TechSpot

Google redirect. Hijacked?

By Shaftmonde
Nov 4, 2009
  1. Confession time.
    (Background history)
    I had an old AcdSee 5 Trial program that I only recently installed. It said it would expire in 30 days unless I bought it, so tried to do that, but the link didn't work. So, when Googling I found a 'crack' on offer. (Yes I know - Duh!)
    I thought with Bit Defender on guard checking every file that it would be safe.
    Since then all Google search links are being redirected to dubious sites.
    Looking at other posts and following some of the advice this seems to be a common phenomenon, and very intractable.
    It affects both Firefox, which I use. Also IE.
    System Restore cannot restore from any previous date.
    I've done scans with Bit Defender, SuperAntispyware, Malwarebytes and Combofix.
    And used CCleaner, Advanced SystemCare and HijackThis. (Logs enclosed.)
    Most contents of 'My Documents' are on an external disk, normally disconnected.
    Does anyone know the answer to this without me having to re-install?
    Thanks in advance.
     

    Attached Files:

  2. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Update

    I just noticed that I enclosed the wrong SAS log, an old one.
    So here is the most recent one.
    Should also mention that I once briefly had Limewire installed, (now uninstalled) so any references to it are only vestiges that are now deleted.
     
  3. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Further update.

    Well, after struggling for days on this problem, scanning my comp with every known virus/antimalware recommended on this forum, and coming up clean, I tried another tack.
    I noticed that the problem didn't manifest itself when I tried the Chrome browser, so decided the problem may lie within the Firefox and Internet Explorer browsers themselves.
    Saving the bookmarks to isolate them first, I uninstalled Firefox completely, searched for any references to 'Firefox' or 'Mozilla' and deleted all I could, emptied the recycle bin, restarted, downloaded and installed Firefox afresh.
    Then imported my saved bookmarks and all 'seems' okay now. Google links go where they're supposed to.
    Touch wood, I think I'm up and running.
    It's a simple solution (If it lasts) which may be helpful to others with this problem.
    Thanks for reading this.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You only get absolved for the confession if you remove any and all pirated files- then we will continue support.

    It is best to only follow the steps we have set up for Virus and Malware removal HERE;

    You have run an old version of HijackThis. Pleasse remove v1.9.9 for the system and run v2.0.2 instead. Paste that log into the next reply

    Although you might have seen others instructed to run Combofox, it should not be run unless or until your helper instructs you to and then with guidance.
     
  5. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Bobbye,
    thanks for your reply.
    As I said in my last post everything seems okay now. (and the system is running much faster now)
    I am puzzled as to how I ran an old version of HJT considering I only downloaded it last week. So in the interests of thoroughness I've downloaded and run the 2.0.2 version again.
    I've checked the Google search engines on all my three browsers, Firefox, IE, and Chrome, and everything is fine now.
    (BTW - I never did get that AcdSee thing to work, only malware instead)
    So unless you see anything suspicious in the HJT log I think that's it.
    Thanks,

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:38:28, on 11/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\GFI\GFIBAC~1\GFIHINST.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Launch Manager\OSDCtrl.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Launch Manager\Wbutton.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?shva=1#inbox
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
    O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
    O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256584701857
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: GFI Backup 2009 - Home Edition Attendant Service (GFIBckHAtt) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHINST.EXE
    O23 - Service: GFI Backup 2009 - Home Edition Scheduler Service (GFIBckHSched) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE
    O23 - Service: Google Update Service (gupdate1ca56935cbf11cc) (gupdate1ca56935cbf11cc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

    --
    End of file - 8826 bytes
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Then wherever you downloaded it from on had the old version. The link in our removal thread has the current version.

    You need to do some cleanup: TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Do NOT use the System Restore feature. The restore points have malware. When the system is clean, I'll have you remove the old restore points and set new clean one.

    Empty the Recycle Bin

    After running TFC, I'd like you to do an online scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I would like to bring your attention to some very old files: All but last are legitimate but should be either updated or removed.

