TechSpot

Removing redirect virus

By Broday
Oct 23, 2010
  1. Hi,
    I have some form of redirect virus when using Firefox, Chrome and IE8. Currently running XP SP3.

    I run AVG daily; it tells me it is fully updated, but I am not entirely sure if it is.

    Could not run Malwarebytes, so had to use randmbam.exe, but it cannot update, so I had to run it as downloaded.
    I get this error message:
    MABM_ERROR_UPDATING (1 20074, 0, WinHttpSendRequest)
    and can also not access the Malwarebytes website or forum.
    Ran it twice; both logs are below.
    1:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    23/10/2010 10:58:19
    mbam-log-2010-10-23 (10-58-19).txt

    Scan type: Quick scan
    Objects scanned: 129373
    Time elapsed: 9 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.249,93.188.160.249 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ebc18c45-0f9c-4520-af37-57082202b32e}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.249,93.188.160.249 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    2:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    23/10/2010 11:50:54
    mbam-log-2010-10-23 (11-50-54).txt

    Scan type: Quick scan
    Objects scanned: 129983
    Time elapsed: 9 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Ran GMER, log below:

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-23 12:20:14
    Windows 5.1.2600 Service Pack 3
    Running: rovjh8xc.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\awryrpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xEE952FE4]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xEE953996]
    SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xF7AE4864]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xEE953AF6]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xEE95736C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xEE95739E]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xEE957500]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xEE953A5A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xEE953128]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xEE95331A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xEE95344C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xEE957476]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xEE9573E0]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xEE957412]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xEE957444]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xEE952F8A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xEE953B56]
    SSDT \??\C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xF7AE482E]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xEE952F26]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateProcess [0xEE952E7A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xEE952EC2]

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\WINDOWS\system32\DRIVERS\i8042prt.sys entry point in ".rsrc" section [0xF6E4A194]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414C10 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1108] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2684] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 004397C0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2684] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2684] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 01A07420 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] ntdll.dll!LdrLoadDll + 1 7C9163C4 5 Bytes [22, 00, 68, 71, C3]
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] kernel32.dll!ReadFile 7C801812 6 Bytes JMP 7139000A
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 716B0022
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 7148000A
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] kernel32.dll!GetQueuedCompletionStatus 7C80A7BD 6 Bytes JMP 714B000A
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] kernel32.dll!WriteFile 7C810E27 6 Bytes JMP 7142000A
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] kernel32.dll!CreateNamedPipeW 7C82F0DD 6 Bytes JMP 713F000A
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] kernel32.dll!CancelIo 7C8300E2 6 Bytes JMP 7145000A
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] kernel32.dll!CreateIoCompletionPort 7C83138D 6 Bytes JMP 713C000A
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 6 Bytes PUSH 71590022; RET
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] USER32.dll!TranslateMessage 7E418BF6 6 Bytes PUSH 71500022; RET
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] USER32.dll!RegisterClassExW 7E41AF7F 6 Bytes PUSH 716E0022; RET
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] USER32.dll!SetWindowLongW 7E42C2BB 6 Bytes PUSH 71530022; RET
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] USER32.dll!GetClipboardData 7E430DBA 6 Bytes PUSH 71560022; RET
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] GDI32.dll!BitBlt 77F16F79 6 Bytes PUSH 715F0022; RET
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] GDI32.dll!StretchDIBits 77F1B0AE 6 Bytes PUSH 715C0022; RET
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes PUSH 71650022; RET
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 714D0022
    .text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3552] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 6 Bytes PUSH 71620022; RET

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1976] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010
    IAT C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3396] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86DFBAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86DFBAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 86DFBAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-18 86DFBAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-20 86DFBAEA

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskHDS728080PLAT20_________________________PF2OA21B#5&211d19d3&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BABF6593-2156-5BE1-4DC0-254AF1206DD0}

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 160836245 (+233): rootkit-like behavior;

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----
     
  2. Broday

    Ran DDS, log below:
    DDS:


    DDS (Ver_10-10-21.02) - NTFSx86
    Run by User at 12:22:18.78 on 23/10/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.336 [GMT 1:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Dell Printers\Dell MFP Color Laser Printer 3115cn\Address Book Editor\Launcher.exe
    C:\Program Files\Dell Printers\paperport\pptd40nt.exe
    C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\User\My Documents\Downloads\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    BHO: 1 (0x1) - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [Sony Ericsson PC Companion] "c:\program files\sony ericsson\sony ericsson pc companion\PCCompanion.exe" /Background
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Dell MFP Color Laser Printer 3115cn Launcher] "c:\program files\dell printers\dell mfp color laser printer 3115cn\address book editor\Launcher.exe" /s
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [PaperPort PTD] "c:\program files\dell printers\paperport\pptd40nt.exe"
    mRun: [IndexSearch] "c:\program files\dell printers\paperport\IndexSearch.exe"
    mRun: [DLPSP] "c:\program files\dell printers\additional color laser software\status monitor\DLPSP.EXE"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
    IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\h5eyszjt.default\
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\user\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\sony\media go\npmediago.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-23 216400]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-23 29584]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-23 243024]
    R1 dk2drv;DK2 WindowsNT Driver;c:\windows\system32\drivers\dk2drv.sys [2008-10-14 49712]
    R1 RapportCerberus_19917;RapportCerberus_19917;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    R2 DLSDB;Dell Printer Status Database;c:\program files\dell printers\additional color laser software\status monitor\dlsdbnt.exe [2010-4-14 140184]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
    R2 Softlok;Softlok;c:\windows\system32\drivers\SOFTLOK.SYS [2004-6-12 11136]
    R2 WinDriver;WinDriver;c:\windows\system32\drivers\windrvr.sys [2008-10-2 79260]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-2-24 27632]
    S2 gupdate1c9935d6f70843a;Google Update Service (gupdate1c9935d6f70843a);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-8-17 430152]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-10-9 13352]
    S3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2008-10-2 9344]
    S3 Sony Ericsson PCCompanion;Sony Ericsson PCCompanion;c:\program files\sony ericsson\sony ericsson pc companion\PCCService.exe [2010-10-18 153808]

    =============== Created Last 30 ================

    2010-10-23 09:45:24 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2010-10-23 09:28:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-23 09:28:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-23 09:28:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-23 09:28:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-23 08:38:17 -------- d-----w- c:\program files\Trend Micro
    2010-10-23 07:57:50 -------- d-sh--w- c:\documents and settings\user\IECompatCache
    2010-10-19 18:38:46 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-19 18:38:46 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-19 18:38:21 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-19 07:54:57 -------- d-----w- c:\program files\common files\Sony Shared
    2010-10-19 07:52:02 -------- d-----w- c:\program files\Sony Media Go Install
    2010-10-18 14:36:55 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Downloaded Installations
    2010-10-18 14:36:36 -------- d-----w- c:\program files\Sony
    2010-10-18 14:36:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation
    2010-10-18 13:40:46 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2010-10-18 13:21:08 581192 ----a-w- c:\windows\system32\WinUSBCoInstaller.dll
    2010-10-18 13:21:08 1112288 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
    2010-10-16 09:23:37 -------- d-----w- c:\docume~1\user\locals~1\applic~1\AVG Security Toolbar
    2010-10-11 09:24:12 -------- d-----w- c:\docume~1\user\applic~1\J River
    2010-10-03 22:43:44 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

    ==================== Find3M ====================

    2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
    2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

    ============= FINISH: 12:25:02.90 ===============

    Attach:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-21.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 23/09/2008 10:32:22
    System Uptime: 23/10/2010 10:59:21 (2 hours ago)

    Motherboard: Dell Computer Corp. | | 0U1325
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 77 GiB total, 33.471 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 108 GiB total, 84.295 GiB free.
    F: is CDROM ()
    G: is CDROM ()
    H: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP768: 25/07/2010 16:45:06 - System Checkpoint
    RP769: 26/07/2010 17:11:25 - System Checkpoint
    RP770: 27/07/2010 17:23:02 - System Checkpoint
    RP771: 28/07/2010 17:30:50 - System Checkpoint
    RP772: 29/07/2010 09:48:17 - Restore Point
    RP773: 30/07/2010 09:56:05 - System Checkpoint
    RP774: 31/07/2010 10:56:05 - System Checkpoint
    RP775: 01/08/2010 11:56:05 - System Checkpoint
    RP776: 02/08/2010 13:21:48 - System Checkpoint
    RP777: 03/08/2010 03:00:18 - Software Distribution Service 3.0
    RP778: 04/08/2010 03:21:38 - System Checkpoint
    RP779: 05/08/2010 04:21:38 - System Checkpoint
    RP780: 06/08/2010 04:36:08 - System Checkpoint
    RP781: 07/08/2010 04:58:13 - System Checkpoint
    RP782: 08/08/2010 05:58:11 - System Checkpoint
    RP783: 09/08/2010 06:58:12 - System Checkpoint
    RP784: 09/08/2010 08:09:52 - Installed Java(TM) 6 Update 21
    RP785: 10/08/2010 09:07:18 - System Checkpoint
    RP786: 11/08/2010 09:57:21 - System Checkpoint
    RP787: 12/08/2010 03:00:38 - Software Distribution Service 3.0
    RP788: 13/08/2010 03:38:28 - System Checkpoint
    RP789: 14/08/2010 03:42:57 - System Checkpoint
    RP790: 15/08/2010 04:42:57 - System Checkpoint
    RP791: 16/08/2010 05:40:41 - System Checkpoint
    RP792: 16/08/2010 20:47:04 - Avg Update
    RP793: 18/08/2010 00:43:38 - System Checkpoint
    RP794: 19/08/2010 01:42:58 - System Checkpoint
    RP795: 20/08/2010 02:52:25 - System Checkpoint
    RP796: 21/08/2010 03:40:26 - System Checkpoint
    RP797: 22/08/2010 03:43:05 - System Checkpoint
    RP798: 23/08/2010 04:43:05 - System Checkpoint
    RP799: 24/08/2010 04:43:21 - System Checkpoint
    RP800: 25/08/2010 05:52:50 - System Checkpoint
    RP801: 26/08/2010 06:43:21 - System Checkpoint
    RP802: 27/08/2010 07:43:22 - System Checkpoint
    RP803: 28/08/2010 08:47:39 - System Checkpoint
    RP804: 29/08/2010 09:43:22 - System Checkpoint
    RP805: 30/08/2010 10:56:22 - System Checkpoint
    RP806: 31/08/2010 12:19:34 - System Checkpoint
    RP807: 01/09/2010 12:50:09 - System Checkpoint
    RP808: 02/09/2010 13:26:07 - System Checkpoint
    RP809: 03/09/2010 15:12:34 - System Checkpoint
    RP810: 04/09/2010 15:28:07 - System Checkpoint
    RP811: 05/09/2010 16:14:40 - System Checkpoint
    RP812: 06/09/2010 16:40:06 - System Checkpoint
    RP813: 07/09/2010 16:47:25 - System Checkpoint
    RP814: 08/09/2010 17:39:11 - System Checkpoint
    RP815: 09/09/2010 18:18:33 - System Checkpoint
    RP816: 10/09/2010 19:18:32 - System Checkpoint
    RP817: 12/09/2010 00:29:48 - System Checkpoint
    RP818: 13/09/2010 00:42:26 - System Checkpoint
    RP819: 14/09/2010 01:17:01 - System Checkpoint
    RP820: 15/09/2010 01:31:35 - System Checkpoint
    RP821: 16/09/2010 01:32:05 - System Checkpoint
    RP822: 16/09/2010 03:00:32 - Software Distribution Service 3.0
    RP823: 17/09/2010 03:32:36 - System Checkpoint
    RP824: 18/09/2010 03:46:36 - System Checkpoint
    RP825: 19/09/2010 04:32:25 - System Checkpoint
    RP826: 20/09/2010 04:47:07 - System Checkpoint
    RP827: 21/09/2010 05:32:36 - System Checkpoint
    RP828: 22/09/2010 06:32:38 - System Checkpoint
    RP829: 23/09/2010 06:44:59 - System Checkpoint
    RP830: 23/09/2010 19:22:23 - Avg Update
    RP831: 23/09/2010 19:23:48 - Avg Update
    RP832: 24/09/2010 19:32:39 - System Checkpoint
    RP833: 25/09/2010 20:32:39 - System Checkpoint
    RP834: 27/09/2010 00:45:36 - System Checkpoint
    RP835: 28/09/2010 01:08:47 - System Checkpoint
    RP836: 29/09/2010 01:46:29 - System Checkpoint
    RP837: 29/09/2010 03:00:18 - Software Distribution Service 3.0
    RP838: 30/09/2010 03:57:13 - System Checkpoint
    RP839: 01/10/2010 04:32:55 - System Checkpoint
    RP840: 02/10/2010 05:40:39 - System Checkpoint
    RP841: 03/10/2010 06:32:56 - System Checkpoint
    RP842: 04/10/2010 07:54:28 - System Checkpoint
    RP843: 04/10/2010 19:17:30 - Avg Update
    RP844: 05/10/2010 19:32:56 - System Checkpoint
    RP845: 06/10/2010 20:45:57 - System Checkpoint
    RP846: 07/10/2010 03:00:19 - Software Distribution Service 3.0
    RP847: 08/10/2010 03:00:18 - Software Distribution Service 3.0
    RP848: 09/10/2010 03:58:07 - System Checkpoint
    RP849: 10/10/2010 03:58:13 - System Checkpoint
    RP850: 11/10/2010 04:32:58 - System Checkpoint
    RP851: 11/10/2010 10:27:37 - Removed FelixCAD 5 LT
    RP852: 11/10/2010 10:36:28 - Removed Sony Ericsson Media Manager 1.2a
    RP853: 12/10/2010 11:44:43 - System Checkpoint
    RP854: 13/10/2010 13:50:30 - System Checkpoint
    RP855: 14/10/2010 14:51:56 - Installed Rapport
    RP856: 15/10/2010 15:09:14 - System Checkpoint
    RP857: 16/10/2010 15:51:06 - System Checkpoint
    RP858: 18/10/2010 11:45:17 - System Checkpoint
    RP859: 18/10/2010 14:16:42 - Restore Point
    RP860: 18/10/2010 15:35:26 - Installed Windows XP KB942288-v3.
    RP861: 19/10/2010 15:39:18 - Installed Media Go Video Playback Engine 1.32.115.05250
    RP862: 20/10/2010 03:00:40 - Software Distribution Service 3.0
    RP863: 22/10/2010 10:02:47 - System Checkpoint
    RP864: 23/10/2010 10:08:56 - System Checkpoint

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    7500_7600_7700_Help
    AAC Decoder
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.3
    Adobe Setup
    Adobe Shockwave Player
    Apple Application Support
    Apple Software Update
    AutoUpdate
    Avanquest update
    AVG Free 9.0
    BPD_HPSU
    BPD_Scan
    BPDfax
    BPDSoftware
    BPDSoftware_Ini
    Critical Update for Windows Media Player 11 (KB959772)
    Crystal Reports 11 Drivers
    Dell MFP Laser 3115cn ScanButton Manager Ver.1.1.0.2
    Dell MFP Laser 3115cn Scanner Driver
    Dell MFP Laser 3115cn Utilities Ver.1.0.2.1
    Dell Printer Software
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DK2 DESkey Drivers v7.22.0.39
    DocProc
    DocProcQFolder
    EVEREST Ultimate Edition v4.60
    Facebook Plug-In
    Google Chrome
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    H.264 Decoder
    Highlight Viewer (Windows Live Toolbar)
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB945060-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Officejet Pro All-In-One Series
    hppIOFiles
    IconPackager
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Java Auto Updater
    Java(TM) 6 Update 21
    Java(TM) 6 Update 4
    Java(TM) 6 Update 7
    L7500
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    Media Go
    Media Go Video Playback Engine 1.32.115.05250
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2008 Management Objects
    Microsoft SQL Server 2008 Native Client
    Microsoft SQL Server Management Objects Collection
    Microsoft SQL Server Native Client
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft WinUsb 1.0
    Microsoft Works 6-9 Converter
    MKV Splitter
    Mozilla Firefox (3.5.8)
    MPM
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    Nero Suite
    OCR Software by I.R.I.S 7.0
    OpenAL
    OpenOffice.org 3.1
    PaperPort Image Printer
    PlayStation(R)Network Downloader
    PlayStation(R)Store
    PowerISO
    ProductContext
    QuickTime
    Rapport
    RealPlayer
    RealUpgrade 1.0
    Replay Music
    Scan
    ScanSoft PaperPort 11
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Serif PagePlus 11
    Smart Menus (Windows Live Toolbar)
    Sony Ericsson PC Companion 2.00.146
    SoundMAX
    SQL Server System CLR Types
    UnloadSupport
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Outlook 2007 Junk Email Filter (kb2410711)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Service
    VC80CRTRedist - 8.0.50727.4053
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Favorites for Windows Live Toolbar
    Windows Live installer
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3
    WinRAR archiver

    ==== Event Viewer Messages From Past Week ========

    23/10/2010 12:01:49, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
    23/10/2010 11:57:00, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    23/10/2010 09:50:49, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    23/10/2010 09:50:49, error: Service Control Manager [7034] - The Dell Printer Status Watcher service terminated unexpectedly. It has done this 1 time(s).
    23/10/2010 09:50:49, error: Service Control Manager [7034] - The Dell Printer Status Database service terminated unexpectedly. It has done this 1 time(s).
    23/10/2010 09:50:49, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    23/10/2010 09:25:38, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    23/10/2010 09:25:02, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    23/10/2010 09:24:46, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    18/10/2010 08:45:15, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 000D56FB5042 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    18/10/2010 08:22:18, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    18/10/2010 08:22:18, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    18/10/2010 02:23:52, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    18/10/2010 00:55:57, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    18/10/2010 00:55:57, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.

    ==== End Of File ===========================

    Any help would be appreciated.

    Thanks,
    Clive
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Clive. I'll help with the malware. You had an infection that changes the DNS. Mbam handled it, but let's make sure you're back to normal:

    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4]. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5]. With the router unplugged, start your computer. Run MBAM again.
      [6]. Connect to the router again. Then turn the router back on.
      [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    ============================================
    After completing the above, let's see what we're dealing with:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===================================
    Then you can go on to download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix.

    Paste the logs for these into your next reply- OK to use multiple posts if needed. You have a Rootkit and I will handle that after the Combofix scan. IF you have any problem along the way, please stop and ask me about it.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
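    The DNS-changing infection Bobbye refers to works by writing attacker resolvers into the static NameServer values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (the global value and the per-adapter values under Interfaces\{GUID}); a static NameServer overrides whatever the router hands out in DhcpNameServer, which is why the machine keeps resolving through the attacker even after the router is reset. The script below is an added example, not something posted in this thread or shipped with any of the tools it mentions: it parses the output of a `reg query ... /s /v NameServer` run (the sample text is constructed, with 203.0.113.x placeholders standing in for an attacker's resolvers) and flags every key whose static override is not the expected LAN resolver. The expected resolver, 192.168.1.1, is an assumption taken from the DHCP server address in the event log above; change it for a different LAN.

```python
"""Audit Windows static DNS (NameServer) registry values for DNS-changer
style hijacks. Added example for this thread, not original to it; parses
constructed `reg query` output so it runs offline on any platform."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the shape that
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /s /v NameServer
# prints on XP (exact spacing varies, the parser tolerates it). The GUIDs are
# invented and 203.0.113.x is a documentation-range placeholder for the
# attacker's resolvers; 192.168.1.1 is the LAN router.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ    203.0.113.10,203.0.113.11

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-1111-2222-3333-444444444444}
    NameServer    REG_SZ    203.0.113.10,203.0.113.11

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{55555555-6666-7777-8888-999999999999}
    NameServer    REG_SZ    192.168.1.1
"""

# Assumption: the only resolver this LAN should use is the router that the
# event log shows handing out DHCP leases. Anything else in a *static*
# NameServer value was put there by someone; on a DHCP client that someone
# is usually malware.
EXPECTED_RESOLVERS = {"192.168.1.1"}

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\\S+)\s*$")
VALUE_RE = re.compile(r"^\s+NameServer\s+REG_SZ\s*(.*?)\s*$")


def parse_nameservers(reg_output: str) -> Dict[str, List[str]]:
    """Map each registry key to the IPs in its NameServer value.
    Windows separates multiple servers with commas or spaces; an empty
    value means 'no static override, DhcpNameServer applies'."""
    result: Dict[str, List[str]] = {}
    current_key = None
    for line in reg_output.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            raw = value_match.group(1)
            result[current_key] = [s for s in re.split(r"[,\s]+", raw) if s]
    return result


def classify(server: str) -> str:
    """'expected', 'unexpected' (valid IP, not on the allowlist) or 'malformed'."""
    try:
        ipaddress.ip_address(server)
    except ValueError:
        return "malformed"
    return "expected" if server in EXPECTED_RESOLVERS else "unexpected"


def find_rogue(entries: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keys whose static NameServer points anywhere but the expected resolvers."""
    rogue: Dict[str, List[str]] = {}
    for key, servers in entries.items():
        bad = [s for s in servers if classify(s) != "expected"]
        if bad:
            rogue[key] = bad
    return rogue


def remediation_commands(rogue: Dict[str, List[str]]) -> List[str]:
    """Commands that restore the default (empty) static value so the
    DHCP-supplied servers apply again, then flush the resolver cache.
    Review before running; reg.exe and ipconfig are standard on XP."""
    cmds = [f'reg add "{key}" /v NameServer /t REG_SZ /d "" /f' for key in rogue]
    if cmds:
        cmds.append("ipconfig /flushdns")
        cmds.append("ipconfig /all")  # confirm the 'DNS Servers' line afterwards
    return cmds


if __name__ == "__main__":
    found = find_rogue(parse_nameservers(SAMPLE_REG_QUERY))
    for key, bad in found.items():
        print(f"ROGUE {key}\n      -> {', '.join(bad)}")
    print("\n".join(remediation_commands(found)))
```

    Run the real `reg query` on the suspect machine, feed its output to `parse_nameservers`, and treat any key `find_rogue` reports as the hijack; after clearing the values, `ipconfig /all` should list only the router (or whatever the DHCP server hands out) under "DNS Servers". If the router itself was reconfigured, that line will still show a wrong address even when the registry is clean, which is the case Bobbye's router reset is meant to cover.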
     
  4. Broday

    Broday TS Rookie Topic Starter

    Will try and get into work to do this tomorrow, if not will be monday.
    Thanks for your help.
     
  5. Broday

    Broday TS Rookie Topic Starter

    Can I just do a dns flush without resetting the router? All my phones run through the router and it'll screw up all the settings, which I can't access. If needs be have to get in touch with the phone company to do the resetting.
     
  6. Broday

    Broday TS Rookie Topic Starter

    Slight problem - combofix will not run, double click on it, select run, get a spike in cpu activity (can see from task manager) but it won't run. MBAM found nothing again and the ESET log is below


    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=08d273eb81fe01498b58209e640fd0b5
    # end=stopped
    # remove_checked=false
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-25 03:22:38
    # local_time=2010-10-25 04:22:38 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 197061 197061 0 0
    # compatibility_mode=1024 16777175 100 0 28453727 28453727 0 0
    # compatibility_mode=8192 67108863 100 0 506 506 0 0
    # scanned=76
    # found=0
    # cleaned=0
    # scan_time=225
    ESETSmartInstaller@High as downloader log:
    all ok
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=08d273eb81fe01498b58209e640fd0b5
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-10-25 07:29:28
    # local_time=2010-10-25 08:29:28 (+0000, GMT Daylight Time)
    # country="United Kingdom"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 197182 197182 0 0
    # compatibility_mode=1024 16777175 100 0 28453848 28453848 0 0
    # compatibility_mode=8192 67108863 100 0 627 627 0 0
    # scanned=171922
    # found=1
    # cleaned=0
    # scan_time=14703
    E:\Program Files\BitLord\Downloads\ConvertX to DVD v.3.5.2.137 FINAL\Keygen BRD\Keygen.exe a variant of Win32/Keygen.AS application 00000000000000000000000000000000 I
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have a pirated program. Please remove it for continued support:
    E:\Program Files\BitLord\Downloads\ConvertX to DVD v.3.5.2.137 FINAL\Keygen BRD\Keygen.exe

    Run the following:

    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.
     
  8. Broday

    Broday TS Rookie Topic Starter

    Program removed.

    CKS report:


    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11
    ----- EOF -----
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't see the scanner results for the CKScan. But I do know that you have at least one pirated program and until that's removed, support won't continue.
     
  10. Broday

    Broday TS Rookie Topic Starter

    Have removed the program, then run CKS and results are as displayed above. Program had been installed to convert a video to dvd files so that I could write them, was then removed. All that was left were the files that I downloaded - installation files and a keygen. These are now removed.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      	
      :Files  
      E:\Program Files\BitLord\Downloads\ConvertX to DVD v.3.5.2.137 FINAL\Keygen BRD\Keygen.exe
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ========================================
    Download TDSSKiller. Extract the zipped file to your desktop.

    Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
    Code:
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
    
    • This will have the program write a detailed log
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
    • Follow the prompts and attach the report to your next reply.
    =======================================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs, when you're done with Combofix.
     
  12. Broday

    Broday TS Rookie Topic Starter

    I can't run OTM, keeps coming up with OTM has encountered a problem...
    Have you got another version of it that I can try to run?
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The entry is from the E drive. Is that accessible?
     
  14. Broday

    Broday TS Rookie Topic Starter

    Hi, E drive is accessible (was a drive from an old computer that I put in for extra storage, don't actually use it any more - and could probably format it) but otm doesn't even load. Double click on it and just get program has encountered a problem come up
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, no shortcuts here, TDL3 is blocking the programs you need to run:
    From GMER:
    File C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious modification; TDL3 <-- ROOTKIT !!!
    TDL3 is the name of a family of rootkits for the Windows operating system that downloads and executes other malware, delivers advertisements to your computer, and blocks programs from running. This rootkit infects your computer in various ways that include replacing hard disk drivers with malicious versions. The TDSS rootkit is an intrusive infection that takes over your machine and is very difficult to remove.
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot might be required after disinfection.
    ===========================================
    Get this done and it should enable you to then run the other programs.
     
  16. Broday

    Broday TS Rookie Topic Starter

    Hi, have run tds and quarantined the file but still cannot run OTM.
     
Topic Status:
Not open for further replies.
