netui1.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 198144 h:\windows\system32\dllcache\netman.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 407040 h:\windows\system32\dllcache\netlogon.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 622592 h:\windows\system32\dllcache\netcfgx.dll
+ 2008-03-28 09:10 . 2008-04-14 07:51 162816 h:\windows\system32\dllcache\netbt.sys
- 2008-10-24 00:08 . 2008-10-15 16:34 337408 h:\windows\system32\dllcache\netapi32.dll
+ 2008-03-29 04:35 . 2008-10-15 16:34 337408 h:\windows\system32\dllcache\netapi32.dll
+ 2008-03-28 09:10 . 2008-04-14 07:50 182656 h:\windows\system32\dllcache\ndis.sys
+ 2008-03-28 09:10 . 2008-04-14 07:47 105344 h:\windows\system32\dllcache\mup.sys
+ 2008-03-29 05:44 . 2004-08-04 05:29 452736 h:\windows\system32\dllcache\mtxparhm.sys
+ 2008-03-29 05:44 . 2004-08-04 05:41 126686 h:\windows\system32\dllcache\mtlmnt5.sys
+ 2008-03-28 09:10 . 2008-06-20 17:46 245248 h:\windows\system32\dllcache\mswsock.dll
- 2008-06-20 17:46 . 2008-06-20 17:46 245248 h:\windows\system32\dllcache\mswsock.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 343040 h:\windows\system32\dllcache\msvcrt.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 413696 h:\windows\system32\dllcache\msvcp60.dll
+ 2008-03-28 09:10 . 2009-09-11 14:18 136192 h:\windows\system32\dllcache\msv1_0.dll
- 2009-06-25 08:25 . 2009-09-11 14:18 136192 h:\windows\system32\dllcache\msv1_0.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 116224 h:\windows\system32\dllcache\mstlsapi.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 159232 h:\windows\system32\dllcache\msimtf.dll
+ 2008-03-28 09:10 . 2008-04-14 12:42 997376 h:\windows\system32\dllcache\msgina.dll
+ 2008-03-29 04:35 . 2008-04-14 12:42 297984 h:\windows\system32\dllcache\msctf.dll
+ 2008-03-28 09:10 . 2008-04-14 07:02 180608 h:\windows\system32\dllcache\mrxdav.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 586240 h:\windows\system32\dllcache\mlang.dll
- 2010-10-13 04:31 . 2010-09-18 06:53 974848 h:\windows\system32\dllcache\mfc42.dll
+ 2008-03-28 09:10 . 2010-09-18 06:53 974848 h:\windows\system32\dllcache\mfc42.dll
+ 2008-03-28 09:10 . 2010-12-20 17:26 730112 h:\windows\system32\dllcache\lsasrv.dll
- 2009-04-16 00:49 . 2010-12-20 17:26 730112 h:\windows\system32\dllcache\lsasrv.dll
- 2009-05-07 15:32 . 2009-05-07 15:32 345600 h:\windows\system32\dllcache\localspl.dll
+ 2008-03-28 09:10 . 2009-05-07 15:32 345600 h:\windows\system32\dllcache\localspl.dll
+ 2008-03-29 04:42 . 2008-04-14 07:46 141056 h:\windows\system32\dllcache\ks.sys
+ 2008-03-29 04:42 . 2008-04-14 07:15 172416 h:\windows\system32\dllcache\kmixer.sys
+ 2008-03-28 09:10 . 2009-03-21 14:06 989696 h:\windows\system32\dllcache\kernel32.dll
- 2009-03-21 14:06 . 2009-03-21 14:06 989696 h:\windows\system32\dllcache\kernel32.dll
+ 2008-03-29 04:36 . 2010-12-22 12:34 301568 h:\windows\system32\dllcache\kerberos.dll
- 2009-06-25 08:25 . 2010-12-22 12:34 301568 h:\windows\system32\dllcache\kerberos.dll
+ 2008-03-28 09:10 . 2009-12-09 05:53 726528 h:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53 . 2009-12-09 05:53 726528 h:\windows\system32\dllcache\jscript.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 183808 h:\windows\system32\dllcache\ipsecsvc.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 331264 h:\windows\system32\dllcache\ipnathlp.dll
+ 2008-03-28 09:10 . 2008-04-14 07:27 152832 h:\windows\system32\dllcache\ipnat.sys
+ 2008-03-29 04:36 . 2008-04-14 12:41 110080 h:\windows\system32\dllcache\imm32.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 144384 h:\windows\system32\dllcache\imagehlp.dll
- 2009-10-20 16:20 . 2009-10-20 16:20 265728 h:\windows\system32\dllcache\http.sys
+ 2008-03-29 05:44 . 2009-10-20 16:20 265728 h:\windows\system32\dllcache\http.sys
+ 2008-03-29 05:44 . 2004-08-04 05:41 685056 h:\windows\system32\dllcache\hsfcxts2.sys
+ 2008-03-29 05:44 . 2004-08-04 05:41 220032 h:\windows\system32\dllcache\hsfbs2s2.sys
+ 2008-03-29 04:36 . 2008-04-14 12:41 344064 h:\windows\system32\dllcache\hnetcfg.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 122880 h:\windows\system32\dllcache\glu32.dll
+ 2008-03-28 09:10 . 2008-10-23 12:36 286720 h:\windows\system32\dllcache\gdi32.dll
- 2008-10-23 12:36 . 2008-10-23 12:36 286720 h:\windows\system32\dllcache\gdi32.dll
+ 2001-08-17 13:52 . 2001-08-23 05:00 125056 h:\windows\system32\dllcache\ftdisk.sys
+ 2008-03-29 04:06 . 2008-04-14 12:41 185344 h:\windows\system32\dllcache\framedyn.dll
+ 2008-03-29 05:44 . 2008-04-14 07:03 129792 h:\windows\system32\dllcache\fltmgr.sys
- 2009-04-16 00:49 . 2009-02-09 12:10 473600 h:\windows\system32\dllcache\fastprox.dll
+ 2008-03-29 04:36 . 2009-02-09 12:10 473600 h:\windows\system32\dllcache\fastprox.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 247808 h:\windows\system32\dllcache\esscli.dll
+ 2008-03-29 04:36 . 2008-07-07 20:26 253952 h:\windows\system32\dllcache\es.dll
- 2008-07-07 20:26 . 2008-07-07 20:26 253952 h:\windows\system32\dllcache\es.dll
+ 2008-05-15 13:27 . 2008-04-14 12:41 126976 h:\windows\system32\dllcache\eappcfg.dll
- 2009-03-08 11:31 . 2009-03-08 11:31 216064 h:\windows\system32\dllcache\dxtrans.dll
+ 2008-03-29 04:36 . 2009-03-08 11:31 216064 h:\windows\system32\dllcache\dxtrans.dll
- 2009-03-08 11:31 . 2009-03-08 11:31 348160 h:\windows\system32\dllcache\dxtmsft.dll
+ 2008-03-29 04:36 . 2009-03-08 11:31 348160 h:\windows\system32\dllcache\dxtmsft.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 367616 h:\windows\system32\dllcache\dsound.dll
+ 2008-03-29 04:36 . 2008-06-20 17:46 147968 h:\windows\system32\dllcache\dnsapi.dll
- 2008-06-20 17:46 . 2008-06-20 17:46 147968 h:\windows\system32\dllcache\dnsapi.dll
+ 2008-03-28 09:10 . 2008-04-14 07:14 153344 h:\windows\system32\dllcache\dmio.sys
+ 2008-03-28 09:10 . 2008-04-14 07:14 799744 h:\windows\system32\dllcache\dmboot.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 126976 h:\windows\system32\dllcache\dhcpcsvc.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 279552 h:\windows\system32\dllcache\ddraw.dll
+ 2002-08-29 10:40 . 2008-04-14 12:41 640000 h:\windows\system32\dllcache\dbghelp.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 326656 h:\windows\system32\dllcache\cscui.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 101888 h:\windows\system32\dllcache\cscdll.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 163840 h:\windows\system32\dllcache\credui.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 792064 h:\windows\system32\dllcache\comres.dll
+ 2008-03-29 04:06 . 2008-04-14 12:41 498688 h:\windows\system32\dllcache\clbcatq.dll
+ 2001-08-17 14:02 . 2001-08-23 05:00 262528 h:\windows\system32\dllcache\cinemst2.sys
+ 2008-03-29 04:36 . 2008-04-14 12:41 194560 h:\windows\system32\dllcache\certcli.dll
+ 2008-03-29 05:44 . 2008-04-14 07:21 101120 h:\windows\system32\dllcache\bthpan.sys
- 2010-04-20 05:30 . 2011-01-07 14:09 290048 h:\windows\system32\dllcache\atmfd.dll
+ 2008-03-28 09:10 . 2011-01-07 14:09 290048 h:\windows\system32\dllcache\atmfd.dll
+ 2009-03-16 20:26 . 2011-01-05 02:59 302080 h:\windows\system32\dllcache\ati2dvag.dll
+ 2009-03-16 19:28 . 2011-01-05 02:22 851968 h:\windows\system32\dllcache\ati2cqag.dll
+ 2008-03-29 04:42 . 2008-04-14 05:09 142592 h:\windows\system32\dllcache\aec.sys
+ 2008-03-29 04:36 . 2009-03-08 11:32 128512 h:\windows\system32\dllcache\advpack.dll
- 2009-03-08 11:32 . 2009-03-08 11:32 128512 h:\windows\system32\dllcache\advpack.dll
- 2009-04-16 00:49 . 2009-02-09 12:10 617472 h:\windows\system32\dllcache\advapi32.dll
+ 2008-03-28 09:10 . 2009-02-09 12:10 617472 h:\windows\system32\dllcache\advapi32.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 143360 h:\windows\system32\dllcache\adsldpc.dll
+ 2008-03-28 09:10 . 2008-04-14 12:41 193536 h:\windows\system32\dllcache\activeds.dll
+ 2001-08-17 13:57 . 2008-04-14 07:06 187776 h:\windows\system32\dllcache\acpi.sys
- 2008-06-26 08:15 . 2010-12-20 23:59 1210880 h:\windows\system32\dllcache\urlmon.dll
+ 2008-03-29 04:35 . 2010-12-20 23:59 1210880 h:\windows\system32\dllcache\urlmon.dll
+ 2008-03-29 04:35 . 2009-07-17 16:22 1435648 h:\windows\system32\dllcache\query.dll
- 2009-07-17 16:22 . 2009-07-17 16:22 1435648 h:\windows\system32\dllcache\query.dll
- 2008-05-07 05:12 . 2010-02-05 18:27 1291776 h:\windows\system32\dllcache\quartz.dll
+ 2008-03-29 04:35 . 2010-02-05 18:27 1291776 h:\windows\system32\dllcache\quartz.dll
- 2010-07-16 12:05 . 2010-07-16 12:05 1288192 h:\windows\system32\dllcache\ole32.dll
+ 2008-03-29 04:35 . 2010-07-16 12:05 1288192 h:\windows\system32\dllcache\ole32.dll
+ 2008-05-16 21:01 . 2008-04-14 05:04 1897408 h:\windows\system32\dllcache\nv4_mini.sys
+ 2008-03-29 04:35 . 2008-04-14 12:42 1703936 h:\windows\system32\dllcache\netshell.dll
+ 2008-03-29 05:44 . 2004-08-04 05:41 1309184 h:\windows\system32\dllcache\mtlstrm.sys
- 2008-11-12 06:11 . 2010-06-14 07:41 1172480 h:\windows\system32\dllcache\msxml3.dll
+ 2008-03-29 04:35 . 2010-06-14 07:41 1172480 h:\windows\system32\dllcache\msxml3.dll
- 2008-05-19 13:33 . 2008-05-19 13:33 4445184 h:\windows\system32\dllcache\msi.dll
+ 2008-03-29 04:35 . 2008-05-19 13:33 4445184 h:\windows\system32\dllcache\msi.dll
- 2008-04-21 06:44 . 2010-12-20 23:59 5961216 h:\windows\system32\dllcache\mshtml.dll
+ 2008-03-29 04:35 . 2010-12-20 23:59 5961216 h:\windows\system32\dllcache\mshtml.dll
+ 2008-03-29 05:44 . 2004-08-04 05:41 1041536 h:\windows\system32\dllcache\hsfdpsp2.sys
+ 2008-03-28 09:10 . 2008-04-14 12:41 1082368 h:\windows\system32\dllcache\esent.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 1267200 h:\windows\system32\dllcache\comsvcs.dll
+ 2008-03-29 04:36 . 2008-04-14 12:41 1025024 h:\windows\system32\dllcache\browseui.dll
+ 2009-03-16 19:53 . 2011-01-05 02:36 2670464 h:\windows\system32\dllcache\ativvaxx.dll
+ 2009-03-16 20:06 . 2011-01-05 02:53 4021984 h:\windows\system32\dllcache\ati3duag.dll
 
CONTINUED
============================================

.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- h:\program files\Alwil Software\Avast5\ashShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="h:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-25 2423752]
"Google Update"="h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-09 135664]
"EVEMon"="i:\program files\EVEMon\EVEMon.exe" [2011-02-12 1724928]
"Skype"="h:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIARaidUtl"="h:\program files\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
"AMD_Display"="h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe" [2008-05-05 1449984]
"StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-05 98304]
"avast"="h:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]

h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Timex Data Link USB Launcher.lnk - h:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2010-11-19 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\H:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=h:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-06-10 10:57 136472 ----a-w- h:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-06-10 11:02 904840 ----a-w- i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 08:04 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- h:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-04-06 23:35 247296 ----a-w- h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 20:53 77824 ----a-w- h:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]
2008-05-05 16:37 1449984 ----a-w- h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
h:\program files\ATI Multimedia\main\launchpd.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2011-02-23 15:04 3451496 ----a-w- h:\progra~1\ALWILS~1\Avast5\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- h:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 ----a-w- h:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVEMon]
2011-02-12 20:26 1724928 ----a-w- i:\program files\EVEMon\EVEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-09 03:45 135664 ------w- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2003-09-01 18:52 376912 -c--a-w- h:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2001-08-10 17:23 94208 ----a-w- h:\program files\Common Files\Logitech\QCDriver\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 19:50 155648 ----a-w- h:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
2010-11-07 05:24 1867888 ----a-w- h:\program files\PeerBlock\peerblock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 22:57 282624 ----a-w- h:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-02-26 07:03 16125440 ------w- h:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
2008-11-03 19:02 4789048 ----a-w- h:\program files\SightSpeed\SightSpeed.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ------r- h:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-01-05 04:36 98304 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 11:17 149280 ----a-w- i:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMRUBottedTray]
2008-11-06 18:33 288088 ----a-w- h:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-06-10 10:55 1326080 ----a-w- i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- h:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LVPrcSrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\AboutTime\\AboutTime.exe"=
"e:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\eve\\bin\\ExeFile.exe"=
"h:\\Program Files\\DAP\\DAP.exe"=
"h:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"h:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"i:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\UGS\\NX 6.0\\UGII\\ugraf.exe"=
"h:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"h:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
"h:\\Program Files\\Skype\\Phone\\Skype.exe"=
"h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"h:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"h:\\WINDOWS\\system32\\dpvsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8181:TCP"= 8181:TCP:utorrent webui
"8181:UDP"= 8181:UDP:utorrent webui

R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [5/2/2008 8:16 PM 643072]
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2/26/2011 9:14 AM 371544]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [8/2/2010 8:02 AM 301528]
R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [8/2/2010 8:02 AM 19544]
R2 MotoConnect Service;MotoConnect Service;h:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/27/2010 6:26 PM 91392]
R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\UGS\UGSLicensing\lmgrd.exe [4/22/2008 9:37 AM 1372160]
R2 VRAID Log Service;VRAID Log Service;h:\program files\VIA\RAID\vialogsv.exe [5/20/2009 8:38 PM 52888]
R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [5/20/2009 10:15 PM 34304]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [5/20/2009 7:19 PM 38656]
R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 6:13 AM 135664]
S3 Amazon Download Agent;Amazon Download Agent;h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/12/2009 10:48 PM 319488]
S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [6/27/2010 6:27 PM 25856]
S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [8/15/2010 3:18 PM 13192]
S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [8/15/2010 3:18 PM 8456]
S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [12/28/2007 12:57 AM 46080]
S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [6/27/2010 6:27 PM 42752]
S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [4/4/2007 9:56 PM 21376]
S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 RUBotted;Trend Micro RUBotted Service;h:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2/24/2010 6:47 AM 582992]
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

2011-03-01 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

2011-02-26 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003Core.job
- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

2011-03-01 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003UA.job
- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

2011-02-25 h:\windows\Tasks\{9C117111-5543-41EF-B8BA-B9878B7EE374}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]

2011-02-28 h:\windows\Tasks\{B330E9BD-9502-4D89-B3A9-3BB957C35074}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]

2011-02-28 h:\windows\Tasks\{BF62BF1F-BB0E-44D1-97CB-094298049FEB}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: intuit.com\ttlc
TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-28 20:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1464)
h:\program files\SUPERAntiSpyware\SASWINLO.DLL
h:\windows\system32\WININET.dll
h:\windows\system32\Ati2evxx.dll
h:\windows\system32\atiadlxx.dll
h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'explorer.exe'(1648)
h:\windows\system32\WININET.dll
h:\windows\system32\msi.dll
h:\windows\system32\webcheck.dll
h:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
h:\windows\system32\Ati2evxx.exe
h:\program files\Alwil Software\Avast5\AvastSvc.exe
h:\windows\system32\Ati2evxx.exe
h:\program files\Common Files\Acronis\Schedule2\schedul2.exe
h:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
i:\program files\Java\jre6\bin\jqs.exe
h:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
h:\windows\system32\wdfmgr.exe
h:\program files\UGS\UGSLicensing\ugslmd.exe
h:\windows\system32\wscntfy.exe
h:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
h:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
h:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
h:\program files\Motorola\MotoConnectService\MotoConnect.exe
.
**************************************************************************
.
Completion time: 2011-02-28 20:33:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-01 03:33
ComboFix2.txt 2011-02-28 01:15
ComboFix3.txt 2011-02-26 15:15
ComboFix4.txt 2011-02-25 14:54
ComboFix5.txt 2011-03-01 02:53

Pre-Run: 200,724,099,072 bytes free
Post-Run: 200,709,947,392 bytes free

- - End Of File - - 44DEC926DD9198DF80C40B61BA05A60C
 
Some background on the malware you have/had:

Win32/Bamital Trojan: AKA Backdoor.Win32.Agent.andi, Trojan.Bamital.Gen, Win32/Agent.
Trojan:Win32/Bamital.A is a trojan often installed by other malware. It monitors and modifies Web search queries and displays advertisements. It is triggered when the browser is Internet Explorer, Opera, Firefox, Chrome, or Safari.

Payload: Modifies browsing behavior: patches and redirects some functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.

Connects to a remote server: May also send and download additional information from other Web servers.
==============================================
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    explorer.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
======================================
Well, you caught my flub on Combofix! I so frequently have it run right after the Eset scan that I just picked up the log you left and added the script! I don't see where I had you run it in the first place and should have uninstalled it, then reinstalled. My bad, but if the script does the job, okay.
=========================================
You are obviously an experienced computer user. So I would like you to visit this site for the MVPS Host file replacement: http://mvps.org/winhelp2002/hosts.htm
You have been doing some things on your own, so see if this download is appropriate for you now.
========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
h:\temp\SSUPDATE.EXE
H:\MGlogs.zip
Folder::
H:\MGtools

FileLook::
h:\windows\system32\k.dll
DirLook::
H:\Temple

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"8181:TCP"=-
"8181:UDP"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste in your next reply.
====================
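The `:filefind` scan requested above prints one line per hit in a fixed layout: path, attribute flags, size, created and modified timestamps, and an MD5. The useful defender check on such output is to compare a suspect system binary against a known-clean copy field by field, since a patched binary often keeps its size and even its modification time while its hash changes. The Python below is an added example, not part of this thread and not SystemLook's own code; it parses that layout and reports same-directory copies (such as `explorer.exe` beside a backed-up `explorer.ex_`) that match in size but differ in hash. The sample lines are copied from the SystemLook log posted later in the thread; the function and constant names are my own.

```python
"""Parse SystemLook ':filefind' output and compare same-stem copies.

Added example (not SystemLook's code). Function names are assumptions.
"""
import re
from datetime import datetime
from itertools import combinations
from typing import Dict, List, NamedTuple, Tuple

# One result line:  <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
# The path may contain spaces, so it is matched non-greedily and the
# fixed-shape fields to its right decide where it ends.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
TS_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints day/month/year

# Lines copied from the SystemLook log later in this thread.
SAMPLE = r"""
Searching for "explorer.*"
H:\Program Files\DAP\Skins\dap\Explorer.bmp --a---- 5264 bytes [04:54 19/06/2008] [04:54 19/06/2008] 0EF744B1DC357FDE44C78536A8108659
H:\Program Files\Macro Express3\Icons\explorer.ico --a---- 10134 bytes [05:22 09/07/2099] [15:26 30/05/2007] F98A1DBCDCF308B53602393157B9B70E
H:\WINDOWS\explorer.exe --a---- 1033728 bytes [04:36 29/03/2008] [00:12 14/04/2008] E99BE788FBEE60C53F47F1F8CEA2C926
H:\WINDOWS\explorer.ex_ --a---- 1033728 bytes [23:35 27/02/2011] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
H:\WINDOWS\explorer.scf --a---- 80 bytes [09:10 28/03/2008] [05:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392
H:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
H:\WINDOWS\Prefetch\EXPLORER.EXE-04FFEABC.pf --a---- 102584 bytes [04:58 11/02/2011] [13:26 01/03/2011] B9B8FC42504253E52EA312AC046DC6E6

-= EOF =-
"""


class Entry(NamedTuple):
    path: str
    attrs: str
    size: int
    created: datetime
    modified: datetime
    md5: str


def parse_filefind(text: str) -> List[Entry]:
    """Return every parseable result line; headers and the EOF marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            path=m["path"],
            attrs=m["attrs"],
            size=int(m["size"]),
            created=datetime.strptime(m["created"], TS_FMT),
            modified=datetime.strptime(m["modified"], TS_FMT),
            md5=m["md5"].upper(),
        ))
    return entries


def compare_entries(suspect: Entry, reference: Entry) -> Dict[str, bool]:
    """Field-by-field comparison of a suspect file against a known-good copy.

    Size and mtime agreeing while the MD5 differs is the pattern to act on.
    """
    return {
        "same_size": suspect.size == reference.size,
        "same_mtime": suspect.modified == reference.modified,
        "same_md5": suspect.md5 == reference.md5,
    }


def _dir_and_stem(path: str) -> Tuple[str, str]:
    """Split a Windows path into (directory, name-before-first-dot), lower-cased."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.split(".")[0].lower()


def find_mismatched_copies(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Pair files sharing a directory and stem (explorer.exe / explorer.ex_)
    and report pairs whose size matches but whose MD5 does not."""
    groups: Dict[Tuple[str, str], List[Entry]] = {}
    for e in entries:
        groups.setdefault(_dir_and_stem(e.path), []).append(e)
    flagged = []
    for members in groups.values():
        for a, b in combinations(members, 2):
            if a.size == b.size and a.md5 != b.md5:
                flagged.append((a.path, b.path))
    return flagged


if __name__ == "__main__":
    for a, b in find_mismatched_copies(parse_filefind(SAMPLE)):
        print(f"size matches but MD5 differs: {a} vs {b}")
```

Feed it the whole SystemLook.txt and it will surface exactly the pair the thread is concerned with; anything it flags still needs the reference copy's provenance confirmed (a clean machine at the same patch level) before the hash difference means anything.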
 
Thank you for the background on the infection.

Am I at significant risk for compromised passwords? This machine is typically used for all sorts of things including financial websites and remote desktop connection to work. As a matter of pure circumstance, none of these actions were taken between suspected infection time and when I first noticed the redirects. Since the redirects, I have consciously avoided passworded functions except where absolutely necessary, e.g., this site.

Concerning the H:\Temple folder, that is my doing. I was using it to process video on my local machine instead of my media server to avoid network bandwidth issues.

Thank you for the MVPS Host file recommendation. Once this matter is resolved, I intend to implement it. I assume it's premature at this point.

Concerning your comments about my experience, thank you, but please don't assume too much. I'm generally regarded as a Guru by my peers, friends, family; however, when it comes to people with very detailed technical knowledge like yourself, I slip quickly into the power user category.... occasionally one with just enough information to be dangerous. I try to recognize this and keep myself reined in.

A prior run of Combofix (before posting on the site) indicated issues with explorer.exe and winlogon.exe. I obtained copies from my wife's computer and placed them in the same folders with the .ex_ extension.

Combofix failed to restart the computer again. I allowed for 10 minutes before attempting to restart. ctrl-alt-del function was not available, screen was black with nothing but the combofix window. Mouse would move, but would not respond to clicks. I forced reboot with the computer reset button. Combofix ran on login and produced the log.

NOTE: I will be away from this computer for several hours. If it is safe to do so, I can connect remotely, but failed restarts with combofix would present an issue. Please advise if I should pursue this.

Syslook and combofix files follow:

SystemLook 04.09.10 by jpshortstuff
Log created at 09:24 on 01/03/2011 by Steve
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
H:\Program Files\DAP\Skins\dap\Explorer.bmp --a---- 5264 bytes [04:54 19/06/2008] [04:54 19/06/2008] 0EF744B1DC357FDE44C78536A8108659
H:\Program Files\Macro Express3\Icons\explorer.ico --a---- 10134 bytes [05:22 09/07/2099] [15:26 30/05/2007] F98A1DBCDCF308B53602393157B9B70E
H:\WINDOWS\explorer.exe --a---- 1033728 bytes [04:36 29/03/2008] [00:12 14/04/2008] E99BE788FBEE60C53F47F1F8CEA2C926
H:\WINDOWS\explorer.ex_ --a---- 1033728 bytes [23:35 27/02/2011] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
H:\WINDOWS\explorer.scf --a---- 80 bytes [09:10 28/03/2008] [05:00 23/08/2001] A3975A7D2C98B30A2AE010754FFB9392
H:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
H:\WINDOWS\Prefetch\EXPLORER.EXE-04FFEABC.pf --a---- 102584 bytes [04:58 11/02/2011] [13:26 01/03/2011] B9B8FC42504253E52EA312AC046DC6E6

-= EOF =-


ComboFix 11-02-28.07 - Steve 03/01/2011 9:36.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1486 [GMT -7:00]
Running from: h:\documents and settings\Deb\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\Deb\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"H:\MGlogs.zip"
"h:\temp\SSUPDATE.EXE"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

H:\MGlogs.zip
H:\MGtools
h:\mgtools\analyse.exe
h:\mgtools\BamFix.bat
h:\mgtools\bamRCfix.txt
h:\mgtools\chodefix.bat
h:\mgtools\config.reg
h:\mgtools\DisableUAC.reg
h:\mgtools\download.exe
h:\mgtools\EnableUAC.reg
h:\mgtools\ffinfo.txt
h:\mgtools\filelog.txt
h:\mgtools\FindOVL.bat
h:\mgtools\FindRN.bat
h:\mgtools\FixACLS.bat
h:\mgtools\FixBagle.bat
h:\mgtools\fixBagle.reg
h:\mgtools\FixbamRC.bat
h:\mgtools\FixCF.bat
h:\mgtools\fixCF.reg
h:\mgtools\fixChode.reg
h:\mgtools\FixFA.bat
h:\mgtools\fixFA.reg
h:\mgtools\FixPerm.bat
h:\mgtools\FixSBM.bat
h:\mgtools\fixSBM.reg
h:\mgtools\GetDetails.exe
h:\mgtools\GetLogs.Bat
h:\mgtools\GetMBR.bat
h:\mgtools\GetRunKey.bat
h:\mgtools\GetUnKey.txt
h:\mgtools\GetUnKeys.bat
h:\mgtools\grep.exe
h:\mgtools\GRK64.bat
h:\mgtools\hide.reg
h:\mgtools\history.txt
h:\mgtools\HTAfind.bat
h:\mgtools\IEFIX.reg
h:\mgtools\locate.com
h:\mgtools\ltime.exe
h:\mgtools\mbrfix.bat
h:\mgtools\MGclean.bat
h:\mgtools\MiscInfo.bat
h:\mgtools\NwkTst.bat
h:\mgtools\Process.exe
h:\mgtools\ProcessDll.exe
h:\mgtools\Regfix.bat
h:\mgtools\RemMWS.bat
h:\mgtools\RunMB.bat
h:\mgtools\scantime.txt
h:\mgtools\sed.exe
h:\mgtools\ShowNew.bat
h:\mgtools\SN64.bat
h:\mgtools\swreg.exe
h:\mgtools\swwhoami.exe
h:\mgtools\SysBU.bat
h:\mgtools\temp\aedebug.txt
h:\mgtools\temp\cvdrv1.txt
h:\mgtools\temp\cvdrv2.txt
h:\mgtools\temp\cvdrv3.txt
h:\mgtools\temp\ffext.txt
h:\mgtools\temp\GRKflag.log
h:\mgtools\temp\header0.txt
h:\mgtools\temp\HIDDEN1.txt
h:\mgtools\temp\HIDDEN2.txt
h:\mgtools\temp\HIDDEN3.txt
h:\mgtools\temp\HIDDEN4.txt
h:\mgtools\temp\junk.txt
h:\mgtools\temp\NetSvcs.txt
h:\mgtools\temp\SH.txt
h:\mgtools\temp\VSP1\beep.sysmg
h:\mgtools\temp\VSP1\cngaudit.dllmg
h:\mgtools\temp\VSP1\netlogon.dllmg
h:\mgtools\temp\VSP1\scecli.dllmg
h:\mgtools\temp\xcuexpSH.txt
h:\mgtools\temp\xcupolexp.txt
h:\mgtools\temp\xcupolie.txt
h:\mgtools\temp\xcupolsys.txt
h:\mgtools\temp\xcupolwup.txt
h:\mgtools\temp\xlmcpl.txt
h:\mgtools\temp\xmodul.txt
h:\mgtools\temp\xmscfg.txt
h:\mgtools\temp\XPSP2\beep.sysmg
h:\mgtools\temp\XPSP2\eventlog.dllmg
h:\mgtools\temp\XPSP2\netlogon.dllmg
h:\mgtools\temp\XPSP2\scecli.dllmg
h:\mgtools\temp\XPSP3\beep.sysmg
h:\mgtools\temp\XPSP3\eventlog.dllmg
h:\mgtools\temp\XPSP3\netlogon.dllmg
h:\mgtools\temp\XPSP3\scecli.dllmg
h:\mgtools\temp\xrkey01.txt
h:\mgtools\temp\xrkey04.txt
h:\mgtools\temp\xrkey05.txt
h:\mgtools\temp\xrkey06.txt
h:\mgtools\temp\xrkey07.txt
h:\mgtools\temp\xrkey08.txt
h:\mgtools\temp\xrkey09.txt
h:\mgtools\temp\xrkey10.txt
h:\mgtools\temp\xrkey11.txt
h:\mgtools\temp\xrkey12.txt
h:\mgtools\temp\xrnotif.txt
h:\mgtools\temp\xrquery.txt
h:\mgtools\temp\xspawn.txt
h:\mgtools\temp\xspawn2.txt
h:\mgtools\unhide.reg
h:\mgtools\UnKeys.bat
h:\mgtools\UserInfo.bat
h:\mgtools\vfind.exe
h:\mgtools\VunFind.bat
h:\mgtools\zip.exe
h:\temp\SSUPDATE.EXE

Infected copy of h:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - h:\system volume information\_restore{9E309AAF-1379-463E-ACC3-0D3107ABAA46}\RP6\A0009729.exe

h:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
.

2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Common Files\Java
2011-03-01 03:39 . 2011-03-01 03:39 73728 ----a-w- h:\windows\system32\javacpl.cpl
2011-03-01 03:39 . 2011-03-01 03:39 472808 ----a-w- h:\windows\system32\deployJava1.dll
2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Java
2011-03-01 01:42 . 2011-03-01 01:42 -------- d-----w- H:\_OTM
2011-02-28 15:29 . 2008-04-14 12:42 3584 ----a-w- h:\windows\system32\k.dll
2011-02-27 23:35 . 2008-04-14 00:12 507904 ----a-w- h:\windows\system32\winlogon.ex_
2011-02-27 23:35 . 2008-04-14 00:12 1033728 ----a-w- h:\windows\explorer.ex_
2011-02-27 19:19 . 2011-02-27 19:19 33019 ----a-w- h:\windows\system32\CoreAAC-uninstall.exe
2011-02-27 19:18 . 2009-08-12 04:18 497664 ----a-w- h:\windows\system32\ac3filter.acm
2011-02-27 18:32 . 2011-02-27 20:28 -------- d-----w- H:\Temple
2011-02-27 18:29 . 2011-02-27 18:42 -------- d-----w- h:\program files\Avi2Dvd
2011-02-26 19:30 . 2011-02-26 19:30 -------- d-----w- h:\program files\ESET
2011-02-26 16:14 . 2011-02-23 14:56 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2011-02-26 15:52 . 2011-02-26 15:52 -------- d-----w- h:\windows\system32\wbem\Repository
2011-02-26 15:50 . 2011-02-26 15:50 -------- d-----w- h:\program files\EVE Metrics Uploader
2011-02-25 07:53 . 2011-02-25 07:53 -------- d-----w- h:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-02-25 04:37 . 2011-02-25 04:37 -------- d-----w- h:\documents and settings\Deb\Application Data\Malwarebytes
2011-02-25 04:26 . 2010-12-21 01:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2011-02-25 04:26 . 2011-02-25 04:26 -------- d-----w- h:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-02-25 04:26 . 2011-02-26 16:12 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2011-02-25 04:26 . 2010-12-21 01:08 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
2011-02-19 13:01 . 2011-02-19 13:01 -------- d-----w- h:\program files\Microsoft.NET
2011-02-18 07:02 . 2011-02-18 07:02 -------- d-----w- H:\AutoCad
2011-02-10 01:10 . 2011-02-10 01:10 1716297 ----a-w- h:\windows\system32\InetClnt.dll
2011-01-31 04:58 . 2011-01-31 04:58 -------- d-----w- h:\program files\Rhinoceros 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 15:04 . 2010-08-02 15:01 40648 ----a-w- h:\windows\avastSS.scr
2011-02-23 15:04 . 2010-08-02 15:01 190016 ----a-w- h:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2010-08-02 15:02 301528 ----a-w- h:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-08-02 15:02 49240 ----a-w- h:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-08-02 15:02 102232 ----a-w- h:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-08-02 15:02 96344 ----a-w- h:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-08-02 15:02 25432 ----a-w- h:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-08-02 15:02 30680 ----a-w- h:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-08-02 15:02 19544 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
2011-02-10 01:10 . 2011-02-10 01:10 12 ----a-w- h:\windows\Fonts\wfonts.key
2011-01-21 14:44 . 2008-03-29 04:35 439296 ----a-w- h:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-03-28 09:10 290048 ----a-w- h:\windows\system32\atmfd.dll
2011-01-05 03:34 . 2009-03-16 21:33 5656576 ----a-w- h:\windows\system32\drivers\ati2mtag.sys
2011-01-05 03:13 . 2009-03-16 19:35 57344 ----a-w- h:\windows\system32\aticalrt.dll
2011-01-05 03:12 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\aticalcl.dll
2011-01-05 03:11 . 2009-03-16 19:33 4489216 ----a-w- h:\windows\system32\aticaldd.dll
2011-01-05 03:11 . 2009-03-16 20:04 17084416 ----a-w- h:\windows\system32\atioglxx.dll
2011-01-05 03:00 . 2009-03-16 20:27 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
2011-01-05 02:59 . 2009-03-16 20:26 302080 ----a-w- h:\windows\system32\ati2dvag.dll
2011-01-05 02:53 . 2009-03-16 20:17 311296 ----a-w- h:\windows\system32\atiiiexx.dll
2011-01-05 02:53 . 2009-03-16 20:06 4021984 ----a-w- h:\windows\system32\ati3duag.dll
2011-01-05 02:46 . 2011-01-27 04:52 1112576 ----a-w- h:\windows\system32\ativvamv.dll
2011-01-05 02:39 . 2009-03-16 20:17 212992 ----a-w- h:\windows\system32\atipdlxx.dll
2011-01-05 02:39 . 2009-03-16 20:16 155648 ----a-w- h:\windows\system32\Oemdspif.dll
2011-01-05 02:39 . 2009-03-16 20:16 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
2011-01-05 02:39 . 2009-03-16 20:16 43520 ----a-w- h:\windows\system32\ati2edxx.dll
2011-01-05 02:39 . 2009-03-16 20:16 188416 ----a-w- h:\windows\system32\ati2evxx.dll
2011-01-05 02:37 . 2009-03-16 20:15 638976 ----a-w- h:\windows\system32\ati2evxx.exe
2011-01-05 02:36 . 2009-03-16 19:53 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
2011-01-05 02:36 . 2009-03-16 20:13 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
2011-01-05 02:35 . 2010-04-10 04:02 143360 ----a-w- h:\windows\system32\atiapfxx.exe
2011-01-05 02:31 . 2009-03-16 19:36 651264 ----a-w- h:\windows\system32\atikvmag.dll
2011-01-05 02:29 . 2009-03-16 19:35 196608 ----a-w- h:\windows\system32\atiadlxx.dll
2011-01-05 02:28 . 2009-03-16 19:34 17408 ----a-w- h:\windows\system32\atitvo32.dll
2011-01-05 02:28 . 2009-03-16 19:35 471040 ----a-w- h:\windows\system32\atiok3x2.dll
2011-01-05 02:22 . 2009-03-16 19:28 851968 ----a-w- h:\windows\system32\ati2cqag.dll
2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\atimpc32.dll
2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\amdpcom32.dll
2011-01-05 02:19 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\drivers\ati2erec.dll
2010-12-31 13:10 . 2008-03-28 09:11 1854976 ----a-w- h:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-03-29 04:36 301568 ----a-w- h:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-03-29 04:35 916480 ----a-w- h:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-03-29 04:36 1469440 ------w- h:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2008-03-29 04:36 43520 ----a-w- h:\windows\system32\licmgr10.dll
2010-12-20 17:26 . 2008-03-28 09:10 730112 ----a-w- h:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-03-29 05:44 385024 ----a-w- h:\windows\system32\html.iec
2010-12-09 15:15 . 2008-03-28 09:10 718336 ----a-w- h:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-03-28 09:10 33280 ----a-w- h:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-03-28 09:10 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2001-08-17 13:48 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
2010-12-07 19:14 . 2010-12-07 19:14 51200 ----a-w- h:\windows\system32\OpenCL.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- h:\windows\system32\k.dll ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 3584
Created time: 2011-02-28 15:29
Modified time: 2008-04-14 12:42
MD5: 91BFC30C7D1AB5891511609C236FFED5
SHA1: 68D919FDDA263864F2D5E6A0573B6D1BF9C665A7

---- Directory of H:\Temple ----

2011-02-27 19:21 . 2011-02-19 18:45 730714112 ----a-w- h:\temple\templegrandin.avi


------- Sigcheck -------

[-] 2008-04-14 . 82753CED43E9FB7CA8E81F2089FFF07B . 507904 . . [5.1.2600.5512] . . h:\windows\system32\winlogon.exe

[-] 2008-04-14 . E99BE788FBEE60C53F47F1F8CEA2C926 . 1033728 . . [6.00.2900.5512] . . h:\windows\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot_2011-03-01_03.30.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-01 03:39 . 2011-03-01 03:39 157472 h:\windows\system32\javaws.exe
+ 2011-03-01 03:39 . 2011-03-01 03:39 145184 h:\windows\system32\javaw.exe
- 2010-02-18 03:44 . 2009-10-11 11:17 145184 h:\windows\system32\javaw.exe
+ 2011-03-01 03:39 . 2011-03-01 03:39 145184 h:\windows\system32\java.exe
- 2010-02-18 03:44 . 2009-10-11 11:17 145184 h:\windows\system32\java.exe
+ 2011-03-01 03:39 . 2011-03-01 03:39 180224 h:\windows\Installer\84afa.msi
+ 2011-03-01 03:39 . 2011-03-01 03:39 675840 h:\windows\Installer\84aef.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- h:\program files\Alwil Software\Avast5\ashShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="h:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-25 2423752]
"Google Update"="h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-09 135664]
"EVEMon"="i:\program files\EVEMon\EVEMon.exe" [2011-02-12 1724928]
"Skype"="h:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIARaidUtl"="h:\program files\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
"AMD_Display"="h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe" [2008-05-05 1449984]
"StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-05 98304]
"avast"="h:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
"SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Timex Data Link USB Launcher.lnk - h:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2010-11-19 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\H:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=h:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-06-10 10:57 136472 ----a-w- h:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-06-10 11:02 904840 ----a-w- i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 08:04 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- h:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-04-06 23:35 247296 ----a-w- h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 20:53 77824 ----a-w- h:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]
2008-05-05 16:37 1449984 ----a-w- h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
h:\program files\ATI Multimedia\main\launchpd.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2011-02-23 15:04 3451496 ----a-w- h:\progra~1\ALWILS~1\Avast5\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- h:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 ----a-w- h:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVEMon]
2011-02-12 20:26 1724928 ----a-w- i:\program files\EVEMon\EVEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-09 03:45 135664 ------w- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2003-09-01 18:52 376912 -c--a-w- h:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2001-08-10 17:23 94208 ----a-w- h:\program files\Common Files\Logitech\QCDriver\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 19:50 155648 ----a-w- h:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
2010-11-07 05:24 1867888 ----a-w- h:\program files\PeerBlock\peerblock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 22:57 282624 ----a-w- h:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-02-26 07:03 16125440 ------w- h:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
2008-11-03 19:02 4789048 ----a-w- h:\program files\SightSpeed\SightSpeed.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ------r- h:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-01-05 04:36 98304 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMRUBottedTray]
2008-11-06 18:33 288088 ----a-w- h:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-06-10 10:55 1326080 ----a-w- i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- h:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LVPrcSrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\AboutTime\\AboutTime.exe"=
"e:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\eve\\bin\\ExeFile.exe"=
"h:\\Program Files\\DAP\\DAP.exe"=
"h:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"h:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"i:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\UGS\\NX 6.0\\UGII\\ugraf.exe"=
"h:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"h:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
"h:\\Program Files\\Skype\\Phone\\Skype.exe"=
"h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"h:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"h:\\WINDOWS\\system32\\dpvsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"8181:TCP"= 8181:TCP:utorrent webui
"8181:UDP"= 8181:UDP:utorrent webui

R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [5/2/2008 8:16 PM 643072]
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2/26/2011 9:14 AM 371544]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [8/2/2010 8:02 AM 301528]
R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [8/2/2010 8:02 AM 19544]
R2 MotoConnect Service;MotoConnect Service;h:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/27/2010 6:26 PM 91392]
R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\UGS\UGSLicensing\lmgrd.exe [4/22/2008 9:37 AM 1372160]
R2 VRAID Log Service;VRAID Log Service;h:\program files\VIA\RAID\vialogsv.exe [5/20/2009 8:38 PM 52888]
R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [5/20/2009 10:15 PM 34304]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [5/20/2009 7:19 PM 38656]
R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 6:13 AM 135664]
S3 Amazon Download Agent;Amazon Download Agent;h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/12/2009 10:48 PM 319488]
S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [6/27/2010 6:27 PM 25856]
S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [8/15/2010 3:18 PM 13192]
S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [8/15/2010 3:18 PM 8456]
S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [12/28/2007 12:57 AM 46080]
S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [6/27/2010 6:27 PM 42752]
S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [4/4/2007 9:56 PM 21376]
S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 RUBotted;Trend Micro RUBotted Service;h:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2/24/2010 6:47 AM 582992]
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

2011-03-01 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

2011-02-26 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003Core.job
- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

2011-03-01 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003UA.job
- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

2011-02-25 h:\windows\Tasks\{9C117111-5543-41EF-B8BA-B9878B7EE374}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]

2011-02-28 h:\windows\Tasks\{B330E9BD-9502-4D89-B3A9-3BB957C35074}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]

2011-03-01 h:\windows\Tasks\{BF62BF1F-BB0E-44D1-97CB-094298049FEB}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: intuit.com\ttlc
TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - i:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-01 10:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1460)
h:\program files\SUPERAntiSpyware\SASWINLO.DLL
h:\windows\system32\WININET.dll
h:\windows\system32\Ati2evxx.dll
h:\windows\system32\atiadlxx.dll
h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'explorer.exe'(2760)
h:\windows\system32\WININET.dll
h:\windows\system32\msi.dll
h:\windows\system32\webcheck.dll
h:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
.
h:\windows\system32\Ati2evxx.exe
h:\program files\Alwil Software\Avast5\AvastSvc.exe
h:\windows\system32\Ati2evxx.exe
h:\program files\Common Files\Acronis\Schedule2\schedul2.exe
h:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
h:\program files\Java\jre6\bin\jqs.exe
h:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
h:\windows\system32\wdfmgr.exe
h:\program files\UGS\UGSLicensing\ugslmd.exe
h:\windows\system32\wscntfy.exe
h:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
h:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
h:\program files\Motorola\MotoConnectService\MotoConnect.exe
h:\program files\Java\jre6\bin\javaws.exe
h:\program files\Java\jre6\bin\javaw.exe
.
**************************************************************************
.
Completion time: 2011-03-01 10:11:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-01 17:11
ComboFix2.txt 2011-03-01 03:33
ComboFix3.txt 2011-02-28 01:15
ComboFix4.txt 2011-02-26 15:15
ComboFix5.txt 2011-03-01 16:34

Pre-Run: 200,503,988,224 bytes free
Post-Run: 200,479,453,184 bytes free

- - End Of File - - A7975D72733F8F8E8A79E2AE28F9A2AF
 
A prior run of Combofix (before posting on the site) indicated issues with explorer.exe and winlogon.exe. I obtained copies from my wife's computer and placed them in the same folders with the .ex_ extension.

FYI: The Bamital malware infected both winlogon.exe and explorer.exe. A better way to handle them would have been to do what I did: look in your system for a good copy of the file and then do FCopy to replace the infected file with a good one. Combofix replaced the infected winlogon.exe file with one from a restore point. I replaced explorer.exe using FCopy.

Please run this Custom CFScript:

  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad > click on Format > Uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
Code:
File::
h:\windows\system32\k.dll
FCopy::
H:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe | h:\windows\explorer.exe
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
If you are still having the redirects after this, I will have you disable the CD Emulation software as it will sometimes interfere with scans. NOTE: you do not need to do this yet and if you do, I will give you the instructions.
 
Combofix ran as expected with a forced reboot via the reset button. Combofix resumed after reboot and log generated.

Redirects are NOT occurring anymore, and page loads following link clicks are VERY responsive (since they're not looking for a different server! - and Avast shields are still disabled).

I tested with search results from google, yahoo, lycos, altavista and wikipedia as all had redirects previously.

h:\windows\system32\k.dll is still present, and it is still identified as a virus by avast (using right click scan from explorer). I took no action.

h:\windows\system32\drivers\etc\hosts file contains only the localhost entry.

Note that I had no system restore points prior to the infection. I believe the infection may have wiped them, so any files extracted from the restore points might be suspect.

Combofix log follows:


ComboFix 11-02-28.07 - Steve 03/01/2011 18:41:36.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1485 [GMT -7:00]
Running from: h:\documents and settings\Deb\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\Deb\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"h:\windows\system32\k.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\temp\winlogon.dat

Infected copy of h:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - h:\windows\system32\winlogon.ex_

.
--------------- FCopy ---------------

h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe --> h:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
.

2099-07-09 05:22 . 2099-07-09 05:22 -------- d-----w- h:\program files\Common Files\Insight Software Solutions
2099-07-09 05:22 . 2008-07-10 03:29 -------- d-----w- h:\program files\Macro Express3
2020-11-03 13:37 . 2010-11-03 13:43 -------- d-----w- h:\program files\SlySoft
2011-03-02 02:31 . 2010-06-29 17:48 355056 ----a-w- h:\temp\SSUPDATE.EXE
2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Common Files\Java
2011-03-01 03:39 . 2011-03-01 03:39 73728 ----a-w- h:\windows\system32\javacpl.cpl
2011-03-01 03:39 . 2011-03-01 03:39 472808 ----a-w- h:\windows\system32\deployJava1.dll
2011-03-01 03:39 . 2011-03-01 03:39 -------- d-----w- h:\program files\Java
2011-03-01 01:42 . 2011-03-01 01:42 -------- d-----w- H:\_OTM
2011-02-28 15:29 . 2008-04-14 12:42 3584 ----a-w- h:\windows\system32\k.dll
2011-02-27 23:35 . 2008-04-14 00:12 507904 ----a-w- h:\windows\system32\winlogon.ex_
2011-02-27 23:35 . 2008-04-14 00:12 1033728 ----a-w- h:\windows\explorer.ex_
2011-02-27 19:19 . 2011-02-27 19:19 33019 ----a-w- h:\windows\system32\CoreAAC-uninstall.exe
2011-02-27 19:18 . 2009-08-12 04:18 497664 ----a-w- h:\windows\system32\ac3filter.acm
2011-02-27 18:32 . 2011-02-27 20:28 -------- d-----w- H:\Temple
2011-02-27 18:29 . 2011-02-27 18:42 -------- d-----w- h:\program files\Avi2Dvd
2011-02-26 19:30 . 2011-02-26 19:30 -------- d-----w- h:\program files\ESET
2011-02-26 16:14 . 2011-02-23 14:56 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2011-02-26 15:52 . 2011-02-26 15:52 -------- d-----w- h:\windows\system32\wbem\Repository
2011-02-26 15:50 . 2011-02-26 15:50 -------- d-----w- h:\program files\EVE Metrics Uploader
2011-02-25 07:53 . 2011-02-25 07:53 -------- d-----w- h:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2011-02-25 04:37 . 2011-02-25 04:37 -------- d-----w- h:\documents and settings\Deb\Application Data\Malwarebytes
2011-02-25 04:26 . 2010-12-21 01:09 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2011-02-25 04:26 . 2011-02-25 04:26 -------- d-----w- h:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-02-25 04:26 . 2011-02-26 16:12 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2011-02-25 04:26 . 2010-12-21 01:08 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
2011-02-19 13:01 . 2011-02-19 13:01 -------- d-----w- h:\program files\Microsoft.NET
2011-02-18 07:02 . 2011-02-18 07:02 -------- d-----w- H:\AutoCad
2011-02-10 01:10 . 2011-02-10 01:10 1716297 ----a-w- h:\windows\system32\InetClnt.dll
2011-01-31 04:58 . 2011-01-31 04:58 -------- d-----w- h:\program files\Rhinoceros 4.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-23 15:04 . 2010-08-02 15:01 40648 ----a-w- h:\windows\avastSS.scr
2011-02-23 15:04 . 2010-08-02 15:01 190016 ----a-w- h:\windows\system32\aswBoot.exe
2011-02-23 14:56 . 2010-08-02 15:02 301528 ----a-w- h:\windows\system32\drivers\aswSP.sys
2011-02-23 14:55 . 2010-08-02 15:02 49240 ----a-w- h:\windows\system32\drivers\aswTdi.sys
2011-02-23 14:55 . 2010-08-02 15:02 102232 ----a-w- h:\windows\system32\drivers\aswmon2.sys
2011-02-23 14:55 . 2010-08-02 15:02 96344 ----a-w- h:\windows\system32\drivers\aswmon.sys
2011-02-23 14:55 . 2010-08-02 15:02 25432 ----a-w- h:\windows\system32\drivers\aswRdr.sys
2011-02-23 14:54 . 2010-08-02 15:02 30680 ----a-w- h:\windows\system32\drivers\aavmker4.sys
2011-02-23 14:54 . 2010-08-02 15:02 19544 ----a-w- h:\windows\system32\drivers\aswFsBlk.sys
2011-02-10 01:10 . 2011-02-10 01:10 12 ----a-w- h:\windows\Fonts\wfonts.key
2011-01-21 14:44 . 2008-03-29 04:35 439296 ----a-w- h:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-03-28 09:10 290048 ----a-w- h:\windows\system32\atmfd.dll
2011-01-05 03:34 . 2009-03-16 21:33 5656576 ----a-w- h:\windows\system32\drivers\ati2mtag.sys
2011-01-05 03:13 . 2009-03-16 19:35 57344 ----a-w- h:\windows\system32\aticalrt.dll
2011-01-05 03:12 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\aticalcl.dll
2011-01-05 03:11 . 2009-03-16 19:33 4489216 ----a-w- h:\windows\system32\aticaldd.dll
2011-01-05 03:11 . 2009-03-16 20:04 17084416 ----a-w- h:\windows\system32\atioglxx.dll
2011-01-05 03:00 . 2009-03-16 20:27 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
2011-01-05 02:59 . 2009-03-16 20:26 302080 ----a-w- h:\windows\system32\ati2dvag.dll
2011-01-05 02:53 . 2009-03-16 20:17 311296 ----a-w- h:\windows\system32\atiiiexx.dll
2011-01-05 02:53 . 2009-03-16 20:06 4021984 ----a-w- h:\windows\system32\ati3duag.dll
2011-01-05 02:46 . 2011-01-27 04:52 1112576 ----a-w- h:\windows\system32\ativvamv.dll
2011-01-05 02:39 . 2009-03-16 20:17 212992 ----a-w- h:\windows\system32\atipdlxx.dll
2011-01-05 02:39 . 2009-03-16 20:16 155648 ----a-w- h:\windows\system32\Oemdspif.dll
2011-01-05 02:39 . 2009-03-16 20:16 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
2011-01-05 02:39 . 2009-03-16 20:16 43520 ----a-w- h:\windows\system32\ati2edxx.dll
2011-01-05 02:39 . 2009-03-16 20:16 188416 ----a-w- h:\windows\system32\ati2evxx.dll
2011-01-05 02:37 . 2009-03-16 20:15 638976 ----a-w- h:\windows\system32\ati2evxx.exe
2011-01-05 02:36 . 2009-03-16 19:53 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
2011-01-05 02:36 . 2009-03-16 20:13 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
2011-01-05 02:35 . 2010-04-10 04:02 143360 ----a-w- h:\windows\system32\atiapfxx.exe
2011-01-05 02:31 . 2009-03-16 19:36 651264 ----a-w- h:\windows\system32\atikvmag.dll
2011-01-05 02:29 . 2009-03-16 19:35 196608 ----a-w- h:\windows\system32\atiadlxx.dll
2011-01-05 02:28 . 2009-03-16 19:34 17408 ----a-w- h:\windows\system32\atitvo32.dll
2011-01-05 02:28 . 2009-03-16 19:35 471040 ----a-w- h:\windows\system32\atiok3x2.dll
2011-01-05 02:22 . 2009-03-16 19:28 851968 ----a-w- h:\windows\system32\ati2cqag.dll
2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\atimpc32.dll
2011-01-05 02:20 . 2009-03-16 19:40 64512 ----a-w- h:\windows\system32\amdpcom32.dll
2011-01-05 02:19 . 2009-03-16 19:34 53248 ----a-w- h:\windows\system32\drivers\ati2erec.dll
2010-12-31 13:10 . 2008-03-28 09:11 1854976 ----a-w- h:\windows\system32\win32k.sys
2010-12-22 12:34 . 2008-03-29 04:36 301568 ----a-w- h:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2008-03-29 04:35 916480 ----a-w- h:\windows\system32\wininet.dll
2010-12-20 23:59 . 2008-03-29 04:36 1469440 ------w- h:\windows\system32\inetcpl.cpl
2010-12-20 23:59 . 2008-03-29 04:36 43520 ----a-w- h:\windows\system32\licmgr10.dll
2010-12-20 17:26 . 2008-03-28 09:10 730112 ----a-w- h:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2008-03-29 05:44 385024 ----a-w- h:\windows\system32\html.iec
2010-12-09 15:15 . 2008-03-28 09:10 718336 ----a-w- h:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2008-03-28 09:10 33280 ----a-w- h:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2008-03-28 09:10 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2001-08-17 13:48 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
2010-12-07 19:14 . 2010-12-07 19:14 51200 ----a-w- h:\windows\system32\OpenCL.dll
.

------- Sigcheck -------

[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . h:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot_2011-03-01_03.30.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-01 03:39 . 2011-03-01 03:39 157472 h:\windows\system32\javaws.exe
+ 2011-03-01 03:39 . 2011-03-01 03:39 145184 h:\windows\system32\javaw.exe
- 2010-02-18 03:44 . 2009-10-11 11:17 145184 h:\windows\system32\javaw.exe
+ 2011-03-01 03:39 . 2011-03-01 03:39 145184 h:\windows\system32\java.exe
- 2010-02-18 03:44 . 2009-10-11 11:17 145184 h:\windows\system32\java.exe
+ 2011-03-01 03:39 . 2011-03-01 03:39 180224 h:\windows\Installer\84afa.msi
+ 2011-03-01 03:39 . 2011-03-01 03:39 675840 h:\windows\Installer\84aef.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 15:04 122512 ----a-w- h:\program files\Alwil Software\Avast5\ashShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="h:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"SUPERAntiSpyware"="h:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-25 2423752]
"Google Update"="h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-09 135664]
"EVEMon"="i:\program files\EVEMon\EVEMon.exe" [2011-02-12 1724928]
"Skype"="h:\program files\Skype\Phone\Skype.exe" [2010-12-03 14944136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIARaidUtl"="h:\program files\VIA\RAID\raid_tool.exe" [2009-02-19 4918936]
"AMD_Display"="h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe" [2008-05-05 1449984]
"StartCCC"="h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-05 98304]
"avast"="h:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
"SunJavaUpdateSched"="h:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Timex Data Link USB Launcher.lnk - h:\program files\Timex\Data Link USB\DataLinkLauncher.exe [2010-11-19 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "e:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "h:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- h:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\H:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=h:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=h:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-06-10 10:57 136472 ----a-w- h:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-06-10 11:02 904840 ----a-w- i:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 08:04 39792 ----a-w- h:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- h:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-04-06 23:35 247296 ----a-w- h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2008-07-22 20:53 77824 ----a-w- h:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMD_Display]
2008-05-05 16:37 1449984 ----a-w- h:\program files\AMD\AMD Power Monitor\AMD_PwrMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
h:\program files\ATI Multimedia\main\launchpd.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast5]
2011-02-23 15:04 3451496 ----a-w- h:\progra~1\ALWILS~1\Avast5\AvastUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ----a-w- h:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
2005-12-10 14:57 133016 ----a-w- h:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EVEMon]
2011-02-12 20:26 1724928 ----a-w- i:\program files\EVEMon\EVEMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fomine WinPopup]
2002-09-17 04:39 292352 ----a-w- h:\program files\Fomine WinPopup\WinPopup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-12-09 03:45 135664 ------w- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2003-09-01 18:52 376912 -c--a-w- h:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2001-08-10 17:23 94208 ----a-w- h:\program files\Common Files\Logitech\QCDriver\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 19:50 155648 ----a-w- h:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerBlock]
2010-11-07 05:24 1867888 ----a-w- h:\program files\PeerBlock\peerblock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-09-01 22:57 282624 ----a-w- h:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-02-26 07:03 16125440 ------w- h:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SightSpeed]
2008-11-03 19:02 4789048 ----a-w- h:\program files\SightSpeed\SightSpeed.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 10:04 2879488 ------r- h:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-01-05 04:36 98304 ----a-w- h:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMRUBottedTray]
2008-11-06 18:33 288088 ----a-w- h:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-06-10 10:55 1326080 ----a-w- i:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-01-13 22:44 37888 ----a-w- h:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LVPrcSrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\AboutTime\\AboutTime.exe"=
"e:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\eve\\bin\\ExeFile.exe"=
"h:\\Program Files\\DAP\\DAP.exe"=
"h:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"h:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"i:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\UGS\\NX 6.0\\UGII\\ugraf.exe"=
"h:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"h:\\Program Files\\Motorola\\RSD Lite\\SDL.exe"=
"h:\\Program Files\\Skype\\Phone\\Skype.exe"=
"h:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"h:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"h:\\WINDOWS\\system32\\dpvsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009
"8181:TCP"= 8181:TCP:utorrent webui
"8181:UDP"= 8181:UDP:utorrent webui

R0 sptd;sptd;h:\windows\system32\drivers\sptd.sys [5/2/2008 8:16 PM 643072]
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2/26/2011 9:14 AM 371544]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [8/2/2010 8:02 AM 301528]
R1 SASDIFSV;SASDIFSV;h:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;h:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [8/2/2010 8:02 AM 19544]
R2 MotoConnect Service;MotoConnect Service;h:\program files\Motorola\MotoConnectService\MotoConnectService.exe [6/27/2010 6:26 PM 91392]
R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\UGS\UGSLicensing\lmgrd.exe [4/22/2008 9:37 AM 1372160]
R2 VRAID Log Service;VRAID Log Service;h:\program files\VIA\RAID\vialogsv.exe [5/20/2009 8:38 PM 52888]
R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [5/20/2009 10:15 PM 34304]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [5/20/2009 7:19 PM 38656]
R3 pbfilter;pbfilter;h:\program files\PeerBlock\pbfilter.sys [2/25/2010 9:14 PM 19056]
R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);h:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 6:13 AM 135664]
S3 Amazon Download Agent;Amazon Download Agent;h:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [4/12/2009 10:48 PM 319488]
S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [6/27/2010 6:27 PM 25856]
S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [8/15/2010 3:18 PM 13192]
S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [8/15/2010 3:18 PM 8456]
S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [12/28/2007 12:57 AM 46080]
S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [6/27/2010 6:27 PM 42752]
S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [4/4/2007 9:56 PM 21376]
S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2/24/2010 6:47 AM 206608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 RUBotted;Trend Micro RUBotted Service;h:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2/24/2010 6:47 AM 582992]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
.
Contents of the 'Scheduled Tasks' folder

2011-03-02 h:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

2011-03-02 h:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- h:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 13:13]

2011-02-26 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003Core.job
- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

2011-03-02 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-725345543-839522115-1003UA.job
- h:\documents and settings\Deb\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-09 03:45]

2011-02-25 h:\windows\Tasks\{9C117111-5543-41EF-B8BA-B9878B7EE374}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]

2011-03-01 h:\windows\Tasks\{B330E9BD-9502-4D89-B3A9-3BB957C35074}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]

2011-03-01 h:\windows\Tasks\{BF62BF1F-BB0E-44D1-97CB-094298049FEB}_STEVE_Steve.job
- h:\windows\system32\mobsync.exe [2008-03-28 12:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: intuit.com\ttlc
TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\DAP\dapie.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-01 19:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="h:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1460)
h:\program files\SUPERAntiSpyware\SASWINLO.DLL
h:\windows\system32\WININET.dll
h:\windows\system32\Ati2evxx.dll
h:\windows\system32\atiadlxx.dll
h:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'explorer.exe'(3568)
h:\windows\system32\WININET.dll
h:\windows\system32\msi.dll
h:\windows\system32\ieframe.dll
h:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
h:\windows\system32\Ati2evxx.exe
h:\program files\Alwil Software\Avast5\AvastSvc.exe
h:\windows\system32\Ati2evxx.exe
h:\program files\Common Files\Acronis\Schedule2\schedul2.exe
h:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
h:\program files\Java\jre6\bin\jqs.exe
h:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
h:\windows\system32\wdfmgr.exe
h:\program files\UGS\UGSLicensing\ugslmd.exe
h:\windows\system32\wscntfy.exe
h:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
h:\program files\Skype\Plugin Manager\skypePM.exe
h:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
h:\program files\Motorola\MotoConnectService\MotoConnect.exe
.
**************************************************************************
.
Completion time: 2011-03-01 19:35:20 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-02 02:35
ComboFix2.txt 2011-03-01 17:11
ComboFix3.txt 2011-03-01 03:33
ComboFix4.txt 2011-02-28 01:15
ComboFix5.txt 2011-03-02 01:39

Pre-Run: 200,441,028,608 bytes free
Post-Run: 200,415,531,008 bytes free

- - End Of File - - 36D287DDC8270A8A09F8876E8456FD16
 
Consider sitting back and letting me review the logs.

As for System Restore: to the best of my knowledge, there isn't any malware that drops or adds restore points.
RP1: 2/24/2011 9:43:15 PM - System Checkpoint> Normal. Set by the system.
RP2: 2/25/2011 7:01:25 AM - Installed HiJackThis> Normal. A Restore Point should be set before installing a new program.
RP3: 2/26/2011 8:34:02 AM - Restore Operation> done by computer user.
RP4: 2/26/2011 8:48:57 AM - Restore Operation> done by computer user.


System Restore should not be done while cleaning because if an infected restore point is used, it can reinfect the system.

Note that I had no system restore points prior to the infection. I believe the infection may have wiped them, so any files extracted from the restore points might be suspect.

You should have restore points set! The system will usually do this automatically if the system is on. Combofix would not have replaced an infected file with another file.


Why do you continue to try to second guess me?
 
I am in no way trying to second guess you. You present me information, and I reply with what I think may be pertinent feedback. I do not pretend to know better than you, but I do think that you will draw the best conclusion with more accurate information. I seek to provide accurate information. Nothing more.

Concerning system restore, it was active, and prior to the infection, I had restore points - at least system checkpoints. After the infection, I had no system restore points before the date of infection. I will concede that it is possible system restore may have been deactivated prior, but not intentionally as I have utilized system restore on several occasions.

If you prefer that I shut up, I will do so. I am actually just trying to be helpful in providing what I regard as pertinent feedback. From this point forward, I will do exactly as you say and provide responses only when asked direct questions.

Thanks again.
 
I meant to reassure you that I was carefully reviewing all the log entries - nothing more. Since the redirect problem has been resolved, I'd like you to run the Eset online virus scan once more. If it's clean, I will have you remove the cleaning tools we used.
 
"Why do you continue to try to second guess me?" - this does not sound like an attempt to convey reassurance.

Please let me state that I trust your expertise implicitly. All information presented was with the intent of providing you information that may not be reflected in the logs.

I greatly appreciate all your efforts and regret any misunderstanding that may exist between us.

ESET run with the same options in your first reference to ESET. Requested log follows:
=============================================================
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=9e79442f8cc1f34781344975555be3a0
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-26 10:51:45
# local_time=2011-02-26 03:51:45 (-0700, US Mountain Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 30819859 30819859 0 0
# compatibility_mode=768 16777215 100 0 30810311 30810311 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=871
# found=0
# cleaned=0
# scan_time=18
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=9e79442f8cc1f34781344975555be3a0
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-26 11:35:55
# local_time=2011-02-26 04:35:55 (-0700, US Mountain Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 30819945 30819945 0 0
# compatibility_mode=768 16777215 100 0 30810397 30810397 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=149446
# found=4
# cleaned=0
# scan_time=2581
H:\Documents and Settings\Deb\My Documents\Downloads\MGtools.exe probably a variant of Win32/TrojanDropper.Agent.FPPWZRZ trojan (unable to clean) 00000000000000000000000000000000 I
H:\WINDOWS\system32\k.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
H:\WINDOWS\system32\drivers\etc\Copy of hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
H:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=9e79442f8cc1f34781344975555be3a0
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-02 07:05:01
# local_time=2011-03-02 12:05:01 (-0700, US Mountain Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 31141175 31141175 0 0
# compatibility_mode=768 16777215 100 0 31131627 31131627 0 0
# compatibility_mode=8192 67108863 100 0 246982 246982 0 0
# scanned=671592
# found=4
# cleaned=0
# scan_time=10697
H:\System Volume Information\_restore{9E309AAF-1379-463E-ACC3-0D3107ABAA46}\RP14\A0012373.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
H:\WINDOWS\system32\k.dll Win32/Bamital.FE trojan (unable to clean) 00000000000000000000000000000000 I
H:\_OTM\MovedFiles\02282011_184221\H_Documents and Settings\Deb\My Documents\Downloads\MGtools.exe probably a variant of Win32/TrojanDropper.Agent.FPPWZRZ trojan (unable to clean) 00000000000000000000000000000000 I
H:\_OTM\MovedFiles\02282011_184221\H_WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
 
Going to have to check for a rootkit! This one entry just won't stay gone!

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    H:\WINDOWS\system32\k.dll 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================================
Download catchme.exe ( 137KB ) and save to your desktop.
  • Double click the catchme.exe to run it
  • Click the "Scan" button to start scan
  • Open catchme.log to see results

Copy the log to Notepad, making sure that 'Word Wrap' is unchecked in Format. Then paste the log in your next reply.

catchme is the rootkit/stealth malware scanner that scans for:
  • hidden processes
  • hidden registry keys
  • hidden services
  • hidden files
catchme can also delete, destroy and collect malicious files.
 
All processes killed
========== FILES ==========
File/Folder H:\WINDOWS\system32\k.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: All Users.WINDOWS

User: Deb
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 8662114 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 73838537 bytes
->Flash cache emptied: 934 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Steve
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
Session Manager Temp folder emptied: 1167358 bytes
Session Manager Tmp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 44607 bytes

Total Files Cleaned = 80.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 03022011_145837

Files moved on Reboot...

Registry entries deleted on Reboot...

================================================================

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 15:08:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:6a0d5e22
"s1"=dword:9d5ec1f0
"s2"=dword:03819763
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="H:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,8a,3b,8a,3c,e8,02,88,32,16,4f,a7,58,63,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c1,e3,27,43,7e,8c,b9,85,71,3f,ae,c6,1f,b7,36,3d,07,..
"khjeh"=hex:02,dc,6f,47,0a,3e,6f,f3,4f,a5,1a,80,eb,cd,57,bb,b2,a2,0b,f3,1f,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:29,a1,21,25,de,e3,35,30,f1,b8,09,e0,81,26,9c,3f,3d,b2,11,91,04,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:2a,af,75,01,e8,55,4c,d1,67,d0,a7,71,96,7a,df,49,e7,ca,70,7d,f4,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="H:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,8a,3b,8a,3c,e8,02,88,32,16,4f,a7,58,63,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c1,e3,27,43,7e,8c,b9,85,71,3f,ae,c6,1f,b7,36,3d,07,..
"khjeh"=hex:02,dc,6f,47,0a,3e,6f,f3,4f,a5,1a,80,eb,cd,57,bb,b2,a2,0b,f3,1f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:aa,8f,ac,06,1c,5b,fd,db,b0,0d,bd,9a,b3,09,ac,9c,3c,ba,67,5d,e8,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="H:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:08,28,0e,1b,5e,e9,b7,f8,8a,3b,8a,3c,e8,02,88,32,16,4f,a7,58,63,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,c1,e3,27,43,7e,8c,b9,85,71,3f,ae,c6,1f,b7,36,3d,07,..
"khjeh"=hex:02,dc,6f,47,0a,3e,6f,f3,4f,a5,1a,80,eb,cd,57,bb,b2,a2,0b,f3,1f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:29,a1,21,25,de,e3,35,30,f1,b8,09,e0,81,26,9c,3f,3d,b2,11,91,04,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:2a,af,75,01,e8,55,4c,d1,67,d0,a7,71,96,7a,df,49,e7,ca,70,7d,f4,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
 
Okay, if you are still having the redirects, I'd like you to disable the CD Emulator (DaemonTools) - it may be interfering with the scans:

DeFogger CD Emulation

To disable CD Emulation programs using DeFogger please perform these steps:
  1. Please download DeFogger to your desktop.
     Link: http://download.bleepingcomputer.com/jpshortstuff/Defogger.exe
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
================================
When we have finished doing the scans:
To enable CD Emulation programs using DeFogger please perform these steps:
  1. Please download DeFogger to your desktop.
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Enable button to enable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been enabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
==================================
If there is any change in the system, please let me know. As for slow loading pages, that is most likely a server issue, not malware.
 
Okay, if you are still having the redirects, I'd like you to disable the CD Emulator (DaemonTools) - it may be interfering with the scans:

Per https://www.techspot.com/vb/post1011027-15.html, "Redirects are NOT occurring anymore, and page loads following link clicks are VERY responsive (since they're not looking for a different server! - and Avast shields are still disabled)."

Do you still wish me to execute the steps pertaining to DeFogger?

If there is any change in the system, please let me know. As for slow loading pages, that is most likely a server issue, not malware.

There have been no adverse changes to the system since my referenced link. Comments concerning slow page loads were exclusively associated with redirects. Since redirects have stopped, browser navigation is very brisk with few exceptions.
 
Okay, skip the Emulator removal.

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you have any questions.
 
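The restore-point steps above are given for the Windows XP GUI. As an added example (not part of the thread, and not a tool the helper used), the same work from a cmd.exe prompt: check whether System Restore has been switched off (it can be disabled either in the local setting or by policy, and the two registry locations below tell them apart), turn it back on for the system drive, create a fresh checkpoint and list what exists afterwards. It assumes Windows XP Professional or later with wmic.exe available, that C: is the system drive, and that the prompt is run by an administrator; the restore point description is a placeholder.

```batch
@echo off
REM Added example, not from the thread. Requires wmic.exe (Windows XP Professional
REM or later) and an administrator prompt. Assumes C: is the system drive.

REM 1. Is System Restore off in the local setting?  DisableSR = 0x1 means "off".
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR

REM 1b. Or forced off by policy?  A DisableSR value here overrides the local setting;
REM     "unable to find" means no policy is set.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR

REM 2. Turn System Restore back on for the system drive.
REM    SystemRestore.Enable(Drive, WaitTillEnabled); TRUE waits until it is active.
wmic /namespace:\\root\default path SystemRestore call Enable "C:\", TRUE

REM 3. Create a new restore point.  WMIC passes CALL arguments in alphabetical
REM    parameter order (Description, EventType, RestorePointType), so
REM    100 = BEGIN_SYSTEM_CHANGE and 7 = CHECKPOINT (a manual checkpoint).
wmic /namespace:\\root\default path SystemRestore call CreateRestorePoint "Post-cleanup checkpoint", 100, 7

REM 4. List the restore points now present.  After Disk Cleanup's "Clean Up" in the
REM    System Restore section, only the newest SequenceNumber should remain.
wmic /namespace:\\root\default path SystemRestore get SequenceNumber,CreationTime,Description
```

If step 1 shows DisableSR = 0x1 under the Policies key, the Enable call will not stick until that policy value is removed; the GUI prompt to "turn it on" corresponds to the local DisableSR value in step 1.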
Thanks again for all your help thus far.

Combofix uninstalled.

OTCleanIt ran, and it required a reboot. Rebooted without incident.

Upon attempting to create a restore point, I was informed that I needed to turn it on. I did not turn it off at any point during this entire process. Is this normal?

I turned it on and created a restore point. When I did so, there were no other restore points available.

Nonetheless, I executed the disk clean up instructions and emptied the recycle bin per your recommendation.

Last question: What turned off my system restore?
 