    1997-05-06 04:24 41984 ----a-w- c:\windows\system32\ADIMON.DLL>>> belonging to HeidiĀ®\ from Autodesk, Inc.
    1997-05-06 04:24 447488 ----a-w- c:\windows\system32\HEIDI3.DLL>> Eraser (by Heidi)>> current full release is vEraser 5.8.7 released!
    1997-05-06 04:26 721168 ----a-w- c:\windows\system32\VB40032.DLL>>> Visual Basic 4.0 Runtime Library.
    1997-05-06 04:24 42496 ----a-w- c:\windows\system32\MTSTACK.EXE>>> component of AutoCAD.
    1997-05-06 04:15 7680 ----a-w- c:\windows\system32\ADRESC.DLL>>>> IRichEditSpecialChar Proxy/Stub
    1997-05-06 04:15 267264 ----a-w- c:\windows\system32\ACADFICN.DLL>>> process unindentified, but from Autodesk.
    1997-05-06 04:15 76800 ----a-w- c:\windows\system32\REGACAD.DLL>>> process unidentified, but from Autodesk.
    1997-01-22 15:23 299520 ----a-w- c:\windows\uninst.exe
    >>>> needs to be removed. May belong to BargainBuddy-OR-Adware.W32.AntivirusGoldis-OR- related to KeyKey which is a commercial keylogger. Obviously an uninstaller. should be checked for HJT removal.

    Attach log from Eset online scanner

    Rescan with HijackThis, paste new log in next reply.

    Let me know about the old files. If being used, check for updates. If not being used, I'll have you remove the entries and programs.
     
  7. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Okay,
    ran the TFC, no probs.

    Ran the ESET Nod32
    Log as follows:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=33c69169c547db4394ed1643cf816280
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-11-11 09:25:21
    # local_time=2009-11-11 09:25:21 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 41307 41307 0 0
    # compatibility_mode=2050 16776869 100 100 3865 251007041 0 0
    # compatibility_mode=8192 67108863 100 0 3923 3923 0 0
    # scanned=88753
    # found=0
    # cleaned=0
    # scan_time=1595

    The old files you mention are likely leftovers from a previous old computer. (I transferred most things indiscriminately when I changed to this laptop) and have now deleted them all, without consequent problems. Recycle bin is empty.

    HijackThis log as follows on next post:
     
  8. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Here's the HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:51:16, on 11/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Acer\eManager\anbmServ.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\PROGRA~1\GFI\GFIBAC~1\GFIHINST.EXE
    C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Launch Manager\OSDCtrl.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Launch Manager\Wbutton.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\acer\eRecovery\Monitor.exe
    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?shva=1#inbox
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
    O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
    O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
    O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
    O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256584701857
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
    O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: GFI Backup 2009 - Home Edition Attendant Service (GFIBckHAtt) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHINST.EXE
    O23 - Service: GFI Backup 2009 - Home Edition Scheduler Service (GFIBckHSched) - GFI Software Ltd. - C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE
    O23 - Service: Google Update Service (gupdate1ca56935cbf11cc) (gupdate1ca56935cbf11cc) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

    --
    End of file - 9343 bytes
    Looking good?
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please do a right click > delete on the Combofix file on the desktop.

    Then rescan with Combofix- once more.

    Attach report.

    HijackThis is okay. I want to be sure all the pirated 'stuff' is gone.
     
  10. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    O.K.
    All previous Combofix scans deleted - Fresh Combofix downloaded and run.
    New log attached.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Combofix shows possible rootkit:
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\atapi -> 0x87008170
    Warning: possible MBR rootkit infection !
    user & kernel MBR OK
    Use "Recovery Console" command "fixmbr" to clear infection !

    Or you can attempt to verify by running GMER:

    Please download GMER HERE and save it to your desktop.
    • Double click set up to run gmer.exe
    • Select Rootkit tab
    • Click the "Scan" button.
    • Save the log and include in next reply.
    Warning ! Please, do not select the "Show all" checkbox during the scan.

    The screenshot HERE will show you how the display will come up.
    Please copy the scan result using Copy button> paste to Notepad and attach here.
    Warning ! Please, do not select the "Show all" checkbox during the scan.


    I also noted another block of old processes:


    2004-10-05 17:12 . 2004-10-05 17:12 138430 ----a-w- c:\program files\Readme.rtf
    2004-10-04 18:23 . 2004-10-04 18:23 36864 ----a-w- c:\program files\zlibdll.dll>>> general purpose compression library version
    2004-10-04 18:23 . 2004-10-04 18:23 131072 ----a-w- c:\program files\zip32.dll>>> Threat Alias:Trojan.Win32.Agent.btjv [Kaspersky Lab] 4
    Trojan.Agent!sd6 [PC Tools]
    2004-10-04 18:23 . 2004-10-04 18:23 7168 ----a-w- c:\program files\viewfile.dll>>> viewfile.dll is a process belonging to the File viewer support program .
    2004-10-04 18:23 . 2004-10-04 18:23 271872 ----a-w- c:\program files\viz.dll>>> viewfile
    2004-10-04 18:23 . 2004-10-04 18:23 17408 ----a-w- c:\program files\UIControls.dll>>> User interface control customization (UIControls.dll)
    2004-10-04 18:23 . 2004-10-04 18:23 151552 ----a-w- c:\program files\unzip32.dll
    2004-10-04 18:23 . 2004-10-04 18:23 10752 ----a-w- c:\program files\undomgr.dll
    2004-10-04 18:23 . 2004-10-04 18:23 10240 ----a-w- c:\program files\UndoBody.dll


