TechSpot

Google redirect - on every PC in the house

Solved
By merm8fan
Sep 5, 2010
  1. Hello, recently we have encountered redirects to unknown sites upon attempting to follow Google search result links. The URL will usually actually show the word 'redirect' in it as it sends us off, and the sites we end up at are either other search result pages, or just plain random sites that we are not familiar with.

    I can see from multiple threads here that this can be a common issue, and we have found that the problem is not unique to a single laptop or desktop, but seems to happen on each machine. Browsers vary from Firefox to IE and the MSN browser.

    Also, the redirect happened from Yahoo search result links as well, but we mainly use Google, so that has been the most prevalent issue.

    I have followed the 8 steps on this board on the netbook I am currently using, which also suffers from the redirect and has fewer programs on it than our other PCs, to hopefully allow for an easier review of the logs. Said logs are below, pasted as per the extended guidelines:

    ~~~~~~~~~~~~~~~~~~
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4053

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    9/4/2010 11:59:25 PM
    mbam-log-2010-09-04 (23-59-25).txt

    Scan type: Quick scan
    Objects scanned: 110785
    Time elapsed: 5 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ~~~~~~~~~~~~~~~~~~~~
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-05 00:22:26
    Windows 5.1.2600 Service Pack 3
    Running: wi1j908i.exe; Driver: C:\DOCUME~1\Mar\LOCALS~1\Temp\pgrirpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA9FC7CD2]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA9FC7B8E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA9FC8142]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA9FC806C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA9FC7764]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA9FC7C68]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA9FC76A4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA9FC7708]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA9FC7D88]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA9FC8210]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA9FC7D48]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA9FC7EC8]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA08B620]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA9FD4B9C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA9FD49C0]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA9FD4AFA]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntoskrnl.exe!ObInsertObject 8056DA64 5 Bytes JMP A9FD1F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!NtCreateSection 8056DB66 7 Bytes JMP A9FD49C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 8059056D 7 Bytes JMP A9FD4BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!ZwLoadDriver 805AEDE2 7 Bytes JMP A9FD4AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!ObMakeTemporaryObject 805E74E6 5 Bytes JMP A9FD05B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00390002
    IAT C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00390000

    ---- EOF - GMER 1.0.15 ----

    ~~~~~~~~~~~~~~~~~~~
    ***Additional message required for the rest of the logs - please see following post.
     
  2. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    DDS (Ver_10-03-17.01) - FAT32x86
    Run by Mar at 0:50:36.07 on Sun 09/05/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.691 [GMT -6:00]

    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\DOCUME~1\Mar\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Mar\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aoa110
    mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aoa110
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aoa110
    uInternet Settings,ProxyOverride = *.local
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [PLFSetL] c:\windows\PLFSetL.exe
    mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
    mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mar\applic~1\mozilla\firefox\profiles\zkxcevll.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-5-13 165456]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-13 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-6 40384]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-6 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-6 40384]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-11-26 96856]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-09-05 06:22:46 146 ----a-w- c:\docume~1\mar\applic~1\wklnhst.dat
    2010-09-05 05:45:50 90112 ----a-w- c:\windows\DUMP2c01.tmp
    2010-07-27 06:30:36 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
    2010-07-17 11:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:31:36 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:36 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
    2010-06-28 20:57:34 38848 ----a-w- c:\windows\avastSS.scr
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:06:52 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-23 12:06:52 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2010-06-21 15:27:12 354304 ----a-w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ----a-w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-17 15:12:58 634656 ----a-w- c:\windows\system32\dllcache\iexplore.exe
    2010-06-17 15:11:26 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31:20 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll
    2008-11-27 03:22:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2009-04-25 16:37:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042520090426\index.dat

    ============= FINISH: 0:50:55.96 ===============

    ~~~~~~~~~~~~~~~~
    ***Note: DDS 'attach.txt' states the following at the top:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    ***Please advise if this should also be pasted here, and not attached as advised.

    ~~~~~~~~~~~~~~~~

    Thank you in advance for your help! You guys saved me the last time my nephews were here and clicked something they ought not to have. :)

    Marlee
     
  3. crunchie

    crunchie Malware Helper Posts: 761

    Hi and welcome to TechSpot forums :).

    ====

    Please update MBA-M and run it again. Post the log.

    =========

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  4. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    Attempting to update MBAM results in the following error: MBAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)

    According to a Malwarebytes forum, this can be a DNS issue, which is what I already suspect based on some TechSpot forum threads involving the same redirect issue. Even after uninstalling and re-installing MBAM, the update fails with the same error message.

    As for the ComboFix, here is the log:

    ComboFix 10-09-04.06 - Mar 09/05/2010 15:53:47.1.2 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.573 [GMT -6:00]
    Running from: c:\documents and settings\Mar\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
    .

    2010-09-05 21:36 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-05 21:36 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-20 05:40 . 2010-08-20 05:40 -------- d-----w- c:\program files\Common Files\Java
    2010-08-16 06:02 . 2010-08-16 06:02 503808 ----a-w- c:\documents and settings\Mar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-51dab748-n\msvcp71.dll
    2010-08-16 06:02 . 2010-08-16 06:02 499712 ----a-w- c:\documents and settings\Mar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-51dab748-n\jmc.dll
    2010-08-16 06:02 . 2010-08-16 06:02 348160 ----a-w- c:\documents and settings\Mar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-51dab748-n\msvcr71.dll
    2010-08-16 06:02 . 2010-08-16 06:02 61440 ----a-w- c:\documents and settings\Mar\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2a3d3156-n\decora-sse.dll
    2010-08-16 06:02 . 2010-08-16 06:02 12800 ----a-w- c:\documents and settings\Mar\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-2a3d3156-n\decora-d3d.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-05 08:35 . 2010-01-13 05:33 284 ----a-w- c:\documents and settings\Mar\Application Data\wklnhst.dat
    2010-09-05 05:45 . 2009-05-14 04:21 90112 ----a-w- c:\windows\DUMP2c01.tmp
    2010-08-30 03:16 . 2010-04-30 07:19 63488 ----a-w- c:\documents and settings\Mar\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-08-30 03:16 . 2010-04-30 07:18 117760 ----a-w- c:\documents and settings\Mar\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-08-06 06:04 . 2010-08-06 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-07-17 11:00 . 2010-04-16 03:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-06-30 12:31 . 2008-11-27 01:22 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-28 20:57 . 2010-08-06 06:06 38848 ----a-w- c:\windows\avastSS.scr
    2010-06-28 20:57 . 2009-05-14 05:33 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2009-05-14 05:34 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2009-05-14 05:34 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2009-05-14 05:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2009-05-14 05:34 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2009-05-14 05:34 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2009-05-14 05:34 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2009-05-14 05:34 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-06-24 12:15 . 2008-11-27 01:22 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:15 . 2008-11-27 01:21 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-06-24 12:15 . 2008-11-27 01:21 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-06-23 13:44 . 2008-11-27 01:22 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2008-11-27 01:22 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2008-11-27 01:21 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2008-11-27 01:37 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-14 07:41 . 2008-11-27 01:22 1172480 ----a-w- c:\windows\system32\msxml3.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-05 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
    "AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-24 1044480]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
    "PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/13/2009 11:34 PM 165456]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/13/2009 11:34 PM 17744]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [11/26/2008 7:22 PM 96856]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-26 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aoa110
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Mar\Application Data\Mozilla\Firefox\Profiles\zkxcevll.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
    HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe
    HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-05 15:58
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(760)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(4080)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2010-09-05 16:01:44
    ComboFix-quarantined-files.txt 2010-09-05 22:01

    Pre-Run: 973,197,312 bytes free
    Post-Run: 938,434,560 bytes free

    - - End Of File - - 0903FD1C3AF3FB5733A63E24A91097B0
  5. crunchie

    crunchie Malware Helper Posts: 761

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

    ====

    Please run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

  6. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    Thanks again for your help!

    OTL log (part 1):

    OTL logfile created on: 9/5/2010 8:18:21 PM - Run 1
    OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Mar\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,012.00 Mb Total Physical Memory | 607.00 Mb Available Physical Memory | 60.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 7.41 Gb Total Space | 0.72 Gb Free Space | 9.70% Space Free | Partition Type: FAT32
    Drive D: | 7.46 Gb Total Space | 3.93 Gb Free Space | 52.64% Space Free | Partition Type: FAT32
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: MARSNETBOOK
    Current User Name: Mar
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/09/05 20:16:50 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mar\Desktop\OTL.exe
    PRC - [2010/09/05 16:05:42 | 000,212,992 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\Mar\Local Settings\temp\RtkBtMnt.exe
    PRC - [2010/09/04 23:19:50 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    PRC - [2010/06/28 14:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2010/06/28 14:57:16 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2008/05/13 19:14:34 | 000,821,768 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\QtZgAcer.EXE
    PRC - [2008/04/14 04:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008/02/27 23:00:10 | 000,170,520 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/09/05 20:16:50 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mar\Desktop\OTL.exe
    MOD - [2008/04/14 04:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
    SRV - [2010/06/28 14:57:16 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
    SRV - [2010/06/28 14:57:16 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
    SRV - [2010/06/28 14:57:16 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- c:\acernb\int15.sys -- (int15.sys)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Mar\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/06/28 14:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2010/06/28 14:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2010/06/28 14:33:14 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2010/06/28 14:32:46 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2010/06/28 14:32:34 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/06/28 14:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2010/06/10 23:47:00 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2008/08/07 03:14:56 | 000,111,360 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
    DRV - [2008/07/07 18:16:26 | 000,096,856 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jmcr.sys -- (JMCR)
    DRV - [2008/05/20 17:31:26 | 001,312,576 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
    DRV - [2008/05/20 01:53:00 | 004,800,000 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2008/04/24 17:17:10 | 000,225,024 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
    DRV - [2008/04/14 04:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
    DRV - [2008/04/14 04:00:00 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2008/04/14 04:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
    DRV - [2008/04/14 04:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
    DRV - [2008/04/14 04:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
    DRV - [2008/04/14 04:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
    DRV - [2008/04/14 04:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2008/04/14 04:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2008/04/14 04:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2008/04/14 04:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
    DRV - [2008/04/14 04:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
    DRV - [2008/04/14 04:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
    DRV - [2008/04/14 04:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2008/04/14 04:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
    DRV - [2008/04/14 04:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
    DRV - [2008/04/14 04:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
    DRV - [2008/04/14 00:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
    DRV - [2008/04/14 00:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
    DRV - [2008/02/14 21:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
    DRV - [2007/10/01 14:59:46 | 001,769,984 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
    DRV - [2004/12/07 22:10:00 | 000,016,896 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DKbFltr.SYS -- (DKbFltr)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aoa110

    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..network.proxy.no_proxies_on: "*.local"

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/05/23 00:21:30 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/05/23 00:21:30 | 000,000,000 | ---D | M]

    [2009/05/23 00:22:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mar\Application Data\Mozilla\Extensions
    [2009/05/23 00:22:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mar\Application Data\Mozilla\Firefox\Profiles\zkxcevll.default\extensions
    [2010/04/26 23:06:50 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Mar\Application Data\Mozilla\Firefox\Profiles\zkxcevll.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2009/05/23 00:21:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010/04/15 21:54:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/08/19 23:39:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

    O1 HOSTS File: ([2008/04/14 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
    O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE (Dritek System Inc.)
    O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
    O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe (sonix)
    O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.109.68.247 213.109.73.249 1.1.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Mar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Mar\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/11/26 19:39:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
    NetSvcs: WmdmPmSp - File not found
  7. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    OTL.txt (Part 2):

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (17183584330711040)

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/09/05 20:16:54 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mar\Desktop\OTL.exe
    [2010/09/05 20:08:01 | 000,000,000 | -HSD | C] -- C:\Recycled
    [2010/09/05 15:51:00 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/09/05 15:51:00 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/09/05 15:51:00 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/09/05 15:51:00 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/09/05 15:50:58 | 000,000,000 | -HSD | C] -- C:\System Volume Information
    [2010/09/05 15:50:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010/09/05 15:50:14 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/09/05 15:36:03 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010/09/05 15:36:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010/09/05 15:22:24 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mar\Desktop\mbam-setup-1.46.exe
    [2010/09/05 01:06:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    [2010/09/04 23:40:39 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Mar\Desktop\TFC.exe
    [2010/08/29 21:14:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Mar\Recent
    [2010/08/19 23:40:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2010/08/06 00:06:12 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
    [2010/08/06 00:04:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2010/07/02 20:55:24 | 000,000,000 | ---D | C] -- D:\My Documents\My Google Gadgets
    [2010/07/02 20:55:22 | 000,000,000 | R--D | C] -- D:\My Documents\My Music
    [2010/07/02 20:55:20 | 000,000,000 | R--D | C] -- D:\My Documents\My Pictures
    [2010/07/02 20:55:20 | 000,000,000 | ---D | C] -- D:\My Documents\My Downloads
    [2010/07/02 20:55:20 | 000,000,000 | ---D | C] -- D:\My Documents\MSN Photo Show
    [2010/07/02 20:55:20 | 000,000,000 | ---D | C] -- D:\My Documents\CyberLink
    [2010/07/02 20:55:12 | 000,000,000 | ---D | C] -- D:\My Documents\My Kindle Content
    [2010/07/02 20:55:12 | 000,000,000 | ---D | C] -- D:\My Documents\Downloads
    [2009/04/25 11:47:43 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll
    [2009/04/25 11:47:38 | 000,172,032 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll
    [2008/11/26 19:22:12 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\Interop.IWshRuntimeLibrary.dll
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 90 Days ==========

    [2010/09/05 20:16:50 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mar\Desktop\OTL.exe
    [2010/09/05 16:10:56 | 000,000,284 | ---- | M] () -- C:\Documents and Settings\Mar\Application Data\wklnhst.dat
    [2010/09/05 16:04:48 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/09/05 16:03:54 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Mar\ntuser.ini
    [2010/09/05 16:03:52 | 003,670,016 | -H-- | M] () -- C:\Documents and Settings\Mar\NTUSER.DAT
    [2010/09/05 15:58:34 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/09/05 15:47:22 | 003,837,097 | R--- | M] () -- C:\Documents and Settings\Mar\Desktop\ComboFix.exe
    [2010/09/05 15:36:08 | 000,000,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/09/05 15:24:52 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Mar\Desktop\mbam-setup-1.46.exe
    [2010/09/05 02:31:18 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Mar\Desktop\Browser security tips.wps
    [2010/09/05 01:12:52 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/09/05 00:01:34 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Mar\Desktop\wi1j908i.exe
    [2010/09/04 23:40:30 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mar\Desktop\TFC.exe
    [2010/09/04 23:36:24 | 000,036,352 | ---- | M] () -- C:\Documents and Settings\Mar\Desktop\Techspot 8 steps 9_2010.wps
    [2010/08/13 23:30:04 | 000,259,840 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/08/13 22:49:52 | 000,504,314 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/08/13 22:49:52 | 000,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/08/13 22:49:52 | 000,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/08/07 01:26:06 | 000,010,752 | ---- | M] () -- C:\Documents and Settings\Mar\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/08/06 00:07:46 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/08/06 00:07:44 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2010/07/19 20:17:58 | 000,000,590 | ---- | M] () -- C:\Documents and Settings\Mar\Desktop\CCleaner.lnk
    [2010/06/28 14:57:34 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
    [2010/06/28 14:57:12 | 000,165,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2010/06/28 14:37:52 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2010/06/28 14:37:30 | 000,165,456 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2010/06/28 14:33:14 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2010/06/28 14:32:46 | 000,100,176 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2010/06/28 14:32:42 | 000,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2010/06/28 14:32:34 | 000,017,744 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2010/06/28 14:32:16 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/09/05 15:51:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/09/05 15:51:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/09/05 15:51:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/09/05 15:51:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/09/05 15:51:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/09/05 15:46:02 | 003,837,097 | R--- | C] () -- C:\Documents and Settings\Mar\Desktop\ComboFix.exe
    [2010/09/05 15:36:06 | 000,000,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/09/05 02:31:16 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\Mar\Desktop\Browser security tips.wps
    [2010/09/05 00:01:34 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Mar\Desktop\wi1j908i.exe
    [2010/09/04 23:36:21 | 000,036,352 | ---- | C] () -- C:\Documents and Settings\Mar\Desktop\Techspot 8 steps 9_2010.wps
    [2010/08/06 00:07:45 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2010/01/12 23:33:26 | 000,000,284 | ---- | C] () -- C:\Documents and Settings\Mar\Application Data\wklnhst.dat
    [2009/06/04 21:32:11 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\Mar\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/04/25 11:47:43 | 001,769,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
    [2009/04/25 11:47:43 | 000,028,160 | ---- | C] () -- C:\WINDOWS\System32\drivers\sncduvc.sys
    [2009/04/25 11:47:43 | 000,000,036 | ---- | C] () -- C:\WINDOWS\PidList.ini
    [2008/11/26 20:55:50 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2008/11/26 19:53:52 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
    [2008/11/26 19:42:20 | 000,036,404 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
    [2008/11/26 19:35:48 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

    ========== LOP Check ==========

    [2009/04/26 17:13:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2010/08/06 00:04:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
    [2009/04/25 17:30:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mar\Application Data\MSNInstaller
    [2009/04/26 22:00:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mar\Application Data\Foxit
    [2010/01/12 23:33:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mar\Application Data\Template
    [2010/03/08 22:46:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Mar\Application Data\Amazon

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: AGP440.SYS >
    [2008/04/14 04:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\i386\sp3.cab:AGP440.sys
    [2008/04/14 04:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
    [2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\AGP440.SYS
    [2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
    [2008/04/14 00:06:40 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS

    < MD5 for: ATAPI.SYS >
    [2008/04/14 04:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\i386\sp3.cab:atapi.sys
    [2008/04/14 04:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
    [2008/04/14 04:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
    [2008/04/14 04:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
    [2008/04/14 04:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
    [2008/04/14 04:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

    < MD5 for: EVENTLOG.DLL >
    [2008/04/14 04:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
    [2008/04/14 04:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
    [2008/04/14 04:00:00 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

    < MD5 for: NETLOGON.DLL >
    [2008/04/14 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
    [2008/04/14 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
    [2008/04/14 04:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

    < MD5 for: SCECLI.DLL >
    [2008/04/14 04:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
    [2008/04/14 04:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
    [2008/04/14 04:00:00 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

    < %systemroot%\*. /mp /s >

    < %systemroot%\system32\*.dll /lockedfiles >

    < %systemroot%\System32\config\*.sav >
    [2008/11/26 11:30:06 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2008/11/26 11:30:06 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2008/11/26 11:30:04 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
    < End of report >
  8. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    The first part of the OTL.txt paste seems to be held up until a moderator approves...

    Here's the Extras.txt:

    OTL Extras logfile created on: 9/5/2010 8:18:21 PM - Run 1
    OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\Mar\Desktop
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,012.00 Mb Total Physical Memory | 607.00 Mb Available Physical Memory | 60.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1000 1500 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 7.41 Gb Total Space | 0.72 Gb Free Space | 9.70% Space Free | Partition Type: FAT32
    Drive D: | 7.46 Gb Total Space | 3.93 Gb Free Space | 52.64% Space Free | Partition Type: FAT32
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded
    G: Drive not present or media not loaded
    H: Drive not present or media not loaded
    I: Drive not present or media not loaded

    Computer Name: MARSNETBOOK
    Current User Name: Mar
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
    "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
    "{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
    "{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
    "{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron JMB38X Flash Media Controller
    "{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 21
    "{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros for Acer Driver v7.6.0.224_Foxconn Installation Program
    "{32F66A20-7614-11D4-BD11-00104BD3F987}" = MathPlayer
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = Acer Crystal Eye webcam
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
    "{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Amazon Kindle For PC" = Amazon Kindle For PC v1.0
    "avast5" = avast! Free Antivirus
    "CCleaner" = CCleaner
    "Foxit Reader" = Foxit Reader
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "LManager" = Launch Manager
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "SynTPDeinstKey" = Synaptics Pointing Device Driver

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "WinDirStat" = WinDirStat 1.1.2

    ========== Last 10 Event Log Errors ==========

    [ Antivirus Events ]
    Error - 11/7/2009 12:32:18 AM | Computer Name = MARSNETBOOK | Source = avast! | ID = 33554522
    Description =

    [ Application Events ]
    Error - 9/5/2010 12:56:29 AM | Computer Name = MARSNETBOOK | Source = ESENT | ID = 455
    Description = wuaueng.dll (580) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred
    while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

    Error - 9/5/2010 12:56:41 AM | Computer Name = MARSNETBOOK | Source = ESENT | ID = 489
    Description = wuauclt (2544) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
    for read only access failed with system error 32 (0x00000020): "The process cannot
    access the file because it is being used by another process. ". The open file
    operation will fail with error -1032 (0xfffffbf8).

    Error - 9/5/2010 12:56:41 AM | Computer Name = MARSNETBOOK | Source = ESENT | ID = 455
    Description = wuaueng.dll (2544) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
    occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

    Error - 9/5/2010 12:56:51 AM | Computer Name = MARSNETBOOK | Source = ESENT | ID = 489
    Description = wuauclt (2544) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
    for read only access failed with system error 32 (0x00000020): "The process cannot
    access the file because it is being used by another process. ". The open file
    operation will fail with error -1032 (0xfffffbf8).

    Error - 9/5/2010 12:56:51 AM | Computer Name = MARSNETBOOK | Source = ESENT | ID = 455
    Description = wuaueng.dll (2544) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
    occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

    Error - 9/5/2010 12:57:02 AM | Computer Name = MARSNETBOOK | Source = ESENT | ID = 489
    Description = wuauclt (1756) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
    for read only access failed with system error 32 (0x00000020): "The process cannot
    access the file because it is being used by another process. ". The open file
    operation will fail with error -1032 (0xfffffbf8).

    Error - 9/5/2010 12:57:02 AM | Computer Name = MARSNETBOOK | Source = ESENT | ID = 455
    Description = wuaueng.dll (1756) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
    occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

    Error - 9/5/2010 12:57:12 AM | Computer Name = MARSNETBOOK | Source = ESENT | ID = 489
    Description = wuauclt (1756) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
    for read only access failed with system error 32 (0x00000020): "The process cannot
    access the file because it is being used by another process. ". The open file
    operation will fail with error -1032 (0xfffffbf8).

    Error - 9/5/2010 12:57:12 AM | Computer Name = MARSNETBOOK | Source = ESENT | ID = 455
    Description = wuaueng.dll (1756) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
    occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

    Error - 9/5/2010 10:07:42 PM | Computer Name = MARSNETBOOK | Source = Application Hang | ID = 1002
    Description = Hanging application OTL.exe, version 3.2.11.0, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    [ System Events ]
    Error - 9/5/2010 2:31:55 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the avast! Web Scanner service.

    Error - 9/5/2010 2:32:00 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7000
    Description = The avast! Web Scanner service failed to start due to the following
    error: %%1053

    Error - 9/5/2010 2:32:14 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the avast! Web Scanner service.

    Error - 9/5/2010 2:32:19 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7000
    Description = The avast! Web Scanner service failed to start due to the following
    error: %%1053

    Error - 9/5/2010 2:32:49 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the avast! Web Scanner service.

    Error - 9/5/2010 2:33:00 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7000
    Description = The avast! Web Scanner service failed to start due to the following
    error: %%1053

    Error - 9/5/2010 2:33:16 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the avast! Mail Scanner service.

    Error - 9/5/2010 2:33:25 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7000
    Description = The avast! Mail Scanner service failed to start due to the following
    error: %%1053

    Error - 9/5/2010 2:33:49 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7011
    Description = Timeout (30000 milliseconds) waiting for a transaction response from
    the avast! Web Scanner service.

    Error - 9/5/2010 2:33:54 AM | Computer Name = MARSNETBOOK | Source = Service Control Manager | ID = 7000
    Description = The avast! Web Scanner service failed to start due to the following
    error: %%1053


    < End of report >
     
  9. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    ESET log:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.17080 (vista_gdr.100616-0452)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=e7334ea873ed75449b6704382459ecb8
    # end=finished
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-09-06 03:15:30
    # local_time=2010-09-05 09:15:30 (-0700, Mountain Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=768 16777215 100 0 40540383 40540383 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=33314
    # found=0
    # cleaned=0
    # scan_time=1745
     
  10. crunchie

    crunchie Malware Helper Posts: 761

    Is the re-direct still active?
     
  11. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    Yes, the redirect still happens on every first click of a Google search result link, and also on Yahoo result links.

    An additional wrinkle is that many times an entirely new Firefox window will open (not just a new tab) with a url of either search.gugle.com or results.gugle.com, or similar.
     
     
  12. crunchie

    crunchie Malware Helper Posts: 761

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    =======================

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

    • If an infected file is detected, the default action will be Cure, click on Continue.

    • If a suspicious file is detected, the default action will be Skip, click on Continue.

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
     
  13. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    Bootkit remover results:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
    Boot sector MD5 is: a29a0ee0cc44a754c05f0d38f7e57cb4

    Size Device Name MBR Status
    --------------------------------------------
    7 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
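The Bootkit Remover output above reports a boot sector MD5 and an "Unknown boot code" verdict for PhysicalDrive0. The script below, an added example that is not code from Bootkit Remover or from this thread, shows what such a verdict rests on: it checks the 0x55AA boot signature, hashes the 440-byte bootstrap code area ahead of the disk signature and partition table, parses the four partition entries and compares the code hash against a set of known-good hashes. The sample MBR is constructed (a zero-filled code area with one fabricated bootable FAT32 partition), so its hash is not a real Windows boot-code hash, and KNOWN_GOOD is a placeholder that a practitioner would fill from a trusted reference image of the same Windows build.

```python
"""Inspect a 512-byte master boot record the way a bootkit scanner does.

Added example; it is not code from Bootkit Remover or from this thread. It
checks the 0x55AA boot signature, hashes the bootstrap code area (the first
440 bytes, before the disk signature and partition table), parses the four
partition entries and classifies the boot code against a caller-supplied set
of known-good hashes. The sample MBR is constructed (a zero-filled code area
with one fabricated bootable FAT32 partition), so its hash is not a real
Windows boot-code hash, and KNOWN_GOOD below is a placeholder a practitioner
would fill from a trusted reference image of the same Windows build.
"""
import hashlib
import struct

MBR_SIZE = 512
CODE_AREA = 440                # bootstrap code; bytes 440..446 hold the disk signature
PART_TABLE_OFFSET = 446
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"

KNOWN_GOOD = set()             # placeholder: MD5 hex digests of trusted boot code go here


def parse_partitions(mbr):
    """Return the non-empty entries of the four-slot partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * struct.calcsize(PART_ENTRY_FMT)
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:                       # unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def inspect_mbr(mbr, known_good=KNOWN_GOOD):
    """Classify an MBR as 'OK', 'Unknown boot code' or 'Invalid signature'."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    code_md5 = hashlib.md5(mbr[:CODE_AREA]).hexdigest()
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        status = "Invalid signature"
    elif code_md5 in known_good:
        status = "OK"
    else:
        status = "Unknown boot code"
    return {
        "sector_md5": hashlib.md5(mbr).hexdigest(),   # the scanner's "Boot sector MD5"
        "code_md5": code_md5,
        "signature_ok": signature_ok,
        "partitions": parse_partitions(mbr),
        "status": status,
    }


def build_sample_mbr():
    """Constructed MBR: jump stub, one bootable FAT32 (LBA) partition, valid signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"               # short jump, as a real boot sector starts
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET, 0x80, 0x0C, 63, 15_000_000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    # Reading the live sector needs raw device access (\\.\PhysicalDrive0 on
    # Windows, /dev/sda on Linux, administrator rights either way); with no
    # path given, the constructed sample is inspected instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(MBR_SIZE)
    else:
        data = build_sample_mbr()
    result = inspect_mbr(data)
    print(f"Boot sector MD5: {result['sector_md5']}")
    print(f"Status:          {result['status']}")
    for p in result["partitions"]:
        print(f"  slot {p['index']}: type 0x{p['type']:02X} bootable={p['bootable']} "
              f"start LBA {p['lba_start']} sectors {p['sectors']}")
```

Two caveats that apply equally to the real tool's verdict: "Unknown boot code" means only that the hash is not in the allowlist, so OEM recovery loaders and third-party boot managers also show up as unknown and the dump should be inspected before anything is overwritten; and a bootkit that hooks the disk stack can hand a clean-looking sector to ordinary reads, which is why dedicated removers read at a low level and why helpers sometimes ask for a scan from boot media.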
     
  14. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    TDSSKiller report (part 1)

    2010/09/06 15:37:04.0328 TDSS rootkit removing tool 2.4.2.0 Sep 3 2010 10:26:06
    2010/09/06 15:37:04.0328 ================================================================================
    2010/09/06 15:37:04.0328 SystemInfo:
    2010/09/06 15:37:04.0328
    2010/09/06 15:37:04.0328 OS Version: 5.1.2600 ServicePack: 3.0
    2010/09/06 15:37:04.0328 Product type: Workstation
    2010/09/06 15:37:04.0328 ComputerName: MARSNETBOOK
    2010/09/06 15:37:04.0328 UserName: Mar
    2010/09/06 15:37:04.0328 Windows directory: C:\WINDOWS
    2010/09/06 15:37:04.0328 System windows directory: C:\WINDOWS
    2010/09/06 15:37:04.0328 Processor architecture: Intel x86
    2010/09/06 15:37:04.0328 Number of processors: 2
    2010/09/06 15:37:04.0328 Page size: 0x1000
    2010/09/06 15:37:04.0328 Boot type: Normal boot
    2010/09/06 15:37:04.0328 ================================================================================
    2010/09/06 15:37:05.0265 Initialize success
    2010/09/06 15:37:25.0796 ================================================================================
    2010/09/06 15:37:25.0796 Scan started
    2010/09/06 15:37:25.0796 Mode: Manual;
    2010/09/06 15:37:25.0796 ================================================================================
    2010/09/06 15:37:35.0593 Aavmker4 (467f062f76e07512ecc1f5f60aab2988) C:\WINDOWS\system32\drivers\Aavmker4.sys
    2010/09/06 15:37:36.0500 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    2010/09/06 15:37:37.0093 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/09/06 15:37:37.0421 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2010/09/06 15:37:37.0593 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2010/09/06 15:37:37.0843 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/09/06 15:37:38.0296 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/09/06 15:37:38.0453 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2010/09/06 15:37:39.0281 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    2010/09/06 15:37:39.0437 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    2010/09/06 15:37:39.0843 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2010/09/06 15:37:40.0015 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2010/09/06 15:37:40.0250 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2010/09/06 15:37:40.0437 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2010/09/06 15:37:40.0890 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    2010/09/06 15:37:41.0078 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    2010/09/06 15:37:41.0625 AR5416 (7cae93fe5511d0c0688cfa56cf241e31) C:\WINDOWS\system32\DRIVERS\athw.sys
    2010/09/06 15:37:41.0843 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    2010/09/06 15:37:42.0062 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    2010/09/06 15:37:42.0265 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    2010/09/06 15:37:42.0765 aswFsBlk (0c0b08847f2f24baa7bd43d8f2c6c8b0) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2010/09/06 15:37:43.0187 aswMon2 (aa504fa592c9ed79174cb06b8ae340aa) C:\WINDOWS\system32\drivers\aswMon2.sys
    2010/09/06 15:37:43.0328 aswRdr (f385ffd39165453fda96736aa3edfd9d) C:\WINDOWS\system32\drivers\aswRdr.sys
    2010/09/06 15:37:43.0796 aswSP (45adea26bf613a54fed64ecdd12e58a7) C:\WINDOWS\system32\drivers\aswSP.sys
    2010/09/06 15:37:44.0218 aswTdi (c4ee975c87176f1900662d2874233c7f) C:\WINDOWS\system32\drivers\aswTdi.sys
    2010/09/06 15:37:44.0421 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/09/06 15:37:44.0593 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/09/06 15:37:45.0234 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/09/06 15:37:45.0562 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/09/06 15:37:45.0859 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/09/06 15:37:46.0140 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    2010/09/06 15:37:46.0281 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/09/06 15:37:46.0609 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/09/06 15:37:46.0750 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    2010/09/06 15:37:47.0093 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/09/06 15:37:47.0328 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/09/06 15:37:47.0671 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/09/06 15:37:48.0468 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2010/09/06 15:37:48.0640 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    2010/09/06 15:37:48.0984 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2010/09/06 15:37:49.0218 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    2010/09/06 15:37:49.0421 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    2010/09/06 15:37:49.0578 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    2010/09/06 15:37:49.0921 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/09/06 15:37:50.0078 DKbFltr (08d30af92c270f2e76787c81589dbad6) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
    2010/09/06 15:37:50.0531 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/09/06 15:37:50.0812 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/09/06 15:37:51.0031 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/09/06 15:37:51.0296 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/09/06 15:37:51.0515 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    2010/09/06 15:37:51.0750 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/09/06 15:37:52.0093 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/09/06 15:37:52.0437 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/09/06 15:37:52.0687 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/09/06 15:37:53.0031 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/09/06 15:37:53.0312 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2010/09/06 15:37:53.0562 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/09/06 15:37:53.0765 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/09/06 15:37:54.0187 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2010/09/06 15:37:54.0437 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/09/06 15:37:54.0828 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/09/06 15:37:55.0125 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    2010/09/06 15:37:55.0359 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/09/06 15:37:55.0546 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2010/09/06 15:37:55.0718 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    2010/09/06 15:37:56.0078 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/09/06 15:37:58.0171 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    2010/09/06 15:37:58.0812 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/09/06 15:37:58.0984 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    2010/09/06 15:38:00.0515 IntcAzAudAddService (19afbb8427ce65042599555e578170df) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2010/09/06 15:38:00.0906 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2010/09/06 15:38:01.0265 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/09/06 15:38:01.0484 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2010/09/06 15:38:01.0718 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/09/06 15:38:01.0953 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/09/06 15:38:02.0218 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/09/06 15:38:02.0468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/09/06 15:38:02.0687 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/09/06 15:38:02.0859 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/09/06 15:38:03.0015 JMCR (da971cfc625d13636e04c405948e9d62) C:\WINDOWS\system32\DRIVERS\jmcr.sys
    2010/09/06 15:38:03.0171 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/09/06 15:38:03.0437 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/09/06 15:38:03.0578 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/09/06 15:38:04.0250 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/09/06 15:38:04.0593 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/09/06 15:38:04.0750 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/09/06 15:38:04.0984 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/09/06 15:38:05.0140 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2010/09/06 15:38:05.0406 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/09/06 15:38:05.0703 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/09/06 15:38:05.0968 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/09/06 15:38:06.0296 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/09/06 15:38:06.0609 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/09/06 15:38:06.0921 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/09/06 15:38:07.0093 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/09/06 15:38:07.0421 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/09/06 15:38:07.0671 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/09/06 15:38:08.0031 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/09/06 15:38:08.0312 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/09/06 15:38:08.0656 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/09/06 15:38:08.0890 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/09/06 15:38:09.0218 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/09/06 15:38:09.0468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/09/06 15:38:09.0703 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/09/06 15:38:09.0937 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/09/06 15:38:10.0203 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/09/06 15:38:10.0515 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/09/06 15:38:11.0062 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/09/06 15:38:11.0343 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/09/06 15:38:11.0578 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/09/06 15:38:11.0843 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
     
  15. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    TDSSKiller report (part 2)

    2010/09/06 15:38:12.0187 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2010/09/06 15:38:12.0437 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/09/06 15:38:12.0671 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/09/06 15:38:12.0859 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/09/06 15:38:13.0406 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/09/06 15:38:13.0781 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/09/06 15:38:15.0531 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2010/09/06 15:38:15.0687 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2010/09/06 15:38:16.0031 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/09/06 15:38:16.0296 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/09/06 15:38:16.0546 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/09/06 15:38:16.0796 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    2010/09/06 15:38:17.0062 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    2010/09/06 15:38:17.0234 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    2010/09/06 15:38:17.0484 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    2010/09/06 15:38:17.0656 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    2010/09/06 15:38:17.0906 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/09/06 15:38:18.0171 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/09/06 15:38:18.0453 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/09/06 15:38:18.0703 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/09/06 15:38:19.0000 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/09/06 15:38:19.0265 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/09/06 15:38:19.0500 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/09/06 15:38:19.0812 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/09/06 15:38:20.0187 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/09/06 15:38:20.0468 RTLE8023xp (f0a21c62b9b835e1c96268eaae31d239) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2010/09/06 15:38:20.0578 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2010/09/06 15:38:20.0718 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2010/09/06 15:38:21.0125 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    2010/09/06 15:38:21.0484 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/09/06 15:38:21.0890 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2010/09/06 15:38:22.0296 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/09/06 15:38:23.0000 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    2010/09/06 15:38:23.0375 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/09/06 15:38:24.0218 SNP2UVC (0302bc619d4a723317e7f8eb0c362bd3) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
    2010/09/06 15:38:24.0453 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    2010/09/06 15:38:24.0718 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/09/06 15:38:25.0015 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/09/06 15:38:25.0296 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/09/06 15:38:25.0687 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/09/06 15:38:25.0875 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/09/06 15:38:26.0156 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/09/06 15:38:26.0437 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2010/09/06 15:38:26.0609 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2010/09/06 15:38:26.0781 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2010/09/06 15:38:26.0968 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2010/09/06 15:38:27.0156 SynTP (409f7eeb079d6154ccb26a02e6e27844) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2010/09/06 15:38:27.0437 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/09/06 15:38:27.0937 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/09/06 15:38:28.0218 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/09/06 15:38:28.0500 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/09/06 15:38:29.0156 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/09/06 15:38:29.0515 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    2010/09/06 15:38:29.0812 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/09/06 15:38:30.0015 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    2010/09/06 15:38:30.0421 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/09/06 15:38:30.0875 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/09/06 15:38:31.0171 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/09/06 15:38:31.0484 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/09/06 15:38:31.0890 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/09/06 15:38:32.0187 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/09/06 15:38:32.0625 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2010/09/06 15:38:32.0937 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/09/06 15:38:33.0140 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    2010/09/06 15:38:33.0437 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2010/09/06 15:38:33.0750 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/09/06 15:38:34.0140 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/09/06 15:38:34.0875 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/09/06 15:38:35.0375 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2010/09/06 15:38:35.0812 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/09/06 15:38:36.0031 ================================================================================
    2010/09/06 15:38:36.0031 Scan finished
    2010/09/06 15:38:36.0031 ================================================================================
     
  16. crunchie

    crunchie Malware Helper Posts: 761

    Open Notepad
    Copy and paste following text into Notepad:
    Code:
    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
    Go to FILE > SAVE AS and in the SAVE AS TYPE dropdown box select ALL FILES.
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.

    ==

    After a reboot, see how it is and let me know please.
     
  17. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    Fix.bat opens, but then pops an error

    Double-clicking fix.bat opens the black box as advised, but then pops the following error:

    Windows cannot find 'remover.exe'. Make sure you typed the name correctly and then try again. To search for a file, click the Start button, and then click Search.

    If this is referring to the bootkit remover from your earlier post, the one it unzipped to my desktop is called bootkit_remover.exe, and not simply remover.exe. Could that be a factor?

    Thanks again!
     
  18. crunchie

    crunchie Malware Helper Posts: 761

    Did you save bootkit remover to your desktop? Is it still there? If it is physically there, there should be no problem.
    Try again and if it still does not work, please do the following:

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  19. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    Re-trying fix.bat still produces the same error message.

    MBRCheck log:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 161):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7BA7000 \WINDOWS\system32\KDCOM.DLL
    0xF7AB7000 \WINDOWS\system32\BOOTVID.dll
    0xF7658000 ACPI.sys
    0xF7BA9000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7647000 pci.sys
    0xF76A7000 isapnp.sys
    0xF7ABB000 compbatt.sys
    0xF7ABF000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7C6F000 pciide.sys
    0xF7927000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7BAB000 aliide.sys
    0xF7BAD000 cmdide.sys
    0xF7BAF000 toside.sys
    0xF7BB1000 viaide.sys
    0xF7BB3000 intelide.sys
    0xF76B7000 MountMgr.sys
    0xF7628000 ftdisk.sys
    0xF7AC3000 ACPIEC.sys
    0xF7C70000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF792F000 PartMgr.sys
    0xF76C7000 VolSnap.sys
    0xF7AC7000 cpqarray.sys
    0xF7610000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF75F8000 atapi.sys
    0xF7ACB000 aha154x.sys
    0xF7937000 sparrow.sys
    0xF7ACF000 symc810.sys
    0xF76D7000 aic78xx.sys
    0xF7AD3000 dac960nt.sys
    0xF76E7000 ql10wnt.sys
    0xF7AD7000 amsint.sys
    0xF793F000 asc.sys
    0xF7ADB000 asc3550.sys
    0xF7947000 mraid35x.sys
    0xF794F000 i2omp.sys
    0xF7ADF000 ini910u.sys
    0xF76F7000 ql1240.sys
    0xF7707000 aic78u2.sys
    0xF7957000 symc8xx.sys
    0xF795F000 sym_hi.sys
    0xF7967000 sym_u3.sys
    0xF796F000 ABP480N5.SYS
    0xF7977000 asc3350p.sys
    0xF7BB5000 cd20xrnt.sys
    0xF7717000 ultra.sys
    0xF75DF000 adpu160m.sys
    0xF797F000 dpti2o.sys
    0xF7727000 ql1080.sys
    0xF7737000 ql1280.sys
    0xF7747000 ql12160.sys
    0xF7987000 perc2.sys
    0xF7BB7000 perc2hib.sys
    0xF798F000 hpn.sys
    0xF7AE3000 cbidf2k.sys
    0xF75B3000 dac2w2k.sys
    0xF7757000 disk.sys
    0xF7767000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7593000 fltMgr.sys
    0xF7581000 sr.sys
    0xF755D000 Fastfat.sys
    0xF7546000 KSecDD.sys
    0xF7519000 NDIS.sys
    0xF7777000 sisagp.sys
    0xF7787000 viaagp.sys
    0xF74FF000 Mup.sys
    0xF7797000 alim1541.sys
    0xF77A7000 amdagp.sys
    0xF77B7000 agp440.sys
    0xF77C7000 agpCPQ.sys
    0xF77E7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF7B63000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF6E37000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF6E23000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6DFB000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF6DDF000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xF6DC8000 \SystemRoot\system32\DRIVERS\jmcr.sys
    0xF79FF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6DA4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7A07000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF77F7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7A0F000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0xF7A17000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF6D6D000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7BB9000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7A1F000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7B67000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7CDE000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7807000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7B6B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6D56000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7817000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7827000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7A27000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6D45000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7837000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7A2F000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7A37000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7847000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7BBB000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6D22000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6CC4000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7B73000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7857000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7877000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xAA303000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xAA2DF000 \SystemRoot\system32\drivers\portcls.sys
    0xF7887000 \SystemRoot\system32\drivers\drmk.sys
    0xF7496000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7BBF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7D45000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7BC1000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7A77000 \SystemRoot\System32\drivers\vga.sys
    0xF7BC3000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7BC5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7A7F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7A87000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7492000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA16C000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA113000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF78A7000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xAA0ED000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF78B7000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAA0C5000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xAA0A3000 \SystemRoot\System32\drivers\afd.sys
    0xF78C7000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAA081000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF7A8F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xAA056000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA9FE6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF78F7000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA9FBF000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF7A9F000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xA9DE6000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
    0xF7917000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xF7AA7000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
    0xA9DCE000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7BC9000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xAA22F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7AAF000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D27000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF7AF3000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA9CAA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA9B0F000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA98B2000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA989D000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA9AFF000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA9486000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA90AD000 \SystemRoot\System32\Drivers\HTTP.sys
    0xAA1BF000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xA8C9C000 \SystemRoot\system32\DRIVERS\athw.sys
    0xA8BD1000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\System32\ntdll.dll

    Processes (total 38):
    0 System Idle Process
    4 System
    620 C:\WINDOWS\System32\smss.exe
    680 csrss.exe
    704 C:\WINDOWS\System32\winlogon.exe
    748 C:\WINDOWS\System32\services.exe
    760 C:\WINDOWS\System32\lsass.exe
    928 C:\WINDOWS\System32\svchost.exe
    1012 svchost.exe
    1072 C:\WINDOWS\System32\svchost.exe
    1128 svchost.exe
    1220 svchost.exe
    1316 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1528 C:\WINDOWS\System32\spoolsv.exe
    1708 svchost.exe
    1720 C:\WINDOWS\Explorer.EXE
    1920 C:\WINDOWS\RTHDCPL.EXE
    1936 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    1964 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1988 C:\Program Files\Bonjour\mDNSResponder.exe
    1996 C:\Program Files\Launch Manager\QtZgAcer.EXE
    116 C:\Program Files\Java\jre6\bin\jqs.exe
    220 C:\Program Files\iTunes\iTunesHelper.exe
    240 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    336 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    416 C:\WINDOWS\System32\svchost.exe
    464 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    524 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    664 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    1180 C:\WINDOWS\System32\igfxext.exe
    1540 C:\WINDOWS\System32\igfxsrvc.exe
    2456 C:\Documents and Settings\Mar\Local Settings\Temp\RtkBtMnt.exe
    2532 C:\Program Files\iPod\bin\iPodService.exe
    2648 alg.exe
    1060 C:\WINDOWS\System32\ctfmon.exe
    3648 C:\Program Files\Mozilla Firefox\firefox.exe
    1276 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2424 C:\Documents and Settings\Mar\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (FAT32)

    PhysicalDrive0 Model Number: SSDPAMM0008G1, Rev: Ver2.I0K

    Size Device Name MBR Status
    --------------------------------------------
    7 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 00DA077E92625BC67BBA239DB4218A4A12648922


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
     
  20. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    Sorry - to directly answer your question: yes, I did save bootkit remover to the desktop. Screenshot of desktop is attached.
     


  21. crunchie

    crunchie Malware Helper Posts: 761

    Run MBRCheck again.

    When it's done you'll see the following line:
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Press the Y key and then press Enter

    When the program asks you to Enter your choice, enter 2 and press the Enter key.

    Next the program will ask you to Enter the physical disk number to fix (0-99, -1 to cancel):
    Enter 0 (zero) and press the Enter key.

    Next the program will show Available MBR codes:, followed by a list of operating systems.
    Please enter 1 for Windows XP, and then press Enter.

    Next the program will prompt for confirmation.
    Type YES and hit Enter.

    When it's done there should be a text file with the results on your desktop.
    Please copy and paste it back here.

    Then reboot and run MBRCheck again and post that log.
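    The two MBRCheck procedures in this thread (running it for a report, then option 2 to rewrite the boot code) both turn on the same check: the report hashes the MBR boot code with SHA1 and prints "Unknown MBR code" when that hash is not one it recognises, alongside the partition it found (C: at offset 0x100000, FAT32). The following is an added example written for this page; it is not MBRCheck's code and not something posted in the thread. It parses a 512-byte MBR the way such a checker does: it validates the 0x55AA signature, lists the partition entries, and fingerprints bytes 0-439 (the loader code, excluding the per-disk signature at 440-443, so the hash is stable across machines). The sample sectors, the allow-list and the "STOCK-LOADER"/"PATCHED-LOADER" byte strings are constructed for the demonstration and do not represent real loader code or real vendor hashes; the only real value reused is the partition offset from the log.

```python
"""Parse a 512-byte MBR: validate the boot signature, list partition entries,
and fingerprint the boot code with SHA1 against an allow-list of known loaders.
Added example; the sample data below is constructed, not taken from a real disk."""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0-439: boot loader code (classic MBR layout)
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIG_OFF = 510              # two-byte boot signature 0x55 0xAA

PTYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, boot-code SHA1 and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:                      # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PTYPE_NAMES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR,
            "sectors": count,
        })
    return {
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": parts,
    }


def classify(info: dict, known_good: set) -> str:
    """A hash outside the allow-list is 'unknown': a prompt to inspect,
    not by itself proof of infection (OEM loaders are also 'unknown')."""
    if not info["signature_ok"]:
        return "invalid MBR (missing 0x55AA signature)"
    if info["boot_code_sha1"] in known_good:
        return "known boot code"
    return "unknown boot code"


def read_mbr(path: str) -> bytes:
    """Read the first sector from a raw disk image or an MBR dump file."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable FAT32 partition at
    LBA 2048 (byte offset 0x100000, as in the thread's log), valid signature."""
    assert len(boot_code) <= BOOT_CODE_LEN
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x0B,
                        b"\x00\x00\x00", 2048, 14_680_064)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed stand-in for a stock loader; not real boot code.
SAMPLE_STANDARD = build_sample_mbr(b"\xEB\x3C\x90" + b"STOCK-LOADER" * 8)
# Same partition table, different loader bytes: the shape of a modified MBR.
SAMPLE_MODIFIED = build_sample_mbr(b"\xEB\x3C\x90" + b"PATCHED-LOADER" * 8)
# Allow-list built from the stock sample (a real tool ships vendor hashes).
KNOWN_GOOD = {parse_mbr(SAMPLE_STANDARD)["boot_code_sha1"]}


def report(sector: bytes, known_good: set = KNOWN_GOOD) -> str:
    """Render a short MBRCheck-style summary for one sector."""
    info = parse_mbr(sector)
    lines = [f"SHA1 of boot code: {info['boot_code_sha1']}",
             f"Verdict: {classify(info, known_good)}"]
    for p in info["partitions"]:
        flag = "*" if p["bootable"] else " "
        lines.append(f"  [{p['index']}] {flag} type 0x{p['type']:02X} ({p['type_name']}) "
                     f"LBA {p['lba_start']} offset 0x{p['byte_offset']:X} sectors {p['sectors']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a dump file path to inspect a real sector; otherwise use the sample.
    target = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MODIFIED
    print(report(target))
```

    Two points follow from the design. First, because the hash covers only the loader bytes, comparing the SHA1 line of two reports is meaningful: the thread's later report shows the same SHA1 after the rewrite and reboot, which says the loader bytes on disk did not change from the checker's point of view. Second, "unknown" is an allow-list miss, so the verdict should be read together with what else is known about the machine (OEM boot managers also produce it) rather than as proof on its own.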
     
  22. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 160):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7BA7000 \WINDOWS\system32\KDCOM.DLL
    0xF7AB7000 \WINDOWS\system32\BOOTVID.dll
    0xF7658000 ACPI.sys
    0xF7BA9000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7647000 pci.sys
    0xF76A7000 isapnp.sys
    0xF7ABB000 compbatt.sys
    0xF7ABF000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7C6F000 pciide.sys
    0xF7927000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7BAB000 aliide.sys
    0xF7BAD000 cmdide.sys
    0xF7BAF000 toside.sys
    0xF7BB1000 viaide.sys
    0xF7BB3000 intelide.sys
    0xF76B7000 MountMgr.sys
    0xF7628000 ftdisk.sys
    0xF7AC3000 ACPIEC.sys
    0xF7C70000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF792F000 PartMgr.sys
    0xF76C7000 VolSnap.sys
    0xF7AC7000 cpqarray.sys
    0xF7610000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF75F8000 atapi.sys
    0xF7ACB000 aha154x.sys
    0xF7937000 sparrow.sys
    0xF7ACF000 symc810.sys
    0xF76D7000 aic78xx.sys
    0xF7AD3000 dac960nt.sys
    0xF76E7000 ql10wnt.sys
    0xF7AD7000 amsint.sys
    0xF793F000 asc.sys
    0xF7ADB000 asc3550.sys
    0xF7947000 mraid35x.sys
    0xF794F000 i2omp.sys
    0xF7ADF000 ini910u.sys
    0xF76F7000 ql1240.sys
    0xF7707000 aic78u2.sys
    0xF7957000 symc8xx.sys
    0xF795F000 sym_hi.sys
    0xF7967000 sym_u3.sys
    0xF796F000 ABP480N5.SYS
    0xF7977000 asc3350p.sys
    0xF7BB5000 cd20xrnt.sys
    0xF7717000 ultra.sys
    0xF75DF000 adpu160m.sys
    0xF797F000 dpti2o.sys
    0xF7727000 ql1080.sys
    0xF7737000 ql1280.sys
    0xF7747000 ql12160.sys
    0xF7987000 perc2.sys
    0xF7BB7000 perc2hib.sys
    0xF798F000 hpn.sys
    0xF7AE3000 cbidf2k.sys
    0xF75B3000 dac2w2k.sys
    0xF7757000 disk.sys
    0xF7767000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7593000 fltMgr.sys
    0xF7581000 sr.sys
    0xF755D000 Fastfat.sys
    0xF7546000 KSecDD.sys
    0xF7519000 NDIS.sys
    0xF7777000 sisagp.sys
    0xF7787000 viaagp.sys
    0xF74FF000 Mup.sys
    0xF7797000 alim1541.sys
    0xF77A7000 amdagp.sys
    0xF77B7000 agp440.sys
    0xF77C7000 agpCPQ.sys
    0xF77E7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF7B63000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF6E37000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF6E23000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6DFB000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF6DDF000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xF6DC8000 \SystemRoot\system32\DRIVERS\jmcr.sys
    0xF79FF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6DA4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7A07000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF77F7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7A0F000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0xF7A17000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF6D6D000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7BB9000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7A1F000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7B67000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7CDE000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7807000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7B6B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6D56000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7817000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7827000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7A27000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6D45000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7837000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7A2F000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7A37000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7847000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7BBB000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6D22000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6CC4000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7B73000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7857000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7877000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xAA303000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xAA2DF000 \SystemRoot\system32\drivers\portcls.sys
    0xF7887000 \SystemRoot\system32\drivers\drmk.sys
    0xF7496000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7BBF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7D45000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7BC1000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7A77000 \SystemRoot\System32\drivers\vga.sys
    0xF7BC3000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7BC5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7A7F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7A87000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7492000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA16C000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA113000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF78A7000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xAA0ED000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF78B7000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAA0C5000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xAA0A3000 \SystemRoot\System32\drivers\afd.sys
    0xF78C7000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAA081000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF7A8F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xAA056000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA9FE6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF78F7000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA9FBF000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF7A9F000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xA9DE6000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
    0xF7917000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xF7AA7000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
    0xA9DCE000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7BC9000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xAA22F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7AAF000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D27000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF7AF3000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA9CAA000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA9B0F000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA98B2000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA989D000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA9AFF000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA9486000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA90AD000 \SystemRoot\System32\Drivers\HTTP.sys
    0xAA1BF000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xA8C9C000 \SystemRoot\system32\DRIVERS\athw.sys
    0x7C900000 \WINDOWS\System32\ntdll.dll

    Processes (total 38):
    0 System Idle Process
    4 System
    620 C:\WINDOWS\System32\smss.exe
    680 csrss.exe
    704 C:\WINDOWS\System32\winlogon.exe
    748 C:\WINDOWS\System32\services.exe
    760 C:\WINDOWS\System32\lsass.exe
    928 C:\WINDOWS\System32\svchost.exe
    1012 svchost.exe
    1072 C:\WINDOWS\System32\svchost.exe
    1128 svchost.exe
    1220 svchost.exe
    1316 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1528 C:\WINDOWS\System32\spoolsv.exe
    1708 svchost.exe
    1720 C:\WINDOWS\Explorer.EXE
    1920 C:\WINDOWS\RTHDCPL.EXE
    1936 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    1964 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1988 C:\Program Files\Bonjour\mDNSResponder.exe
    1996 C:\Program Files\Launch Manager\QtZgAcer.EXE
    116 C:\Program Files\Java\jre6\bin\jqs.exe
    220 C:\Program Files\iTunes\iTunesHelper.exe
    240 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    336 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    416 C:\WINDOWS\System32\svchost.exe
    464 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    524 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    664 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    1180 C:\WINDOWS\System32\igfxext.exe
    1540 C:\WINDOWS\System32\igfxsrvc.exe
    2456 C:\Documents and Settings\Mar\Local Settings\Temp\RtkBtMnt.exe
    2532 C:\Program Files\iPod\bin\iPodService.exe
    2648 alg.exe
    1060 C:\WINDOWS\System32\ctfmon.exe
    3648 C:\Program Files\Mozilla Firefox\firefox.exe
    1276 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2264 C:\Documents and Settings\Mar\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (FAT32)

    PhysicalDrive0 Model Number: SSDPAMM0008G1, Rev: Ver2.I0K

    Size Device Name MBR Status
    --------------------------------------------
    7 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 00DA077E92625BC67BBA239DB4218A4A12648922


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 0Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive: 1
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: YES
    Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.


    Done!
     
  23. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    Looks like the same MBR response after the 'fix' and restart. I do still have the prompt open if you would like me to go through the 'Y' steps again.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 160):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806FF000 \WINDOWS\system32\hal.dll
    0xF7BA7000 \WINDOWS\system32\KDCOM.DLL
    0xF7AB7000 \WINDOWS\system32\BOOTVID.dll
    0xF7658000 ACPI.sys
    0xF7BA9000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7647000 pci.sys
    0xF76A7000 isapnp.sys
    0xF7ABB000 compbatt.sys
    0xF7ABF000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7C6F000 pciide.sys
    0xF7927000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7BAB000 aliide.sys
    0xF7BAD000 cmdide.sys
    0xF7BAF000 toside.sys
    0xF7BB1000 viaide.sys
    0xF7BB3000 intelide.sys
    0xF76B7000 MountMgr.sys
    0xF7628000 ftdisk.sys
    0xF7AC3000 ACPIEC.sys
    0xF7C70000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF792F000 PartMgr.sys
    0xF76C7000 VolSnap.sys
    0xF7AC7000 cpqarray.sys
    0xF7610000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF75F8000 atapi.sys
    0xF7ACB000 aha154x.sys
    0xF7937000 sparrow.sys
    0xF7ACF000 symc810.sys
    0xF76D7000 aic78xx.sys
    0xF7AD3000 dac960nt.sys
    0xF76E7000 ql10wnt.sys
    0xF7AD7000 amsint.sys
    0xF793F000 asc.sys
    0xF7ADB000 asc3550.sys
    0xF7947000 mraid35x.sys
    0xF794F000 i2omp.sys
    0xF7ADF000 ini910u.sys
    0xF76F7000 ql1240.sys
    0xF7707000 aic78u2.sys
    0xF7957000 symc8xx.sys
    0xF795F000 sym_hi.sys
    0xF7967000 sym_u3.sys
    0xF796F000 ABP480N5.SYS
    0xF7977000 asc3350p.sys
    0xF7BB5000 cd20xrnt.sys
    0xF7717000 ultra.sys
    0xF75DF000 adpu160m.sys
    0xF797F000 dpti2o.sys
    0xF7727000 ql1080.sys
    0xF7737000 ql1280.sys
    0xF7747000 ql12160.sys
    0xF7987000 perc2.sys
    0xF7BB7000 perc2hib.sys
    0xF798F000 hpn.sys
    0xF7AE3000 cbidf2k.sys
    0xF75B3000 dac2w2k.sys
    0xF7757000 disk.sys
    0xF7767000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF7593000 fltMgr.sys
    0xF7581000 sr.sys
    0xF755D000 Fastfat.sys
    0xF7546000 KSecDD.sys
    0xF7519000 NDIS.sys
    0xF7777000 sisagp.sys
    0xF7787000 viaagp.sys
    0xF74FF000 Mup.sys
    0xF7797000 alim1541.sys
    0xF77A7000 amdagp.sys
    0xF77B7000 agp440.sys
    0xF77C7000 agpCPQ.sys
    0xF77E7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF7B63000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF6E37000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF6E23000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6DFB000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF6DDF000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xF6C9E000 \SystemRoot\system32\DRIVERS\athw.sys
    0xF6C87000 \SystemRoot\system32\DRIVERS\jmcr.sys
    0xF79FF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF6C63000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7A07000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF77F7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7A0F000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0xF7A17000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF6C2C000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF7BB9000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7A1F000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7B67000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7CDF000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7807000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7B6B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6C15000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7817000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7827000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7A27000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6C04000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7837000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7A2F000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7A37000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7847000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7BBB000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6BE1000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF6B83000 \SystemRoot\system32\DRIVERS\update.sys
    0xF7B73000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7857000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7877000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xAA303000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xAA2DF000 \SystemRoot\system32\drivers\portcls.sys
    0xF7887000 \SystemRoot\system32\drivers\drmk.sys
    0xF7496000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF7BBF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7D46000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7BC1000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7A77000 \SystemRoot\System32\drivers\vga.sys
    0xF7BC3000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7BC5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7A7F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF7A87000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7492000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA16C000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA113000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF78B7000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xAA0ED000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF78C7000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAA0C5000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xAA0A3000 \SystemRoot\System32\drivers\afd.sys
    0xF78D7000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAA081000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF7A8F000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xAA056000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA9FE6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF7907000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA9FBF000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF7A9F000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xA9DE6000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
    0xF745D000 \SystemRoot\system32\DRIVERS\STREAM.SYS
    0xF7AA7000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
    0xA9DCE000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7BC9000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xAA22F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7AAF000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D29000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
    0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA9DA6000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA9CAE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA9B0F000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xA98B2000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA9875000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA9A87000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA94AE000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA90AD000 \SystemRoot\System32\Drivers\HTTP.sys
    0xAA1CF000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x7C900000 \WINDOWS\System32\ntdll.dll

    Processes (total 37):
    0 System Idle Process
    4 System
    676 C:\WINDOWS\System32\smss.exe
    736 csrss.exe
    760 C:\WINDOWS\System32\winlogon.exe
    804 C:\WINDOWS\System32\services.exe
    816 C:\WINDOWS\System32\lsass.exe
    980 C:\WINDOWS\System32\svchost.exe
    1044 svchost.exe
    1104 C:\WINDOWS\System32\svchost.exe
    1188 svchost.exe
    1272 svchost.exe
    1444 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1792 C:\WINDOWS\System32\spoolsv.exe
    516 svchost.exe
    664 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    724 C:\WINDOWS\Explorer.EXE
    820 C:\Program Files\Bonjour\mDNSResponder.exe
    1140 C:\Program Files\Java\jre6\bin\jqs.exe
    244 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    1528 C:\WINDOWS\System32\svchost.exe
    556 C:\WINDOWS\System32\wuauclt.exe
    1264 C:\WINDOWS\RTHDCPL.EXE
    1228 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    1888 C:\Program Files\Launch Manager\QtZgAcer.EXE
    2148 C:\Program Files\iTunes\iTunesHelper.exe
    2160 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    2192 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    2212 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2236 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
    2252 C:\WINDOWS\System32\ctfmon.exe
    2348 C:\WINDOWS\System32\igfxext.exe
    2388 C:\WINDOWS\System32\igfxsrvc.exe
    2660 alg.exe
    2900 C:\Program Files\iPod\bin\iPodService.exe
    3180 C:\Documents and Settings\Mar\Local Settings\Temp\RtkBtMnt.exe
    2540 C:\Documents and Settings\Mar\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (FAT32)

    PhysicalDrive0 Model Number: SSDPAMM0008G1, Rev: Ver2.I0K

    Size Device Name MBR Status
    --------------------------------------------
    7 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 00DA077E92625BC67BBA239DB4218A4A12648922


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
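The MBRCheck output above boils down to an allowlist check: it hashes the boot sector (the SHA1 it prints) and reports "Unknown MBR code" when that hash is not one it recognises. The script below is an added example of how such a check is done; it is not part of the original thread and not MBRCheck's own code. It hashes only bytes 0..439 of the sector (the bootstrap code), leaving out the disk signature and partition table so that the same vendor code on two different disks hashes identically; whether MBRCheck hashes that same range is not stated on the page, so the SHA1 it prints is not directly comparable with the one this script computes. The sample MBR images, the "clean" code bytes and the allowlist entry are all constructed for the demonstration and are not a real known-good image. The partition entry is built to match the volume in the log: one FAT32 partition starting at byte offset 0x100000 (LBA 2048).

```python
"""Parse a 512-byte MBR and classify its bootstrap code against an allowlist of hashes."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
CODE_LEN = 440            # bootstrap code occupies bytes 0..439 (assumption: hash only this range)
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature
TABLE_OFF = 0x1BE         # four 16-byte partition entries
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def read_first_sector(path: str) -> bytes:
    """Read the MBR from a raw device or disk image.
    On Windows pass \\.\PhysicalDrive0 from an elevated prompt; on Linux /dev/sda."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_mbr(sector: bytes) -> dict:
    """Return bootstrap-code hash, whole-sector hash, disk signature and partition entries.
    A valid 0x55AA signature is not a clean bill of health: boot-sector malware keeps it intact."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFF + 16 * i)
        if ptype == 0:            # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return {
        "code_sha1": hashlib.sha1(sector[:CODE_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def classify(sector: bytes, known_good: dict) -> str:
    """'known:<name>' when the bootstrap-code hash is in the allowlist, else 'unknown'.
    known_good maps upper-case hex SHA1 of bytes 0..439 to a descriptive name."""
    name = known_good.get(parse_mbr(sector)["code_sha1"])
    return f"known:{name}" if name else "unknown"


def build_sample_mbr(code: bytes, disk_sig: int, entries) -> bytes:
    """Assemble a constructed MBR from code bytes, disk signature and partition tuples."""
    sector = bytearray(SECTOR)
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, entry in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFF + 16 * i, *entry)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed stand-in for vendor bootstrap code: the real-mode stack setup that
# conventional MBRs open with, padded with NOPs. Not a real known-good image.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (CODE_LEN - 7)
# Constructed "patched" code: first instruction swapped for a far-jump opcode, the
# kind of diversion boot-sector malware inserts; partition table left untouched.
PATCHED_CODE = b"\xEA" + CLEAN_CODE[1:]
# One active FAT32-LBA partition at LBA 2048 (byte offset 0x100000), as in the log above.
PARTS = [(0x80, 0x0C, 2048, 13_600_000)]

CLEAN = build_sample_mbr(CLEAN_CODE, 0xDEADBEEF, PARTS)
CLEAN_OTHER_DISK = build_sample_mbr(CLEAN_CODE, 0x12345678, PARTS)   # same code, other disk
PATCHED = build_sample_mbr(PATCHED_CODE, 0xDEADBEEF, PARTS)

# In practice the allowlist is built from hashes of vendor MBRs read off known-clean
# machines of the same model; here it is seeded from the constructed stand-in.
KNOWN_GOOD = {hashlib.sha1(CLEAN_CODE).hexdigest().upper(): "constructed-standin"}

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("clean/other disk", CLEAN_OTHER_DISK), ("patched", PATCHED)):
        info = parse_mbr(img)
        print(f"{label:17} {classify(img, KNOWN_GOOD):26} code={info['code_sha1'][:12]} "
              f"sector={info['sector_sha1'][:12]} parts={[p['byte_offset'] for p in info['partitions']]}")
```

Two things the output makes visible that the log line alone does not. First, the patched image and the clean one carry identical partition tables and differ only in the code hash, which is why a tool can say "Unknown MBR code" while the volume still mounts and boots normally. Second, an allowlist returns "unknown" both for tampered code and for legitimate OEM code it simply has no hash for, so that verdict on its own does not prove infection; what separates the two cases is whether the code hash changes after a rewrite like the one at the top of this page, and whether it matches the hash taken from a known-clean machine of the same model. Run `parse_mbr(read_first_sector(r"\\.\PhysicalDrive0"))` from an elevated prompt to take that reading on a live disk.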
     
  24. crunchie

    crunchie Malware Helper Posts: 761

    Can try again, but will likely get the same result.

    Do you have your XP CD?
     
  25. merm8fan

    merm8fan TS Rookie Topic Starter Posts: 37

    No disc - this is a netbook that had XP pre-loaded. I do have an external optical drive I could use if I can dig up an XP CD from another laptop, but I am not certain the full size laptop came with a CD either.

    The redirect issue is happening on the following other computers in the house, if you think this particular problem with this netbook is holding up a solution:
    XP Media Edition desktop,
    Vista laptop,
    XP laptop,
    XP nettop

    Thanks again for your help. I will try the 'y' prompt steps again, just for luck!
     
Topic Status:
Not open for further replies.
