This started a couple days ago with both IE and Chrome. Searching at Google, lycos, altavista, etc. produces a series of relevant links; however, when clicked I am redirected to random sites for cheap airfare, etc. I can usually get a successful link click ONCE after a reboot.
Clicking the search button on Wikipedia results in an immediate redirect.
Redirects seem to involve a delay of several seconds vs. opening a typed page almost immediately.
Links on techspot pages leading to software downloads are not redirected.
Prior to this post I tried troubleshooting myself which included running Hijackthis, Avast, MBAM, superantispyware and combofix. It seemed to run successfully, but the issue remained. I punted and did a system restore back to 2/24 and am deferring to the experts here. All logs supplied are POST restore, so my previous efforts have hopefully been wiped out, and you are starting fresh.
Lastly, seeing that another user suffered from a router hijack, I checked my DNS, and they are as expected from my ISP. Additionally, of the five computers serviced by the router, the issue exists on only the one.
Step 1: Avast Home 6.0.1000 with 110226-0 definitions indicated no infections.
Step 2: TFC completed normally.
Step 3: MBAM indicates no infections:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5884
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/26/2011 10:06:23 AM
mbam-log-2011-02-26 (10-06-23).txt
Scan type: Quick scan
Objects scanned: 203916
Time elapsed: 3 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Step 4: GMER log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-26 10:11:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18 WDC_WD5000AAKB-00H8A0 rev.05.04E05
Running: l96qigpz.exe; Driver: h:\temp\uxtdypod.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAB8AC026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAB8ABE91]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAB9418DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi \Device\Ide\IdePort0 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [B9E2BB40] atapi.sys[unknown section] {MOV EAX, 0x8a5cd008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb9eec684; RET }
Device \Driver\viamraid \Device\Scsi\viamraid1 8A5CDE30
Device \Driver\viamraid \Device\Scsi\viamraid1Port2Path0Target2Lun0 8A5CDE30
Device \Driver\dtscsi \Device\Scsi\dtscsi1 89F5D6F8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 89F5D6F8
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Ntfs \Ntfs 8A5CD8C0
AttachedDevice \FileSystem\Ntfs \Ntfs SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Fastfat \Fat 8A1330E8
AttachedDevice \FileSystem\Fastfat \Fat SymSnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- EOF - GMER 1.0.15 ----
Step 5: DDS (NOTE that dds.scr would simply open in Notepad. I appended ".exe", and it ran normally.)
DDS.TXT:
DDS (Ver_10-12-12.02) - NTFSx86
Run by Steve at 10:14:33.29 on Sat 02/26/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1365 [GMT -7:00]
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\Program Files\Alwil Software\Avast5\AvastSvc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
H:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
H:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
I:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
H:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
H:\WINDOWS\System32\svchost.exe -k imgsvc
H:\Program Files\UGS\UGSLicensing\lmgrd.exe
H:\Program Files\VIA\RAID\vialogsv.exe
H:\Program Files\UGS\UGSLicensing\lmgrd.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\UGS\UGSLicensing\ugslmd.exe
H:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
H:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
H:\Program Files\VIA\RAID\raid_tool.exe
H:\Program Files\Alwil Software\Avast5\avastUI.exe
H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\Documents and Settings\Deb\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\system32\mmc.exe
H:\Documents and Settings\Deb\Desktop\dds.scr.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - i:\progra~1\spybot~1\SDHelper.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "h:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [PeerBlock] h:\program files\peerblock\peerblock.exe
uRun: [SUPERAntiSpyware] h:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "h:\documents and settings\deb\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [EVEMon] "i:\program files\evemon\EVEMon.exe" -startMinimized
uRun: [Skype] "h:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [VIARaidUtl] h:\program files\via\raid\raid_tool.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [QuickTime Task] "h:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast!] h:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AMD_Display] h:\program files\amd\amd power monitor\AMD_PwrMon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [StartCCC] "h:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [avast] "h:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: h:\docume~1\alluse~1.win\startm~1\programs\startup\timexd~1.lnk - h:\program files\timex\data link usb\DataLinkLauncher.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - h:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - h:\program files\microsoft activesync\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - i:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com\ttlc
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {9E94E966-7FDB-457F-B092-7509BD1FA11A} = 68.105.28.11,68.105.29.11
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - h:\program files\microsoft activesync\aatp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - h:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - h:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\dap\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - h:\progra~1\dap\dapie.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - h:\program files\microsoft activesync\CENetFlt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - h:\program files\microsoft activesync\CENetFlt.dll
Notify: !SASWinLogon - h:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - e:\program files\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - h:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.avast.com
Hosts: 127.0.0.1 www.avg.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.eset.com
Hosts: 127.0.0.1 www.f-secure.com
Note: multiple HOSTS entries found. Please refer to Attach.txt
============= SERVICES / DRIVERS ===============
R1 aswSnx;aswSnx;h:\windows\system32\drivers\aswSnx.sys [2011-2-26 371544]
R1 aswSP;aswSP;h:\windows\system32\drivers\aswSP.sys [2010-8-2 301528]
R1 SASDIFSV;SASDIFSV;h:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;h:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;h:\windows\system32\drivers\aswFsBlk.sys [2010-8-2 19544]
R2 avast! Antivirus;avast! Antivirus;h:\program files\alwil software\avast5\AvastSvc.exe [2010-8-2 42184]
R2 MotoConnect Service;MotoConnect Service;h:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-6-27 91392]
R2 RUBotted;Trend Micro RUBotted Service;h:\program files\trend micro\rubotted\TMRUBotted.exe [2010-2-24 582992]
R2 UGS License Server (ugslmd);UGS License Server (ugslmd);h:\program files\ugs\ugslicensing\lmgrd.exe [2008-4-22 1372160]
R2 VRAID Log Service;VRAID Log Service;h:\program files\via\raid\vialogsv.exe [2009-5-20 52888]
R3 AmdTools;AMD Special Tools Driver;h:\windows\system32\drivers\AmdTools.sys [2009-5-20 34304]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [2009-5-20 38656]
R3 TMPassthruMP;TMPassthruMP;h:\windows\system32\drivers\TMPassthru.sys [2010-2-24 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;h:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);h:\program files\google\update\GoogleUpdate.exe [2010-2-16 135664]
S2 TTDec;ATI WDM Teletext Decoder;h:\windows\system32\drivers\atinttxx.sys --> h:\windows\system32\drivers\ATINTTXX.sys [?]
S3 Amazon Download Agent;Amazon Download Agent;h:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-4-12 319488]
S3 androidusb;ADB Interface Driver;h:\windows\system32\drivers\motoandroid.sys [2010-6-27 25856]
S3 cpuz132;cpuz132;h:\windows\system32\drivers\cpuz132_x32.sys [2009-6-16 12672]
S3 epmntdrv;epmntdrv;h:\windows\system32\epmntdrv.sys [2010-8-15 13192]
S3 EuGdiDrv;EuGdiDrv;h:\windows\system32\EuGdiDrv.sys [2010-8-15 8456]
S3 GETND5BV;VIA Networking Velocity-Family Giga-bit Ethernet Adapter Driver;h:\windows\system32\drivers\getnd5bv.sys [2007-12-28 46080]
S3 MotDev;Motorola Inc. USB Device;h:\windows\system32\drivers\motodrv.sys [2010-6-27 42752]
S3 SUSTUCAU;Susteen USB Cable USB Driver;h:\windows\system32\drivers\sustucau.sys [2007-4-4 21376]
S3 TMPassthru;Trend Micro Passthru Ndis Service;h:\windows\system32\drivers\TMPassthru.sys [2010-2-24 206608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;h:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== File Associations ===============
.scr=AutoCADScriptFile
=============== Created Last 30 ================
2099-07-09 05:22:02 -------- d-----w- h:\program files\common files\Insight Software Solutions
2099-07-09 05:22:01 -------- d-----w- h:\program files\Macro Express3
2020-11-03 13:37:15 -------- d-----w- h:\program files\SlySoft
2011-02-26 17:14:32 98816 ----a-w- h:\temp\3a.tmp\SED.DAT
2011-02-26 17:14:32 89088 ----a-w- h:\temp\3a.tmp\MBR.DAT
2011-02-26 17:14:32 518144 ----a-w- h:\temp\3a.tmp\SWREG.DAT
2011-02-26 17:14:32 256512 ----a-w- h:\temp\3a.tmp\PEV.DAT
2011-02-26 16:59:17 355056 ----a-w- h:\temp\SSUPDATE.EXE
2011-02-26 16:14:51 371544 ----a-w- h:\windows\system32\drivers\aswSnx.sys
2011-02-26 15:52:21 -------- d-----w- h:\windows\system32\wbem\repository\FS
2011-02-26 15:52:21 -------- d-----w- h:\windows\system32\wbem\Repository
2011-02-26 15:50:25 -------- d-----w- h:\program files\EVE Metrics Uploader
2011-02-26 15:50:19 -------- d-sh--w- H:\$RECYCLE.BIN
2011-02-25 04:37:44 -------- d-----w- h:\docume~1\deb\applic~1\Malwarebytes
2011-02-25 04:26:34 38224 ----a-w- h:\windows\system32\drivers\mbamswissarmy.sys
2011-02-25 04:26:32 -------- d-----w- h:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-02-25 04:26:28 20952 ----a-w- h:\windows\system32\drivers\mbam.sys
2011-02-25 04:26:28 -------- d-----w- h:\program files\Malwarebytes' Anti-Malware
2011-02-18 07:02:21 -------- d-----w- H:\AutoCad
2011-02-10 01:10:54 1716297 ----a-w- h:\windows\system32\InetClnt.dll
2011-01-31 04:58:00 -------- d-----w- h:\program files\Rhinoceros 4.0
==================== Find3M ====================
2011-02-23 15:04:21 40648 ----a-w- h:\windows\avastSS.scr
2011-01-21 14:44:37 439296 ----a-w- h:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- h:\windows\system32\atmfd.dll
2011-01-05 03:13:02 57344 ----a-w- h:\windows\system32\aticalrt.dll
2011-01-05 03:12:52 53248 ----a-w- h:\windows\system32\aticalcl.dll
2011-01-05 03:11:42 4489216 ----a-w- h:\windows\system32\aticaldd.dll
2011-01-05 03:11:14 17084416 ----a-w- h:\windows\system32\atioglxx.dll
2011-01-05 03:00:30 462848 ----a-w- h:\windows\system32\ATIDEMGX.dll
2011-01-05 02:59:24 302080 ----a-w- h:\windows\system32\ati2dvag.dll
2011-01-05 02:53:36 311296 ----a-w- h:\windows\system32\atiiiexx.dll
2011-01-05 02:53:16 4021984 ----a-w- h:\windows\system32\ati3duag.dll
2011-01-05 02:46:12 1112576 ----a-w- h:\windows\system32\ativvamv.dll
2011-01-05 02:39:46 212992 ----a-w- h:\windows\system32\atipdlxx.dll
2011-01-05 02:39:32 155648 ----a-w- h:\windows\system32\Oemdspif.dll
2011-01-05 02:39:22 26112 ----a-w- h:\windows\system32\Ati2mdxx.exe
2011-01-05 02:39:14 43520 ----a-w- h:\windows\system32\ati2edxx.dll
2011-01-05 02:39:02 188416 ----a-w- h:\windows\system32\ati2evxx.dll
2011-01-05 02:37:32 638976 ----a-w- h:\windows\system32\ati2evxx.exe
2011-01-05 02:36:54 2670464 ----a-w- h:\windows\system32\ativvaxx.dll
2011-01-05 02:36:00 53248 ----a-w- h:\windows\system32\ATIDDC.DLL
2011-01-05 02:35:12 143360 ----a-w- h:\windows\system32\atiapfxx.exe
2011-01-05 02:31:10 651264 ----a-w- h:\windows\system32\atikvmag.dll
2011-01-05 02:29:18 196608 ----a-w- h:\windows\system32\atiadlxx.dll
2011-01-05 02:28:52 17408 ----a-w- h:\windows\system32\atitvo32.dll
2011-01-05 02:28:18 471040 ----a-w- h:\windows\system32\atiok3x2.dll
2011-01-05 02:22:50 851968 ----a-w- h:\windows\system32\ati2cqag.dll
2011-01-05 02:20:56 64512 ----a-w- h:\windows\system32\atimpc32.dll
2011-01-05 02:20:56 64512 ----a-w- h:\windows\system32\amdpcom32.dll
2010-12-31 13:10:33 1854976 ----a-w- h:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- h:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- h:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- h:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- h:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- h:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- h:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- h:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- h:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- h:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- h:\windows\system32\ntkrnlpa.exe
2010-12-07 19:14:06 51200 ----a-w- h:\windows\system32\OpenCL.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD5000AAKB-00H8A0 rev.05.04E05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-18
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x8A5CDB78]<<
_asm { MOV EAX, 0x8a5cda98; XCHG [ESP], EAX; PUSH EAX; PUSH 0x8a5d0c94; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A51F670]
\Driver\Disk[0x8A537A08] -> IRP_MJ_CREATE -> 0x8A5CDB78
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x8a5cdb78
user & kernel MBR OK
Warning: possible MBR rootkit infection !
============= FINISH: 10:15:35.23 ===============
ATTACH.EXE
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-12-12.02)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/28/2008 9:10:16 PM
System Uptime: 2/26/2011 9:56:59 AM (1 hours ago)
Motherboard: ASUSTeK Computer INC. | | M2V-X
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | SOCKET AM2 | 2999/200mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (FAT32) - 60 GiB total, 11.498 GiB free.
D: is FIXED (NTFS) - 20 GiB total, 7.445 GiB free.
E: is FIXED (NTFS) - 20 GiB total, 15.776 GiB free.
F: is CDROM ()
G: is CDROM ()
H: is FIXED (NTFS) - 360 GiB total, 188.616 GiB free.
I: is FIXED (NTFS) - 26 GiB total, 15.648 GiB free.
J: is CDROM ()
M: is FIXED (NTFS) - 213 GiB total, 14.871 GiB free.
P: is FIXED (NTFS) - 149 GiB total, 0.368 GiB free.
T: is NetworkDisk (NTFS) - 292 GiB total, 43.171 GiB free.
==== Disabled Device Manager Items =============
Class GUID:
Description:
Device ID: ACPI\AWY0001\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\AWY0001\2&DABA3FF&0
Service:
==== System Restore Points ===================
RP1: 2/24/2011 9:43:15 PM - System Checkpoint
RP2: 2/25/2011 7:01:25 AM - Installed HiJackThis
RP3: 2/26/2011 8:34:02 AM - Restore Operation
RP4: 2/26/2011 8:48:57 AM - Restore Operation
==== Hosts File Hijack ======================
Hosts: 127.0.0.1 www.avast.com
Hosts: 127.0.0.1 www.avg.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.eset.com
Hosts: 127.0.0.1 www.f-secure.com
Hosts: 127.0.0.1 www.grisoft.com
Hosts: 127.0.0.1 www.kaspersky.com
Hosts: 127.0.0.1 www.mcafee.com
Hosts: 127.0.0.1 www.microsoft.com
Hosts: 127.0.0.1 www.pandasecurity.com
Hosts: 127.0.0.1 www.sophos.com
Hosts: 127.0.0.1 www.symantec.com
Hosts: 127.0.0.1 www.trendmicro.com
Hosts: 127.0.0.1 www.viruslist.com
Hosts: 127.0.0.1 www.virustotal.com
==== Installed Programs ======================
µTorrent
7-Zip 4.65
AC-3 ACM Codec
Acronis*True*Image*WD*Edition
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.6
Amazon Games & Software Downloader
AMD CPUInfo
AMD Power Monitor
AMD Processor Driver
Apple Software Update
ASUS Wireless Router WL-520GC Utilities
ASUSUpdate
ATI Catalyst Install Manager
ATI Stream SDK v2 Developer
Attansic Giga Ethernet Utility
Attansic L1 Gigabit Ethernet Driver
Auto Gordian Knot 2.55
AutoCAD 2002
AutoHotkey 1.0.48.03
AutoUpdate
avast! Free Antivirus
AviSynth 2.5
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
BitPim 1.0.7
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
CCleaner
CloneDVD2
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
Contribtastic 2.0-alpha
Cool & Quiet
CPUID HWMonitor 1.15
DAO
Data Lifeguard Diagnostic for Windows
Data Lifeguard Tools
Defraggler
DIKO 2.47
DivX
Download Accelerator Plus (DAP)
Driver Sweeper 1.5.5
Dual-Core Optimizer
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab 6.2.1.8 (31/12/2009)
DVDFab 7.0.9.3 (08/08/2010)
DVDFab 8.0.3.2 (30/10/2010)
DWGeditor
EASEUS Partition Master 6.1.1 Home Edition
eDrawings 2006
EVE Metrics Uploader
EVE Online (remove only)
EveHQ
EVEMon
ffdshow [rev 3154] [2009-12-09]
Fomine WinPopup 1.5
Free Video to iPod Converter version 3.1
FreeRIP v3.30
Google Chrome
Google Earth
Google Update Helper
H-BOT EVE-Pilot
HandBrake 0.9.5
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP USB Disk Storage Format Tool
IrfanView (remove only)
IsoBuster 2.3
Java(TM) 6 Update 17
LimeWire 5.5.8
Logitech QuickCam for Enterprise
Logitech QuickCam for Enterprise Driver Package
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft ActiveSync 3.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2000 Premium
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 8.0 Support DLLs
Motorola Driver Installation 4.2.0
MP3 Tester Demo
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero - Burning Rom
NVTweak
PC Probe II
PDFCreator
PeerBlock 1.1 (r518)
Platform
PowerDVD
QuickTime
RAD Video Tools
Realtek High Definition Audio Driver
Recuva
Rhinoceros 3.0
Rhinoceros 3.0 SR3c
Rhinoceros 4.0 SR6
Rhinoceros 4.0 SR8
RSDLite
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
sentinelsystemdriver
SightSpeed
Skype Toolbars
Skype™ 5.0
SolidWorks 2006 SP0
SolidWorks eDrawings 2011
Speccy
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SUPERAntiSpyware
System Requirements Lab
The Lord of the Rings FREE Trial
thinkorswim
thinkorswim from TD AMERITRADE
Timex Data Link USB
Trend Micro RUBotted
TurboTax 2008
TurboTax 2008 waziper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 waziper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
Tweakui Powertoy for Windows XP
UGS NX 6.0
UGSLicensing
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB955759)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Ventrilo Client
VIA Platform Device Manager
Videora iPod Converter 5.04
VNC Free Edition 4.1.2
VobSub v2.23 (Remove Only)
WebFldrs XP
Wii Video 9 6
Winamp
Winamp Detector Plug-in
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 9 Series TweakMP PowerToy
Windows Support Tools
WinFF 1.1
WinRAR archiver
WinZip
XviD MPEG4 Video Codec (remove only)
YouTube Downloader App 3.00
==== Event Viewer Messages From Past Week ========
2/26/2011 9:55:03 AM, error: Service Control Manager [7034] - The UGS License Server (ugslmd) service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:03 AM, error: Service Control Manager [7034] - The Trend Micro RUBotted Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:03 AM, error: Service Control Manager [7031] - The MotoConnect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The LVCOMSer service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Acronis Scheduler2 Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 8:59:46 AM, error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
2/26/2011 8:48:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK8 AsIO aswRdr aswSnx aswSP aswTdi ElbyCDIO Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip V2IMount
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/25/2011 7:58:18 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
2/25/2011 7:15:43 AM, error: Service Control Manager [7034] - The VRAID Log Service service terminated unexpectedly. It has done this 1 time(s).
2/25/2011 12:53:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: viaagp1 ViaIde
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The Specialized PCD WDM VBI Codec service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI WDM Teletext Decoder service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder Video Crossbar service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder TV Tuner service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder Audio Crossbar service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 1:23:23 AM, error: Service Control Manager [7001] - The Network DDE service depends on the Network DDE DSDM service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2/25/2011 1:23:23 AM, error: Service Control Manager [7000] - The ATI TV Wonder Video Capture service failed to start due to the following error: The system cannot find the file specified.
2/24/2011 9:04:54 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
2/24/2011 2:41:59 PM, error: TermDD [50] - The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
2/22/2011 6:00:59 AM, error: sptd [4] - Driver detected an internal error in its data structures for .
2/21/2011 4:26:00 PM, error: TermServDevices [1111] - Driver hp LaserJet 3015 PCL 6 required for printer !!FRONTDESK!hp LaserJet 3015 PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
2/21/2011 4:25:58 PM, error: TermServDevices [1111] - Driver HP Designjet 500PS 24 by HP required for printer HP 500 is unknown. Contact the administrator to install the driver before you log in again.
2/21/2011 4:25:58 PM, error: TermServDevices [1111] - Driver Canon MF5700 Series (FAX) required for printer FAX (Canon) is unknown. Contact the administrator to install the driver before you log in again.
2/21/2011 4:25:50 PM, error: TermServDevices [1111] - Driver Canon MF5700 Series required for printer Canon Laser is unknown. Contact the administrator to install the driver before you log in again.
==== End Of File ===========================
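The DDS log's "Hosts File Hijack" section shows security-vendor sites (www.avast.com, www.microsoft.com, www.virustotal.com and others) mapped to 127.0.0.1, a common trick to keep a victim from reaching updates, scanners and cleanup tools. As an added example that is not part of the original post, the script below parses a Windows hosts file and flags exactly that pattern: a security-vendor domain sinkholed to a loopback or unspecified address. The vendor list and the sample hosts text are constructed for the example (seeded from the domains in the log), not taken from the affected machine; on a real system the file is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Flag hosts-file entries that sinkhole security-vendor domains.

Added example, not code from the original post. SAMPLE_HOSTS is a
constructed file mirroring the style of entries reported by DDS.
"""
import ipaddress

# Assumption for the example: vendor registered domains worth watching,
# seeded from the domains listed in the DDS "Hosts File Hijack" section.
SECURITY_VENDOR_DOMAINS = {
    "avast.com", "avg.com", "bitdefender.com", "eset.com", "f-secure.com",
    "grisoft.com", "kaspersky.com", "mcafee.com", "microsoft.com",
    "pandasecurity.com", "sophos.com", "symantec.com", "trendmicro.com",
    "viruslist.com", "virustotal.com", "malwarebytes.org",
}

# Constructed sample input: a normal localhost line, a LAN host, an ad
# blocker entry, and several vendor sites pointed at loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.avast.com
127.0.0.1 www.avg.com
127.0.0.1 www.microsoft.com
::1 localhost
192.168.1.50 fileserver.lan
0.0.0.0 ad.doubleclick.net
127.0.0.1 www.virustotal.com # trailing comment
"""


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every active mapping.

    Comments (from '#' to end of line) and blank lines are skipped; a line
    that maps several names to one address yields one tuple per name.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield lineno, ip, name.lower()


def registered_domain(hostname):
    """Collapse a hostname to its last two labels (www.avast.com -> avast.com).

    Assumption: a two-label suffix is adequate for the .com/.org vendor
    domains used here; it is not a full public-suffix lookup.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def is_sinkhole(ip):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text, vendor_domains=SECURITY_VENDOR_DOMAINS):
    """Return [(lineno, ip, hostname)] for vendor domains sent to a sinkhole.

    The legitimate 'localhost' mapping is ignored; anything else that sends a
    watched vendor domain to loopback/unspecified is reported.
    """
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_sinkhole(ip) and registered_domain(name) in vendor_domains:
            hits.append((lineno, ip, name))
    return hits


if __name__ == "__main__":
    for lineno, ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}  (security vendor sinkholed)")
```

A hit from this check is an indicator, not a cleanup: with the same log also reporting a hooked \Driver\Disk entry and "possible MBR rootkit infection", a hosts file restored by hand can simply be rewritten on the next boot, so the hosts entries should be read alongside the rootkit finding rather than fixed in isolation.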
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
sentinelsystemdriver
SightSpeed
Skype Toolbars
Skype™ 5.0
SolidWorks 2006 SP0
SolidWorks eDrawings 2011
Speccy
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SUPERAntiSpyware
System Requirements Lab
The Lord of the Rings FREE Trial
thinkorswim
thinkorswim from TD AMERITRADE
Timex Data Link USB
Trend Micro RUBotted
TurboTax 2008
TurboTax 2008 waziper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 waziper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
Tweakui Powertoy for Windows XP
UGS NX 6.0
UGSLicensing
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB955759)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Ventrilo Client
VIA Platform Device Manager
Videora iPod Converter 5.04
VNC Free Edition 4.1.2
VobSub v2.23 (Remove Only)
WebFldrs XP
Wii Video 9 6
Winamp
Winamp Detector Plug-in
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 9 Series TweakMP PowerToy
Windows Support Tools
WinFF 1.1
WinRAR archiver
WinZip
XviD MPEG4 Video Codec (remove only)
YouTube Downloader App 3.00
==== Event Viewer Messages From Past Week ========
2/26/2011 9:55:03 AM, error: Service Control Manager [7034] - The UGS License Server (ugslmd) service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:03 AM, error: Service Control Manager [7034] - The Trend Micro RUBotted Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:03 AM, error: Service Control Manager [7031] - The MotoConnect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 6000 milliseconds: Restart the service.
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The LVCOMSer service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 9:55:02 AM, error: Service Control Manager [7034] - The Acronis Scheduler2 Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 8:59:46 AM, error: Service Control Manager [7022] - The avast! Antivirus service hung on starting.
2/26/2011 8:48:37 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK8 AsIO aswRdr aswSnx aswSP aswTdi ElbyCDIO Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip V2IMount
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2/26/2011 8:48:37 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2/25/2011 7:58:18 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
2/25/2011 7:15:43 AM, error: Service Control Manager [7034] - The VRAID Log Service service terminated unexpectedly. It has done this 1 time(s).
2/25/2011 12:53:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: viaagp1 ViaIde
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The Specialized PCD WDM VBI Codec service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI WDM Teletext Decoder service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder Video Crossbar service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder TV Tuner service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 12:53:31 AM, error: Service Control Manager [7000] - The ATI TV Wonder Audio Crossbar service failed to start due to the following error: The system cannot find the file specified.
2/25/2011 1:23:23 AM, error: Service Control Manager [7001] - The Network DDE service depends on the Network DDE DSDM service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2/25/2011 1:23:23 AM, error: Service Control Manager [7000] - The ATI TV Wonder Video Capture service failed to start due to the following error: The system cannot find the file specified.
2/24/2011 9:04:54 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
2/24/2011 2:41:59 PM, error: TermDD [50] - The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
2/22/2011 6:00:59 AM, error: sptd [4] - Driver detected an internal error in its data structures for .
2/21/2011 4:26:00 PM, error: TermServDevices [1111] - Driver hp LaserJet 3015 PCL 6 required for printer !!FRONTDESK!hp LaserJet 3015 PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
2/21/2011 4:25:58 PM, error: TermServDevices [1111] - Driver HP Designjet 500PS 24 by HP required for printer HP 500 is unknown. Contact the administrator to install the driver before you log in again.
2/21/2011 4:25:58 PM, error: TermServDevices [1111] - Driver Canon MF5700 Series (FAX) required for printer FAX (Canon) is unknown. Contact the administrator to install the driver before you log in again.
2/21/2011 4:25:50 PM, error: TermServDevices [1111] - Driver Canon MF5700 Series required for printer Canon Laser is unknown. Contact the administrator to install the driver before you log in again.
==== End Of File ===========================