    It would appear that the program was downloaded and installed 5 years ago but what ouzzles me is that both dates show 2004. It looks like the program is GZip compression library from Autodesk Discreet. I suggest you review tthis and uninstall if not being used.
     
  12. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Thank you Bobbye.
    I've deleted the old 2004 processes - (no probs, all trash from previous computers)
    However, having twice downloaded GMER from two mirrors it will not run. All I get is "GMER has encountered a problem" etc., even in safe mode and without security programs running.
    Then tried fixmbr from recovery console but got so scared at the warning, that I didn't proceed any further.
    Is it safe to do this, or will I lose access to my drives?
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Shaftmode, I'm going to ask someone to look at the possible rootkit and see if something else would be appropriate. He might not be available toady, so five us until tomorrow, okay? I'm behind because I wasn't feeling well- now trying to catch up.
     
  14. kritius

    kritius TS Guru Posts: 2,084

    It's not an MBR rootkit.

    Verify that C:\atapi.sys exits.

    Then,

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Begin copying here:
    Files to move:
    C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log .


    Then delete the current copy of ComboFix that you have and redownload it, run it and post the log.
     
  15. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Quickie comment:
    Looked for atapi.sys but it was not in C:
    It does however exist in
    C Windows $NtServicePackUninstall$
    C Windows system32 drivers
    C Windows system32 dllcache
    C Windows ERDNT cache
    C Windows ServicePackFile i386
    C Qoobox Quarantine C Windows system32 drivers (as atapi.sys.vir)

    Now going to download the Avanger program. Will report soon.
     
  16. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Log of Avenger: ("Automatically disable any rootkits found" not selected)

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: file "C:\atapi.sys" not found!
    File move operation "C:\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Completed script processing.

    *******************

    Finished! Terminate.

    Fresh Combofix log to follow soon.
     
  17. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Here's the latest Combofix log.
     
  18. kritius

    kritius TS Guru Posts: 2,084

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe


    [​IMG]

    Refering to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  19. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Kritius,
    herewith attached the latest Combofix log: (still no sign of atapi.sys at C:)
     
  20. kritius

    kritius TS Guru Posts: 2,084

    We have moved past that.

    Have the redirects stopped?
     
  21. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    Sounds good.
    Yes, no more redirects.
    Am I cured?
     
  22. kritius

    kritius TS Guru Posts: 2,084

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
     
  23. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    OTL log (part 1)
    OTL logfile created on: 17/11/2009 17:30:52 - Run 1
    OTL by OldTimer - Version 3.1.6.0 Folder = C:\Documents and Settings\Tony Collins\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1022.16 Mb Total Physical Memory | 633.95 Mb Available Physical Memory | 62.02% Memory free
    2.40 Gb Paging File | 1.95 Gb Available in Paging File | 81.33% Paging File free
    Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 45.15 Gb Total Space | 30.18 Gb Free Space | 66.83% Space Free | Partition Type: FAT32
    Drive D: | 45.54 Gb Total Space | 42.04 Gb Free Space | 92.32% Space Free | Partition Type: FAT32
    Drive E: | 203.37 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: ACER-684C9A655D
    Current User Name: Tony Collins
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: Off
    Skip Microsoft Files: Off
    File Age = 30 Days
    Output = Minimal

    ========== Processes (SafeList) ==========

    PRC - C:\Documents and Settings\Tony Collins\Desktop\OTL.exe (OldTimer Tools)
    PRC - C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe ()
    PRC - C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe (BitDefender S.R.L.)
    PRC - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe (BitDefender S. R. L.)
    PRC - C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (Trusteer Ltd.)
    PRC - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
    PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    PRC - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe ()
    PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
    PRC - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (BitDefender SRL)
    PRC - C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIHInst.exe (GFI Software Ltd.)
    PRC - C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIHSched.exe (GFI Software Ltd.)
    PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
    PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
    PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
    PRC - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
    PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    PRC - C:\Program Files\acer\eRecovery\Monitor.exe (acer Inc.)
    PRC - C:\Program Files\Launch Manager\HotkeyApp.exe (Wistron)
    PRC - C:\Program Files\Launch Manager\WButton.exe ()
    PRC - C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
    PRC - C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
    PRC - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
    PRC - C:\Program Files\Launch Manager\OSDCtrl.exe ()
    PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
    PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
    PRC - C:\Acer\eManager\anbmServ.exe (OSA Technologies Inc.)
    PRC - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
    PRC - C:\Program Files\Launch Manager\Powerkey.exe ()
    PRC - C:\WINDOWS\system32\Crypserv.exe (Kenonic Controls Ltd.)


    ========== Modules (SafeList) ==========

    MOD - C:\Documents and Settings\Tony Collins\Desktop\OTL.exe (OldTimer Tools)
    MOD - C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll (Trusteer Ltd.)
    MOD - C:\Program Files\Trusteer\Rapport\bin\msvcr80.dll (Microsoft Corporation)
    MOD - C:\Program Files\Real\RealPlayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll (RealPlayer)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll (Microsoft Corporation)
    MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll (Microsoft Corporation)
    MOD - C:\WINDOWS\system32\mslbui.dll (Microsoft Corporation)
    MOD - C:\WINDOWS\system32\wbem\framedyn.dll (Microsoft Corporation)
    MOD - C:\WINDOWS\system32\SynTPFcs.dll (Synaptics, Inc.)
    MOD - C:\WINDOWS\system32\msvcp71.dll (Microsoft Corporation)
    MOD - C:\WINDOWS\system32\msvcr71.dll (Microsoft Corporation)


    ========== Win32 Services (SafeList) ==========

    SRV - (VSSERV) -- C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe (BitDefender S. R. L.)
    SRV - (RapportMgmtService) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
    SRV - (gupdate1ca56935cbf11cc) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
    SRV - (Autodesk Licensing Service) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe ()
    SRV - (gusvc) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
    SRV - (LIVESRV) -- C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (BitDefender SRL)
    SRV - (scan) -- C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll (S.C. BitDefender S.R.L)
    SRV - (Adobe LM Service) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe ()
    SRV - (GFIBckHAtt) -- C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIHInst.exe (GFI Software Ltd.)
    SRV - (GFIBckHSched) -- C:\Program Files\GFI\GFI Backup 2009 - Home Edition\GFIHSched.exe (GFI Software Ltd.)
    SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
    SRV - (Arrakis3) -- C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe ()
    SRV - (aawservice) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
    SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)
    SRV - (Irmon) -- C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
    SRV - (WMPNetworkSvc) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)
    SRV - (Ati HotKey Poller) -- C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.)
    SRV - (anbmService) -- C:\Acer\eManager\anbmServ.exe (OSA Technologies Inc.)
    SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
    SRV - (MDM) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
    SRV - (Crypkey License) -- C:\WINDOWS\System32\Crypserv.exe (Kenonic Controls Ltd.)
     
  24. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    (part 2)
    ========== Driver Services (SafeList) ==========

    DRV - (NTIDrvr) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)
    DRV - (RapportPG) -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (Trusteer Ltd.)
    DRV - (RapportKELL) -- C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys (Trusteer Ltd.)
    DRV - (bdftdif) -- C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys (BitDefender LLC)
    DRV - (PCANDIS5) -- C:\WINDOWS\system32\PCANDIS5.sys (Printing Communications Assoc., Inc. (PCAUSA))
    DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    DRV - (Trufos) -- C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys (BitDefender S.R.L.)
    DRV - (BDSelfPr) -- C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys (BitDefender S.R.L.)
    DRV - (bdfsfltr) -- C:\WINDOWS\system32\drivers\bdfsfltr.sys (BitDefender S.R.L. Bucharest, ROMANIA)
    DRV - (bdfm) -- C:\WINDOWS\system32\drivers\bdfm.sys (BitDefender S.R.L. Bucharest, ROMANIA)
    DRV - (Profos) -- C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys ()
    DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
    DRV - (NSCIRDA) -- C:\WINDOWS\system32\drivers\nscirda.sys (National Semiconductor Corporation)
    DRV - (atapi) -- C:\WINDOWS\system32\DRIVERS\atapi.sys ()
    DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
    DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
    DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
    DRV - (ALCXWDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
    DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
    DRV - (int15.sys) -- C:\Program Files\acer\eRecovery\int15.sys ()
    DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.)
    DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
    DRV - (UBHelper) -- C:\WINDOWS\system32\drivers\UBHelper.sys ()
    DRV - (HSFHWATI) -- C:\WINDOWS\system32\drivers\HSFHWATI.sys (Conexant Systems, Inc.)
    DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
    DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
    DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys (Realtek Semiconductor Corporation )
    DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.)
    DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
    DRV - (AmdK8) -- C:\WINDOWS\system32\drivers\AmdK8.sys (Advanced Micro Devices)
    DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
    DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
    DRV - (a347bus) -- C:\WINDOWS\system32\DRIVERS\a347bus.sys ( )
    DRV - (a347scsi) -- C:\WINDOWS\System32\Drivers\a347scsi.sys ( )
    DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
    DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
    DRV - (Hotkey) -- C:\WINDOWS\system32\drivers\HOTKEY.sys ()
    DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
    DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
    DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
    DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
    DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
    DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
    DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
    DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
    DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
    DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
    DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
    DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
    DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
    DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
    DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
    DRV - (FETNDIS) -- C:\WINDOWS\system32\drivers\fetnd5.sys (VIA Technologies, Inc. )
    DRV - (POWERKEY) -- C:\Program Files\Launch Manager\POWERKEY.SYS ()
    DRV - (SPCA508A) -- C:\WINDOWS\system32\drivers\SPCA508A.SYS (Sunplus Technology Co. LTD.)
    DRV - (NetworkX) -- C:\WINDOWS\system32\ckldrv.sys ()
     
  25. Shaftmonde

    Shaftmonde TS Rookie Topic Starter Posts: 38

    (part 3)
    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?shva=1#inbox
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 70 77 9B 04 AC A4 06 49 BD AE 6D B3 D1 3A 70 B2 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://mail.google.com/mail/?hl=en&zx=u06py5wpbe5w&shva=1#inbox|http://www.telegraph.co.uk/news/?source=refresh|http://www.timesonline.co.uk/tol/news/|http://www.thisiscornwall.co.uk/|http://bnp.org.uk/|http://www.google.co.uk/webhp?sourceid=navclient-ff|http://en.wikipedia.org/wiki/Main_Page|http://www.imdb.com/"
    FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
    FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.11.2
    FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:6.1.20091007W
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {8FFE139B-90A7-4460-A972-9D2738997F6D}:1.6.2
    FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

    FF - HKLM\software\mozilla\Firefox\Extensions\\FFToolbar@bitdefender.com: C:\Program Files\BitDefender\BitDefender 2009\FFToolbar\ [2009/10/26 20:18:04 | 00,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext
    FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/10/30 19:24:02 | 00,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/06 15:31:06 | 00,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/06 15:31:06 | 00,000,000 | ---D | M]

    [2009/10/26 04:29:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Extensions
    [2009/11/06 15:31:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
    [2009/11/03 14:31:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Extensions\mozswing@mozswing.org
    [2009/11/06 14:56:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Firefox\Profiles\96seda8b.default\extensions
    [2009/11/06 15:31:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Firefox\Profiles\alqhvz6q.default\extensions
    [2009/11/06 20:23:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Firefox\Profiles\alqhvz6q.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    [2009/11/06 15:58:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Firefox\Profiles\alqhvz6q.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
    [2009/11/06 15:58:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Firefox\Profiles\alqhvz6q.default\extensions\{8FFE139B-90A7-4460-A972-9D2738997F6D}
    [2009/11/07 20:26:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Firefox\Profiles\alqhvz6q.default\extensions\{af5514fc-7603-4cec-9894-f07f3d8672a5}
    [2009/11/06 15:58:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Firefox\Profiles\alqhvz6q.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    [2009/11/07 20:26:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Tony Collins\Application Data\Mozilla\Firefox\Profiles\alqhvz6q.default\extensions\staged-xpis
    [2009/11/06 15:31:06 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2009/11/06 15:31:06 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    [2009/11/10 15:03:24 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    [2009/11/03 03:28:04 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
    [2009/11/03 03:28:04 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
    [2009/11/12 20:03:10 | 00,065,536 | ---- | M] () -- C:\Program Files\Mozilla Firefox\components\FFComm.dll
    [2009/11/03 03:28:04 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
    [2009/10/11 04:17:28 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
    [2009/11/03 01:42:02 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
    [2009/11/03 01:42:02 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
    [2009/11/03 01:42:02 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
    [2009/11/03 01:42:02 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
    [2009/11/03 01:42:02 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
    [2009/11/03 01:42:02 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
    [2009/11/03 01:42:02 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
    [2009/11/03 01:42:02 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...