Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Redirected in search engine


Re: Redirected in search engine

Post by Cypher » March 6th, 2010, 3:08 pm

Hi Diane.
Sorry for the confusion.
Just double-click the erunt-setup icon on your desktop.
Keep selecting Next, then select Install when it comes up.
It will then say "Create ERUNT entry in the Startup folder"; answer No.
Then just follow the prompts to create the backup.
Cypher
Admin/Teacher
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Redirected in search engine

Post by barryndiane » March 6th, 2010, 4:27 pm

OK, here's the log from ComboFix. My computer seems to be moving a little faster; however, it always does right after it is rebooted. It is still redirecting in Google.

ComboFix 10-03-06.01 - Owner 03/06/2010 14:04:18.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.607.333 [GMT -6:00]
Running from: C:\cypher.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Personal Firewall *disabled* {E641AC2D-955F-4A05-ABE7-F9C534ABDB46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\confin.sys
c:\documents and settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
c:\documents and settings\Owner\Application Data\SystemProc
c:\documents and settings\Owner\Start Menu\Internet Security 2010.lnk
c:\program files\InternetSecurity2010
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\program files\MySearch
c:\program files\MySearch\bar\1.bin\S4BAR.DLL
c:\program files\MySearch\bar\1.bin\S4UNSETP.HTA
c:\program files\MySearch\bar\1.bin\UNINSTALL.INF
c:\program files\NavExcel
c:\program files\NavExcel\NavHelper\v2.0.4d\NHelper.htm
c:\program files\screensavers.com
c:\program files\screensavers.com\Installer\bin\siuninst.exe
C:\s
c:\windows\Downloaded Program Files\poPCaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\EventSystem.log
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\13122762541.dll
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\153.exe
c:\windows\system32\17421.exe
c:\windows\system32\18467.exe
c:\windows\system32\18716.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\21238.exe
c:\windows\system32\21726.exe
c:\windows\system32\2437.exe
c:\windows\system32\292.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\38.exe
c:\windows\system32\3902.exe
c:\windows\system32\41.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\6334.exe
c:\windows\system32\7719.exe
c:\windows\system32\8855.exe
c:\windows\system32\9961.exe
c:\windows\system32\config\45169978.Evt
c:\windows\system32\helper32.dll
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\ps2.bat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_asc3550p


((((((((((((((((((((((((( Files Created from 2010-02-06 to 2010-03-06 )))))))))))))))))))))))))))))))
.

2010-03-06 19:47 . 2010-03-06 19:47 4121277 ----a-r- C:\cypher.exe
2010-03-06 19:41 . 2010-03-06 19:43 -------- d-----w- c:\program files\ERUNT
2010-03-05 20:09 . 2010-03-05 20:10 1137360 ----a-w- C:\fsbl.exe
2010-03-02 21:38 . 2010-03-02 21:40 -------- d-----w- C:\rsit
2010-02-24 21:47 . 2010-02-24 21:47 -------- d-----w- c:\program files\Trend Micro
2010-02-24 16:20 . 2010-02-26 18:35 -------- d-----w- c:\program files\Total PC Defender
2010-02-23 22:48 . 2010-02-23 22:48 44784 ----a-w- c:\documents and settings\barryndiane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 22:44 . 2010-02-23 22:44 -------- d-sh--w- c:\documents and settings\barryndiane\IECompatCache
2010-02-23 22:43 . 2010-02-23 22:43 -------- d-sh--w- c:\documents and settings\barryndiane\PrivacIE
2010-02-15 22:46 . 2003-11-24 21:20 0 ---ha-w- c:\documents and settings\Guest\hpothb07.dat
2010-02-15 19:31 . 2009-11-25 19:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-02-15 19:07 . 2010-02-15 19:11 -------- d-----w- C:\$AVG
2010-02-15 19:06 . 2010-02-15 19:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-15 19:06 . 2010-02-15 19:06 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-15 19:06 . 2010-02-15 19:06 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-15 19:06 . 2010-02-15 19:06 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-15 19:06 . 2010-03-06 14:37 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-15 19:06 . 2010-02-15 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-15 19:05 . 2010-02-15 19:05 -------- d-----w- c:\program files\AVG
2010-02-15 19:05 . 2010-02-15 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-14 02:40 . 2010-02-15 18:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-14 02:40 . 2010-02-14 02:40 -------- d-----w- c:\program files\Hard Disk Tune-Up
2010-02-14 00:44 . 2010-02-14 02:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Sammsoft
2010-02-14 00:44 . 2010-02-14 00:45 -------- d-----w- c:\program files\MemTurbo 4
2010-02-14 00:44 . 2010-02-14 01:46 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-02-13 23:57 . 2010-02-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-13 01:41 . 2010-02-13 01:41 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 23:33 . 2003-11-25 00:14 984 -c--a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\mmap.bat
2010-02-23 23:33 . 2003-11-25 00:14 413696 -c--a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motkt.dll
2010-02-23 23:33 . 2003-11-25 00:14 311296 -c--a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motivede.dll
2010-02-23 22:19 . 2009-11-19 02:27 -------- d-----w- c:\program files\McAfee Security Scan
2010-02-15 18:23 . 2003-08-25 15:01 44784 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-15 18:23 . 2003-04-10 10:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-14 00:01 . 2003-04-10 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-13 01:21 . 2004-08-21 00:19 -------- d-----w- c:\documents and settings\Owner\Application Data\WeatherBug
2010-01-08 18:08 . 2009-11-30 14:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-16 18:19 . 2009-12-16 18:19 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2005-07-09 22:22 . 2005-07-09 22:22 774144 -c--a-w- c:\program files\RngInterstitial.dll
2003-09-08 13:47 . 2003-09-08 13:47 32 -csha-w- c:\windows\{A217E0A5-7FF5-46B6-914D-92B83D14BDDA}.dat
2005-01-08 09:00 . 2005-01-08 09:00 56 -csh--r- c:\windows\system32\C70B12D71A.sys
2005-01-08 09:00 . 2005-01-08 09:00 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
2003-09-08 13:47 . 2003-09-08 13:47 32 -csha-w- c:\windows\system32\{CD0490BD-D74F-4446-82D9-0E27308FDBD8}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-07-30 1593344]
"TeamOnPwpUpdater-TMPwpCli"="c:\program files\TMobile\PwpUpdtr.exe" [2003-10-06 81920]
"PromptCast"="c:\program files\PromptCast\PromptCast.exe" [2004-05-04 221184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Drempels Desktop.lnk - c:\windows\drempels.exe [2001-4-6 196608]
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2010-2-13 3121760]
PowerReg SchedulerV2.exe [2003-8-27 256000]
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-4-10 552960]
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-6-20 24651]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-4-10 16384]
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2003-8-23 73728]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-12-11 2322432]
QuickBooks 2002 Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2003-11-27 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-15 19:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/15/2010 1:06 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/15/2010 1:06 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2/15/2010 1:05 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/15/2010 1:05 PM 285392]
R2 ccPxySvc;Symantec Proxy Service;c:\program files\Norton Personal Firewall\CCPXYSVC.EXE [9/8/2003 1:49 PM 34040]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R2 Hard Disk Tune-Up;Hard Disk Tune-Up;c:\program files\Hard Disk Tune-Up\HDTuneUpSrv.exe [2/13/2010 8:40 PM 441344]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-02-22 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2003-04-26 07:56]

2010-03-06 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 19:50]

2010-03-06 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-10 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://qus8.hpwis.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
LSP: SpSubLSP.dll
Trusted Zone: 3dcartstores.com\nwpublicsafetysupply
Trusted Zone: aol.com\free
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: craigslist.org\www
Trusted Zone: ebay.com\www
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: youtube.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {50D05FAC-D462-4795-8818-738FCF776FBC} - hxxps://myemail.t-mobile.com/html/web/c ... Client.cab
DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} - hxxp://xms.keynote.com/applications/con ... uncher.cab
DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - hxxp://www.surveys.com/promptcast/Insta ... 0SETUP.cab
DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} - hxxp://www.pulse3d.com/players/english/ ... 2AxWin.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Owner\Application Data\SystemProc\lsass.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll
AddRemove-Total PC Defender - c:\program files\Total PC Defender\Total PC Defender.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-06 14:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Owner\Application Data\SystemProc\lsass.exe???????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF8AF9C51]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf87e3fc3
\Driver\ACPI -> ACPI.sys @ 0xf8756cb8
\Driver\atapi -> atapi.sys @ 0xf870e7b4
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Linksys NC100 Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf85e2af9
PacketIndicateHandler -> NDIS.sys @ 0xf85edb21
SendHandler -> NDIS.sys @ 0xf85e2938
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'lsass.exe'(580)
c:\windows\system32\SpSubLSP.dll

- - - - - - - > 'explorer.exe'(15424)
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Norton Personal Firewall\NISUM.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Softex\OmniPass\Omniserv.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-06 14:22:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-06 20:22

Pre-Run: 27,318,161,408 bytes free
Post-Run: 27,244,138,496 bytes free

- - End Of File - - 8249646B4598C3939EDF9AF444F4EDD5
barryndiane
Regular Member
Posts: 33
Joined: February 24th, 2010, 6:04 pm
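Added example, not part of the thread above and not a tool the helpers use: a small Python triage script that applies a few of the checks a log reader does by eye to the ComboFix output over the lines in the post. It flags numeric-named executables in system32 (the 11942.exe family under Other Deletions), a core Windows process name running from outside the Windows directory (the SystemProc\lsass.exe autostart), look-alike names such as smss32.exe, a DLL loaded from a Temp folder (IadHide4.dll inside explorer.exe) and every Trusted Zone addition, since the Trusted sites zone runs with lower Internet Explorer security settings than the Internet zone. The sample lines are copied from the posted log; the rule names, the process-name list and the path heuristics are this example's own assumptions, not ComboFix's classification, and a hit is a pointer for review, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the ComboFix log posted above (a constructed subset for the example).
SAMPLE_LOG = r"""
c:\documents and settings\Owner\Application Data\SystemProc
c:\windows\system32\11942.exe
c:\windows\system32\ctfmon.exe
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2004-07-30 1593344]
Trusted Zone: buy-is2010.com
Trusted Zone: ebay.com\www
HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
HKLM-Explorer_Run-RTHDBPL - c:\documents and settings\Owner\Application Data\SystemProc\lsass.exe
RTHDBPL = c:\documents and settings\Owner\Application Data\SystemProc\lsass.exe??????
c:\docume~1\Owner\LOCALS~1\Temp\IadHide4.dll
"""

# Core Windows processes that legitimately run only from %SystemRoot% or %SystemRoot%\system32.
# The list and the rules below are this example's own heuristics (assumption), not ComboFix's.
SYSTEM_PROCESSES = {"lsass", "smss", "csrss", "winlogon", "services", "svchost", "explorer"}
WINDOWS_DIRS = ("\\windows", "\\windows\\system32")

# A drive-letter path up to the next "[size/date]" annotation, a " --> " arrow, a quote or end of line.
WIN_PATH = re.compile(r'[a-z]:\\.+?(?=\s*(?:\[|-->|"|$))', re.IGNORECASE)
NUMERIC_BINARY = re.compile(r"^\d+\.(exe|dll)$")
TRUSTED_ZONE = re.compile(r"^Trusted Zone:\s*(\S+)", re.IGNORECASE)


def classify_path(path: str) -> list[str]:
    """Rule names that fire for one Windows path (empty list when nothing looks suspicious)."""
    p = PureWindowsPath(path)
    name, stem, parent = p.name.lower(), p.stem.lower(), str(p.parent).lower()
    hits = []
    if NUMERIC_BINARY.match(name):
        hits.append("numeric-named-binary")
    if stem in SYSTEM_PROCESSES:
        if not parent.endswith(WINDOWS_DIRS):
            hits.append("system-process-name-outside-windows-dir")
    elif name.endswith(".exe") and any(stem.startswith(s) for s in SYSTEM_PROCESSES):
        hits.append("system-process-lookalike")  # e.g. smss32.exe sitting next to the real smss.exe
    if name.endswith(".dll") and "\\temp\\" in parent + "\\":
        hits.append("dll-loaded-from-temp")
    return hits


def triage(log_text: str) -> list[tuple[str, str]]:
    """Scan ComboFix-style log lines; return (rule, evidence) pairs in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        zone = TRUSTED_ZONE.match(line)
        if zone:
            findings.append(("trusted-zone-entry", zone.group(1)))
            continue
        for match in WIN_PATH.findall(line):
            # catchme prints stray '?' characters after an oddly terminated registry value; drop them.
            path = match.strip().rstrip("?")
            for rule in classify_path(path):
                findings.append((rule, path))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print(f"{rule:42} {evidence}")
```

Run against the sample it reports seven findings and stays quiet on ctfmon.exe and Weather.exe; the Trusted Zone rule deliberately reports ebay.com as well as buy-is2010.com, because whether an entry belongs there is a question for the person reading the log, not for the script.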

Re: Redirected in search engine

Post by Cypher » March 6th, 2010, 5:01 pm

Hi Diane.
Please continue with the instructions below.


TDSSKiller
  • Please download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller folder on your desktop.
  • Right-click on tdsskiller.exe and click Copy, then Paste it directly onto your Desktop.
  • Highlight and copy the text in the code box below; do not include the word Code:
    Code:
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • A log file should be created on your desktop called tdsskiller.txt. Please post the contents of that log in your next reply.



Logs/Information to Post in your Next Reply

  • TDSSKiller log.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Redirected in search engine

Post by barryndiane » March 6th, 2010, 5:23 pm

15:13:02:015 14984 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
15:13:02:015 14984 ================================================================================
15:13:02:015 14984 SystemInfo:

15:13:02:015 14984 OS Version: 5.1.2600 ServicePack: 2.0
15:13:02:015 14984 Product type: Workstation
15:13:02:015 14984 ComputerName: BARRY
15:13:02:031 14984 UserName: Owner
15:13:02:031 14984 Windows directory: C:\WINDOWS
15:13:02:031 14984 Processor architecture: Intel x86
15:13:02:031 14984 Number of processors: 1
15:13:02:031 14984 Page size: 0x1000
15:13:02:031 14984 Boot type: Normal boot
15:13:02:031 14984 ================================================================================
15:13:02:031 14984 UnloadDriverW: NtUnloadDriver error 2
15:13:02:031 14984 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:13:02:109 14984 Initialize success
15:13:02:109 14984
15:13:02:109 14984 Scanning Services ...
15:13:02:109 14984 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:13:02:109 14984 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:13:02:109 14984 wfopen_ex: Trying to KLMD file open
15:13:02:109 14984 wfopen_ex: File opened ok (Flags 2)
15:13:02:109 14984 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:13:02:125 14984 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:13:02:125 14984 wfopen_ex: Trying to KLMD file open
15:13:02:125 14984 wfopen_ex: File opened ok (Flags 2)
15:13:02:718 14984 GetAdvancedServicesInfo: Raw services enum returned 330 services
15:13:02:718 14984 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:13:02:718 14984 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:13:02:718 14984
15:13:02:718 14984 Scanning Kernel memory ...
15:13:02:718 14984 Devices to scan: 3
15:13:02:718 14984
15:13:02:718 14984 Driver Name: Disk
15:13:02:718 14984 IRP_MJ_CREATE : F87E5C30
15:13:02:718 14984 IRP_MJ_CREATE_NAMED_PIPE : 804FCAB1
15:13:02:718 14984 IRP_MJ_CLOSE : F87E5C30
15:13:02:718 14984 IRP_MJ_READ : F87DFD9B
15:13:02:718 14984 IRP_MJ_WRITE : F87DFD9B
15:13:02:718 14984 IRP_MJ_QUERY_INFORMATION : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_INFORMATION : 804FCAB1
15:13:02:718 14984 IRP_MJ_QUERY_EA : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_EA : 804FCAB1
15:13:02:718 14984 IRP_MJ_FLUSH_BUFFERS : F87E0366
15:13:02:718 14984 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_VOLUME_INFORMATION : 804FCAB1
15:13:02:718 14984 IRP_MJ_DIRECTORY_CONTROL : 804FCAB1
15:13:02:718 14984 IRP_MJ_FILE_SYSTEM_CONTROL : 804FCAB1
15:13:02:718 14984 IRP_MJ_DEVICE_CONTROL : F87E044D
15:13:02:718 14984 IRP_MJ_INTERNAL_DEVICE_CONTROL : F87E3FC3
15:13:02:718 14984 IRP_MJ_SHUTDOWN : F87E0366
15:13:02:718 14984 IRP_MJ_LOCK_CONTROL : 804FCAB1
15:13:02:718 14984 IRP_MJ_CLEANUP : 804FCAB1
15:13:02:718 14984 IRP_MJ_CREATE_MAILSLOT : 804FCAB1
15:13:02:718 14984 IRP_MJ_QUERY_SECURITY : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_SECURITY : 804FCAB1
15:13:02:718 14984 IRP_MJ_POWER : F87E1EF3
15:13:02:718 14984 IRP_MJ_SYSTEM_CONTROL : F87E6A24
15:13:02:718 14984 IRP_MJ_DEVICE_CHANGE : 804FCAB1
15:13:02:718 14984 IRP_MJ_QUERY_QUOTA : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_QUOTA : 804FCAB1
15:13:02:718 14984 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:13:02:718 14984 sion
15:13:02:718 14984 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:13:02:718 14984
15:13:02:718 14984 Driver Name: Disk
15:13:02:718 14984 IRP_MJ_CREATE : F87E5C30
15:13:02:718 14984 IRP_MJ_CREATE_NAMED_PIPE : 804FCAB1
15:13:02:718 14984 IRP_MJ_CLOSE : F87E5C30
15:13:02:718 14984 IRP_MJ_READ : F87DFD9B
15:13:02:718 14984 IRP_MJ_WRITE : F87DFD9B
15:13:02:718 14984 IRP_MJ_QUERY_INFORMATION : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_INFORMATION : 804FCAB1
15:13:02:718 14984 IRP_MJ_QUERY_EA : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_EA : 804FCAB1
15:13:02:718 14984 IRP_MJ_FLUSH_BUFFERS : F87E0366
15:13:02:718 14984 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_VOLUME_INFORMATION : 804FCAB1
15:13:02:718 14984 IRP_MJ_DIRECTORY_CONTROL : 804FCAB1
15:13:02:718 14984 IRP_MJ_FILE_SYSTEM_CONTROL : 804FCAB1
15:13:02:718 14984 IRP_MJ_DEVICE_CONTROL : F87E044D
15:13:02:718 14984 IRP_MJ_INTERNAL_DEVICE_CONTROL : F87E3FC3
15:13:02:718 14984 IRP_MJ_SHUTDOWN : F87E0366
15:13:02:718 14984 IRP_MJ_LOCK_CONTROL : 804FCAB1
15:13:02:718 14984 IRP_MJ_CLEANUP : 804FCAB1
15:13:02:718 14984 IRP_MJ_CREATE_MAILSLOT : 804FCAB1
15:13:02:718 14984 IRP_MJ_QUERY_SECURITY : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_SECURITY : 804FCAB1
15:13:02:718 14984 IRP_MJ_POWER : F87E1EF3
15:13:02:718 14984 IRP_MJ_SYSTEM_CONTROL : F87E6A24
15:13:02:718 14984 IRP_MJ_DEVICE_CHANGE : 804FCAB1
15:13:02:718 14984 IRP_MJ_QUERY_QUOTA : 804FCAB1
15:13:02:718 14984 IRP_MJ_SET_QUOTA : 804FCAB1
15:13:02:718 14984 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:13:02:718 14984 sion
15:13:02:734 14984 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:13:02:734 14984
15:13:02:734 14984 Driver Name: atapi
15:13:02:734 14984 IRP_MJ_CREATE : F8712572
15:13:02:734 14984 IRP_MJ_CREATE_NAMED_PIPE : 804FCAB1
15:13:02:734 14984 IRP_MJ_CLOSE : F8712572
15:13:02:734 14984 IRP_MJ_READ : 804FCAB1
15:13:02:734 14984 IRP_MJ_WRITE : 804FCAB1
15:13:02:734 14984 IRP_MJ_QUERY_INFORMATION : 804FCAB1
15:13:02:734 14984 IRP_MJ_SET_INFORMATION : 804FCAB1
15:13:02:734 14984 IRP_MJ_QUERY_EA : 804FCAB1
15:13:02:734 14984 IRP_MJ_SET_EA : 804FCAB1
15:13:02:734 14984 IRP_MJ_FLUSH_BUFFERS : 804FCAB1
15:13:02:734 14984 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FCAB1
15:13:02:734 14984 IRP_MJ_SET_VOLUME_INFORMATION : 804FCAB1
15:13:02:734 14984 IRP_MJ_DIRECTORY_CONTROL : 804FCAB1
15:13:02:734 14984 IRP_MJ_FILE_SYSTEM_CONTROL : 804FCAB1
15:13:02:734 14984 IRP_MJ_DEVICE_CONTROL : F8712592
15:13:02:734 14984 IRP_MJ_INTERNAL_DEVICE_CONTROL : F870E7B4
15:13:02:734 14984 IRP_MJ_SHUTDOWN : 804FCAB1
15:13:02:734 14984 IRP_MJ_LOCK_CONTROL : 804FCAB1
15:13:02:734 14984 IRP_MJ_CLEANUP : 804FCAB1
15:13:02:734 14984 IRP_MJ_CREATE_MAILSLOT : 804FCAB1
15:13:02:734 14984 IRP_MJ_QUERY_SECURITY : 804FCAB1
15:13:02:734 14984 IRP_MJ_SET_SECURITY : 804FCAB1
15:13:02:734 14984 IRP_MJ_POWER : F87125BC
15:13:02:734 14984 IRP_MJ_SYSTEM_CONTROL : F8719164
15:13:02:734 14984 IRP_MJ_DEVICE_CHANGE : 804FCAB1
15:13:02:734 14984 IRP_MJ_QUERY_QUOTA : 804FCAB1
15:13:02:734 14984 IRP_MJ_SET_QUOTA : 804FCAB1
15:13:02:734 14984 siohd: 0
15:13:02:734 14984 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
15:13:02:734 14984
15:13:02:734 14984 Completed
15:13:02:734 14984
15:13:02:734 14984 Results:
15:13:02:734 14984 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
15:13:02:734 14984 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:13:02:734 14984 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:13:02:734 14984
15:13:02:734 14984 KLMD(ARK) unloaded successfully
barryndiane
Regular Member
Posts: 33
Joined: February 24th, 2010, 6:04 pm
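Added example, not part of the thread: the TDSSKiller output above dumps each storage driver's IRP dispatch table (the IRP_MJ_* handler addresses). A dispatch entry that points outside the driver's own image is the classic sign of a hooked table, the kind of check an anti-rootkit tool makes before printing Verdict: Clean (TDSSKiller also inspects the StartIo routine, the TDL3_StartIoLastChanceHookDetect line, which is not part of the dumped table). The Python below parses those lines and approximates the check without the image ranges the tool has: the one address shared by every table is treated as the kernel's common stub for IRPs a driver does not implement, and each driver's remaining handlers are expected to cluster within an assumed 1 MiB window; anything farther than that from the cluster median is reported. The clean sample is a subset of the posted log; the hooked sample and the address 8A3F1234 are constructed for the example, and the window size is an assumption.

```python
import re
from collections import Counter
from typing import Optional

# Subset of the TDSSKiller output posted above (timestamp and PID prefix kept as printed).
CLEAN_LOG = """\
15:13:02:718 14984 Driver Name: Disk
15:13:02:718 14984 IRP_MJ_CREATE : F87E5C30
15:13:02:718 14984 IRP_MJ_CREATE_NAMED_PIPE : 804FCAB1
15:13:02:718 14984 IRP_MJ_READ : F87DFD9B
15:13:02:718 14984 IRP_MJ_WRITE : F87DFD9B
15:13:02:718 14984 IRP_MJ_DEVICE_CONTROL : F87E044D
15:13:02:718 14984 IRP_MJ_INTERNAL_DEVICE_CONTROL : F87E3FC3
15:13:02:718 14984 IRP_MJ_SET_QUOTA : 804FCAB1
15:13:02:718 14984 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean
15:13:02:734 14984 Driver Name: atapi
15:13:02:734 14984 IRP_MJ_CREATE : F8712572
15:13:02:734 14984 IRP_MJ_CLOSE : F8712572
15:13:02:734 14984 IRP_MJ_READ : 804FCAB1
15:13:02:734 14984 IRP_MJ_DEVICE_CONTROL : F8712592
15:13:02:734 14984 IRP_MJ_INTERNAL_DEVICE_CONTROL : F870E7B4
15:13:02:734 14984 IRP_MJ_POWER : F87125BC
15:13:02:734 14984 IRP_MJ_SYSTEM_CONTROL : F8719164
15:13:02:734 14984 IRP_MJ_SET_QUOTA : 804FCAB1
15:13:02:734 14984 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Clean
"""

# Constructed negative case: the same atapi table with one entry redirected to an address far
# from the rest of the driver. The value 8A3F1234 is made up for this example.
HOOKED_LOG = CLEAN_LOG.replace(
    "IRP_MJ_INTERNAL_DEVICE_CONTROL : F870E7B4",
    "IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A3F1234",
)

DRIVER_RE = re.compile(r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})")

# Assumed upper bound on how far apart two handlers inside one storage driver's image can lie.
CLUSTER_WINDOW = 0x100000  # 1 MiB


def parse_tables(log_text: str) -> list[tuple[str, dict[str, int]]]:
    """Collect [(driver, {IRP_MJ_name: handler address}), ...] in the order the log prints them."""
    tables: list[tuple[str, dict[str, int]]] = []
    for line in log_text.splitlines():
        drv = DRIVER_RE.search(line)
        if drv:
            tables.append((drv.group(1), {}))
            continue
        irp = IRP_RE.search(line)
        if irp and tables:
            tables[-1][1][irp.group(1)] = int(irp.group(2), 16)
    return tables


def shared_default(tables) -> Optional[int]:
    """Handler address present in every table: the kernel's stub for IRPs a driver does not implement."""
    per_table = [set(t.values()) for _, t in tables]
    common = set.intersection(*per_table) if per_table else set()
    if not common:
        return None
    usage = Counter(a for _, t in tables for a in t.values())
    return max(common, key=lambda a: usage[a])


def find_outliers(tables, window: int = CLUSTER_WINDOW) -> list[tuple[str, str, str]]:
    """Report (driver, IRP_MJ_name, address) for handlers far from the driver's own code cluster."""
    default = shared_default(tables)
    findings = []
    for driver, table in tables:
        own = {irp: a for irp, a in table.items() if a != default}
        if not own:
            continue
        addrs = sorted(own.values())
        median = addrs[len(addrs) // 2]  # robust anchor: a single hooked entry cannot drag it away
        for irp, addr in own.items():
            if abs(addr - median) > window:
                findings.append((driver, irp, f"{addr:08X}"))
    return findings


if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("hooked", HOOKED_LOG)):
        print(label, find_outliers(parse_tables(log)) or "no dispatch outliers")
```

On the posted tables the only shared address is 804FCAB1 and nothing is reported; on the constructed table the redirected IRP_MJ_INTERNAL_DEVICE_CONTROL entry is the single finding. Keep in mind what this cannot see: a hook that lives inside the driver's own image (a patched function body, or a StartIo hook) leaves the dispatch addresses untouched, which is exactly why TDSSKiller carries the separate StartIo check.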

Re: Redirected in search engine

Post by Cypher » March 7th, 2010, 7:15 am

Hi Diane.
There are a few things to do here; just take your time and you will be fine :)

Add/Remove programs
  • Click on Start
  • Then Run
  • In the Open text entry box, please copy/paste appwiz.cpl, then press Enter.
  • Press the "Remove" or "Change/Remove" button to uninstall the following:
WeatherBug
WildTangent Web Driver


Next.

Disable AVG9

  • Open AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.
  • Note: Don't forget to re-enable it after the fix.

Next.

ComboFix - CFScript
This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
  1. Please open Notepad and copy/paste all the text below... into the window:
    Code:
    Folder::
    c:\program files\Total PC Defender
    c:\documents and settings\Owner\Application Data\WeatherBug
    c:\program files\AWS
    C:\Program Files\Ares
    
    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "RTHDBPL"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Weather"=-
    "ares"=-
    "smss32.exe"=-
    "Internet Security 2010"=-
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\Program Files\Ares\Ares.exe"=-
    
    
    
  2. Save it to your desktop as CFScript.txt
  3. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
    *Only* when the 2 items above (Step 3) have been taken care of...
  4. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
    [image: the CFScript.txt icon being dragged onto the ComboFix.exe icon]
    This will cause ComboFix to run again.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
    Do Not touch your computer when ComboFix is running!
  5. When finished ComboFix will create a log file... you can save this file to a convenient place.
Please copy/paste the ComboFix log file in your next reply.

Next.

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Next.

Re-run - RSIT (Random's System Information Tool)

You should still have this program on your desktop.
  • Double click on RSIT.exe to run it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done... ONLY the "C:\RSIT\log.txt"...will be reproduced. (it will be maximized)
  • Please post ONLY the "log.txt", file contents in your next reply.
    (This log can be lengthy, so a separate post may be needed.)


Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Malwarebytes log.
  • RSIT log.txt.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Redirected in search engine

Post by barryndiane » March 7th, 2010, 2:45 pm

ComboFix 10-03-06.08 - Owner 03/07/2010 12:09:15.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.607.344 [GMT -6:00]
Running from: C:\cypher.exe
Command switches used :: C:\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Personal Firewall *disabled* {E641AC2D-955F-4A05-ABE7-F9C534ABDB46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\WeatherBug
c:\documents and settings\Owner\Application Data\WeatherBug\102x96_Allergy-09.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96_ColdFlu_Haiti.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96_ColdFlu_SnowSki_Plus.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96_Disney_2.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96_Disney_3.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96_NWF.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96_Unicef2.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96AchieveTile.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96BlowoutSale.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96BlowoutSalev2.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96FOG_Lightning.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96FreeTrial.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96IvanTeam.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96Ryan.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96UniqueGift.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96uniquegifts.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96vidgallery.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96vidgallery2.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless10.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless12.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless13.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless18.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless20.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless21.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless22.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless24.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless27.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless4.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless5.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless6.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless8.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\102x96wireless9.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\2009_Fall_SMS_DefaultWrap_Bubble_APPROVED.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\2009_Fall_SMS_DefaultWrap_Bubble_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\2009_Thanksgiving.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\2009_Thanksgiving_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\528b.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_blueyellow.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_blueyellow_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_blueyellow_nav.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_blueyellow_nav_traffic.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_APPROVED.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_cherryb_approved.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_cherryb_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_mobile.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_mobile_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_Mobile_MASK_bubble.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_MobileAPPROVED.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_plus.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_PLUS_AP_Holiday.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_plus_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_PLUS_MASK_Holiday.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_pws.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_pws_mask_new.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_spring2.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_spring2_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_valAPPROVED.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_valMASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_winter_PLUS.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_brandwrap_winter_Plus_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_Default_Spring_Mobile_BG_0506.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_Default_Spring_Mobile_MASK_0506.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_default_winter_0106_Background.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_default_winter_0106_bg_updated.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_default_winter_0106_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_fall_mobile1_new.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_fall_mobile2_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_fallbrandwrap_mobile1.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_fallbrandwrap_mobile2B.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_fallbrandwrap_plus.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_fallbrandwrap_plus_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_Fixed_BRWP_valMASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_FixedBRWP_valAPPROVED.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_Generic_Forecast_BG_0206.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_Generic_Forecast_MASK_0206.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_Generic_Photo_Approved.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_Generic_Photo_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_Generic_Sun_0306_Final.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_Generic_Sun_0306_Final.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_Generic2005_Final.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_Generic2005_Final.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_GenericRadarMaps_Final.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_GenericRadarMaps_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_GroundhogDay_2010.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_GroundhogDay_2010_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_nav_dark_round_1105.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_nav_light_round_0206.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_nav_light_square_0206.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_Shamrock-mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60_Shamrock.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_Share_alert_tab2.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60_Share_alert_tab2_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\603a.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\605_NewDefault-maskl.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\605_NewDefault.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60brandwrap.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60brandwrap_plus.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Default-mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Default.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60fall_mobiletile.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Mktg-Enterprise-mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Mktg-Enterprise.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60nav_dark_round.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60nav_Generic2005.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60nav_Generic2005_1.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60nav_light_square.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60nav_light_square1.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-AmexUP-SP-mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-AmexUP-SP.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Bose.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Bose_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Campbells-mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Campbells.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Castrol-mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Castrol.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Catepillar_maskNew.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-CatepillarNew.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Nexium6-mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Nexium6.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Suzuki_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Suzuki_shell.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Wyndham-mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales-Wyndham.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60sales_ESUVEE_approved.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60sales_ESUVEE_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales_historychannel_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales_historychannel_shell.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales_monopoly_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales_monopoly_shell.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales_Strattera_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\60Sales_Strattera_shell.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Chamberlain.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Chamberlain_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\Default_NationalTile_Tip.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\disney_wrap.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\disney_wrap_background.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\Fall_DefaultWrap_Bubble_APPROVED_1109.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Fall_DefaultWrap_Bubble_APPROVED_1209.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Fall_DefaultWrap_Bubble_MASK_1109.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\Fall_DefaultWrap_Bubble_MASK_1209.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\Free_topnav_sqr_WxStore.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Free_topnav_WxStore.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\GoldTopNav_Wireless_Round.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\GoldTopNav_Wireless_sq.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Holiday0110.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Holiday0110_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\Holiday2009.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Holiday2009_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\HurricaneRelief.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\katrina.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\KatrinaRelief.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\leftnav_605Generic.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\LocalWeather.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\LocalWeather_Mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\MasterCard_APPROVED.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\MasterCard_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\nav_07182007.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\nav_alt2.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\nav_Generic_Forecast_0206.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\nav_Generic_Photos_0206.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\nav_Generic_Radar_0206.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\nav_Generic2005_0106.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\nav_Generic2006.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\nav_square.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\nav_square_traffic.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\nav_square2.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\newkatrina.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\NewYears2010_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\NewYears2010_v3.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\NWS_102x96_2.jpeg
c:\documents and settings\Owner\Application Data\WeatherBug\pwstile.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\rita.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Robitussin.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Robitussin_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\SponsorFreeTrial.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\SponsorTile28b.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\sponsortile34.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\SponsorTile37.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\SponsorTile38.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\SponsorTile39.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\SponsorTile40.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\SponsorTile42.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\SurveyAIMTile.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Takeda_APPROVED.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Takeda_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\team102x96.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_605Generic.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_Business.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\TopNav_Free_Round_Green.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\TopNav_Free_Sq_Green.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_Generic2005.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_Generic2005_121505.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_round.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_round_121505.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_square_121505.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_stations_generic.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_stations_round.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\topnav_stations_square.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\TopNav_Wireless_round.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\TopNav_Wireless_square.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\ValentinesDay0210.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Video21_60_nav_dark_square.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Video21_nav_Generic2005.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\visaNFL.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\visaNFL_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\Walgreens.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Walgreens_mask.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\wilma.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Winter0110_Approved.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Winter0110_MASK.bmp
c:\documents and settings\Owner\Application Data\WeatherBug\Winter0210_Approved.jpg
c:\documents and settings\Owner\Application Data\WeatherBug\Winter0210_MASK.bmp
c:\program files\Ares
c:\program files\Ares\My Shared Folder\09-kelis-milkshake-rbg.mp3
c:\program files\AWS
c:\program files\Total PC Defender

.
((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-06 21:08 . 2010-03-06 21:08 -------- d-----w- C:\tdsskiller
2010-03-06 21:07 . 2010-03-06 21:07 154657 ----a-w- C:\tdsskiller.zip
2010-03-06 19:47 . 2010-03-07 17:59 4122037 ----a-r- C:\cypher.exe
2010-03-06 19:41 . 2010-03-06 19:43 -------- d-----w- c:\program files\ERUNT
2010-03-05 20:09 . 2010-03-05 20:10 1137360 ----a-w- C:\fsbl.exe
2010-03-02 21:38 . 2010-03-02 21:40 -------- d-----w- C:\rsit
2010-02-24 21:47 . 2010-02-24 21:47 -------- d-----w- c:\program files\Trend Micro
2010-02-23 22:48 . 2010-02-23 22:48 44784 ----a-w- c:\documents and settings\barryndiane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 22:44 . 2010-02-23 22:44 -------- d-sh--w- c:\documents and settings\barryndiane\IECompatCache
2010-02-23 22:43 . 2010-02-23 22:43 -------- d-sh--w- c:\documents and settings\barryndiane\PrivacIE
2010-02-15 22:46 . 2003-11-24 21:20 0 ---ha-w- c:\documents and settings\Guest\hpothb07.dat
2010-02-15 19:31 . 2009-11-25 19:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-02-15 19:07 . 2010-02-15 19:11 -------- d-----w- C:\$AVG
2010-02-15 19:06 . 2010-02-15 19:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-15 19:06 . 2010-02-15 19:06 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-15 19:06 . 2010-02-15 19:06 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-15 19:06 . 2010-02-15 19:06 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-15 19:06 . 2010-03-07 14:49 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-15 19:06 . 2010-02-15 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-15 19:05 . 2010-02-15 19:05 -------- d-----w- c:\program files\AVG
2010-02-15 19:05 . 2010-02-15 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-14 02:40 . 2010-02-15 18:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-14 02:40 . 2010-02-14 02:40 -------- d-----w- c:\program files\Hard Disk Tune-Up
2010-02-14 00:44 . 2010-02-14 02:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Sammsoft
2010-02-14 00:44 . 2010-02-14 00:45 -------- d-----w- c:\program files\MemTurbo 4
2010-02-14 00:44 . 2010-02-14 01:46 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-02-13 23:57 . 2010-02-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-13 01:41 . 2010-02-13 01:41 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 17:52 . 2003-04-10 10:53 -------- d-----w- c:\program files\WildTangent
2010-02-23 23:33 . 2003-11-25 00:14 984 -c--a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\mmap.bat
2010-02-23 23:33 . 2003-11-25 00:14 413696 -c--a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motkt.dll
2010-02-23 23:33 . 2003-11-25 00:14 311296 -c--a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motivede.dll
2010-02-23 22:19 . 2009-11-19 02:27 -------- d-----w- c:\program files\McAfee Security Scan
2010-02-15 18:23 . 2003-08-25 15:01 44784 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-15 18:23 . 2003-04-10 10:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-14 00:01 . 2003-04-10 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-08 18:08 . 2009-11-30 14:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-16 18:19 . 2009-12-16 18:19 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2005-07-09 22:22 . 2005-07-09 22:22 774144 -c--a-w- c:\program files\RngInterstitial.dll
2003-09-08 13:47 . 2003-09-08 13:47 32 -csha-w- c:\windows\{A217E0A5-7FF5-46B6-914D-92B83D14BDDA}.dat
2005-01-08 09:00 . 2005-01-08 09:00 56 -csh--r- c:\windows\system32\C70B12D71A.sys
2005-01-08 09:00 . 2005-01-08 09:00 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
2003-09-08 13:47 . 2003-09-08 13:47 32 -csha-w- c:\windows\system32\{CD0490BD-D74F-4446-82D9-0E27308FDBD8}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TeamOnPwpUpdater-TMPwpCli"="c:\program files\TMobile\PwpUpdtr.exe" [2003-10-06 81920]
"PromptCast"="c:\program files\PromptCast\PromptCast.exe" [2004-05-04 221184]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Drempels Desktop.lnk - c:\windows\drempels.exe [2001-4-6 196608]
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2010-2-13 3121760]
PowerReg SchedulerV2.exe [2003-8-27 256000]
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-4-10 552960]
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-6-20 24651]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-4-10 16384]
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2003-8-23 73728]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-12-11 2322432]
QuickBooks 2002 Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2003-11-27 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-15 19:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/15/2010 1:06 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/15/2010 1:06 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2/15/2010 1:05 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/15/2010 1:05 PM 285392]
R2 ccPxySvc;Symantec Proxy Service;c:\program files\Norton Personal Firewall\CCPXYSVC.EXE [9/8/2003 1:49 PM 34040]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R2 Hard Disk Tune-Up;Hard Disk Tune-Up;c:\program files\Hard Disk Tune-Up\HDTuneUpSrv.exe [2/13/2010 8:40 PM 441344]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-07 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2003-04-26 07:56]

2010-03-07 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 19:50]

2010-03-07 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-10 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://qus8.hpwis.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
LSP: SpSubLSP.dll
Trusted Zone: 3dcartstores.com\nwpublicsafetysupply
Trusted Zone: aol.com\free
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: craigslist.org\www
Trusted Zone: ebay.com\www
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: youtube.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {50D05FAC-D462-4795-8818-738FCF776FBC} - hxxps://myemail.t-mobile.com/html/web/c ... Client.cab
DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} - hxxp://xms.keynote.com/applications/con ... uncher.cab
DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - hxxp://www.surveys.com/promptcast/Insta ... 0SETUP.cab
DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} - hxxp://www.pulse3d.com/players/english/ ... 2AxWin.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 12:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0xF8AD1C51]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf87e3fc3
\Driver\ACPI -> ACPI.sys @ 0xf8756cb8
\Driver\atapi -> atapi.sys @ 0xf870e7b4
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Linksys NC100 Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf85e2af9
PacketIndicateHandler -> NDIS.sys @ 0xf85edb21
SendHandler -> NDIS.sys @ 0xf85e2938
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'lsass.exe'(576)
c:\windows\system32\SpSubLSP.dll
.
Completion time: 2010-03-07 12:18:10
ComboFix-quarantined-files.txt 2010-03-07 18:18
ComboFix2.txt 2010-03-06 20:22

Pre-Run: 27,215,802,368 bytes free
Post-Run: 27,219,750,912 bytes free

- - End Of File - - 650965164A60380E2801F70FBB61D51B
barryndiane
Regular Member
 
Posts: 33
Joined: February 24th, 2010, 6:04 pm

Re: Redirected in search engine

Post by barryndiane » March 7th, 2010, 2:54 pm

Malwarebytes' Anti-Malware 1.44
Database version: 3833
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/7/2010 12:32:12 PM
mbam-log-2010-03-07 (12-32-12).txt

Scan type: Quick Scan
Objects scanned: 132789
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{014da6c4-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6c6-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6ca-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{014da6cc-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{014da6c0-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MySearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-is2010.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is10-soft-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-Internetsecurity10.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Total PC Defender.lnk (Rogue.TotalPCDefender) -> Quarantined and deleted successfully.
barryndiane
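The "Hijack.TrustedZone" lines in the MBAM log above and the "Trusted Zone:" lines in the ComboFix Supplementary Scan are two views of the same registry data: Internet Explorer's ZoneMap\Domains keys under HKCU\...\Internet Settings. The number MBAM reports as "Bad: (2)" is the IE zone ID for Trusted Sites and "Good: (4)" is Restricted Sites, so each of those lines records a rogue-AV download domain that had been promoted into the Trusted zone and was demoted. The script below is an added example for this thread, not code from the forum, from Malwarebytes' Anti-Malware or from ComboFix. It parses both log formats into hostnames, decodes the zone IDs, and flags any Trusted Sites entry whose owner domain is not on a reviewer-supplied allowlist. The two log excerpts are constructed from lines visible in the posts, and the allowlist plus the two-label "registrable domain" shortcut are assumptions for illustration (a real triage tool would consult the Public Suffix List).

```python
"""Triage Internet Explorer ZoneMap ("Trusted Zone") entries from MBAM and
ComboFix logs.

Added example for this thread; it is not part of the forum posts, of
Malwarebytes' Anti-Malware or of ComboFix.  The two sample excerpts are
constructed from lines visible in the posted logs.  The allowlist and the
two-label "registrable domain" shortcut are assumptions for illustration.
"""
import re

# Internet Explorer URL security zone IDs, as stored in the values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap.
ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed excerpt of an MBAM "Registry Data Items Infected" section.
MBAM_SAMPLE = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\buy-is2010.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is10-soft-download.com\http (Hijack.TrustedZone) -> Bad: (2) Good: (4) -> Quarantined and deleted successfully.
"""

# Constructed excerpt of a ComboFix "Supplementary Scan" section.  ComboFix
# prints the registry layout as-is: "aol.com\free" is the key
# Domains\aol.com\free, i.e. the host free.aol.com.
COMBOFIX_SAMPLE = r"""
Trusted Zone: aol.com\free
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: ebay.com\www
Trusted Zone: is-software-download.com
"""

MBAM_ZONEMAP_RE = re.compile(
    r"ZoneMap\\Domains\\(?P<path>\S+) \((?P<detection>[^)]+)\)"
    r" -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\)"
)
COMBOFIX_TZ_RE = re.compile(r"^Trusted Zone: (?P<path>\S+)$", re.MULTILINE)


def zonemap_path_to_host(parts):
    """Registry key components ['aol.com', 'free'] -> host 'free.aol.com'."""
    return ".".join(reversed(parts))


def parse_mbam_zonemap(text):
    """Return one dict per ZoneMap data item MBAM reports with Bad/Good zones."""
    items = []
    for m in MBAM_ZONEMAP_RE.finditer(text):
        parts = m["path"].split("\\")
        # The last component is the value name (http, https or *); the rest
        # are the domain key and an optional sub-domain key.
        items.append({
            "host": zonemap_path_to_host(parts[:-1]),
            "scheme": parts[-1],
            "detection": m["detection"],
            "bad_zone": ZONE_NAMES.get(int(m["bad"]), m["bad"]),
            "good_zone": ZONE_NAMES.get(int(m["good"]), m["good"]),
        })
    return items


def parse_combofix_trusted(text):
    """Return the hosts ComboFix lists under 'Trusted Zone:' in log order."""
    return [zonemap_path_to_host(m["path"].split("\\"))
            for m in COMBOFIX_TZ_RE.finditer(text)]


def registrable_domain(host):
    """Two-label shortcut for the owner domain (assumption: no PSL lookup)."""
    return ".".join(host.lower().split(".")[-2:])


def flag_trusted(hosts, allowlist):
    """Trusted Sites hosts whose owner domain is not on the allowlist, sorted."""
    allowed = {d.lower() for d in allowlist}
    return sorted({h for h in hosts if registrable_domain(h) not in allowed})


def main():
    # Assumed allowlist: domains the machine's owner put in Trusted Sites on purpose.
    allowlist = {"aol.com", "ebay.com"}
    for item in parse_mbam_zonemap(MBAM_SAMPLE):
        print(f"MBAM: {item['host']} ({item['scheme']}) was in "
              f"{item['bad_zone']}, reset to {item['good_zone']}")
    for host in flag_trusted(parse_combofix_trusted(COMBOFIX_SAMPLE), allowlist):
        print(f"ComboFix: review Trusted Zone entry {host}")


if __name__ == "__main__":
    main()
```

Run against a full ComboFix log, the flagged list is the set of Trusted Sites entries that still need a decision; anything left in that zone after cleanup lets the listed domain run content with Trusted Sites permissions in IE, which is exactly what the rogue installers rely on.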

Re: Redirected in search engine

Post by barryndiane » March 7th, 2010, 2:55 pm

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2010-03-07 12:40:03
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 26 GB (77%) free of 34 GB
Total RAM: 607 MB (47% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:09 PM, on 3/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hard Disk Tune-Up\HDTuneUpSrv.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TMobile\PwpUpdtr.exe
C:\Program Files\PromptCast\PromptCast.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Documents and Settings\Owner\My Documents\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8.hpwis.com/
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKCU\..\Run: [TeamOnPwpUpdater-TMPwpCli] "C:\Program Files\TMobile\PwpUpdtr.exe" TMPwpCli
O4 - HKCU\..\Run: [PromptCast] C:\Program Files\PromptCast\PromptCast.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo 4\MemTurbo.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://nwpublicsafetysupply.3dcartstores.com
O15 - Trusted Zone: http://www.craigslist.org
O15 - Trusted Zone: http://www.ebay.com
O15 - Trusted Zone: http://www.youtube.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {50D05FAC-D462-4795-8818-738FCF776FBC} (TMobile PwpClient DwnLdr Class) - https://myemail.t-mobile.com/html/web/c ... Client.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3950072293
O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Keynote Connector Launcher) - http://xms.keynote.com/applications/con ... uncher.cab
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Insta ... 0SETUP.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wiz ... ctiveX.CAB
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/ ... 2AxWin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b34246.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/ph ... NPUpld.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Hard Disk Tune-Up - Sammsoft - C:\Program Files\Hard Disk Tune-Up\HDTuneUpSrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8290 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\HP Usg Login.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - &Yahoo! Companion - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll [2003-02-06 208974]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2004-12-02 696320]
{40D41A8B-D79B-43d7-99A7-9EE0F344C385} - AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll [2005-03-04 172032]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll [2009-03-13 82768]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2009-11-25 1230080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TeamOnPwpUpdater-TMPwpCli"=C:\Program Files\TMobile\PwpUpdtr.exe [2003-10-06 81920]
"PromptCast"=C:\Program Files\PromptCast\PromptCast.exe [2004-05-04 221184]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Compaq Connections.lnk - C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
Image Transfer.lnk - C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
NETGEAR WG111v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
QuickBooks 2002 Delivery Agent.lnk - C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
Drempels Desktop.lnk - C:\WINDOWS\drempels.exe
MemTurbo.lnk - C:\Program Files\MemTurbo 4\MemTurbo.exe
PowerReg SchedulerV2.exe
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-02-15 12464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-03-11 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll [2003-02-21 40960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe"="C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe:*:Disabled:BackWeb-1940576"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\Program Files\AVG\AVG9\avgemc.exe"="C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

======List of files/folders created in the last 1 months======

2010-03-07 12:24:19 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2010-03-07 12:24:13 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-07 12:24:13 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-07 12:23:20 ----A---- C:\mbam-setup.exe
2010-03-07 12:18:13 ----D---- C:\WINDOWS\temp
2010-03-07 12:18:11 ----A---- C:\ComboFix.txt
2010-03-06 15:13:02 ----A---- C:\TDSSKiller.2.2.7.1_06.03.2010_15.13.02_log.txt
2010-03-06 15:11:34 ----A---- C:\TDSSKiller.2.2.7.1_06.03.2010_15.11.34_log.txt
2010-03-06 15:10:53 ----A---- C:\TDSSKiller.2.2.7.1_06.03.2010_15.10.53_log.txt
2010-03-06 15:08:57 ----D---- C:\tdsskiller
2010-03-06 13:55:02 ----A---- C:\WINDOWS\zip.exe
2010-03-06 13:55:02 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-03-06 13:55:02 ----A---- C:\WINDOWS\SWSC.exe
2010-03-06 13:55:02 ----A---- C:\WINDOWS\SWREG.exe
2010-03-06 13:55:02 ----A---- C:\WINDOWS\sed.exe
2010-03-06 13:55:02 ----A---- C:\WINDOWS\PEV.exe
2010-03-06 13:55:02 ----A---- C:\WINDOWS\NIRCMD.exe
2010-03-06 13:55:02 ----A---- C:\WINDOWS\MBR.exe
2010-03-06 13:55:02 ----A---- C:\WINDOWS\grep.exe
2010-03-06 13:54:35 ----AD---- C:\Qoobox
2010-03-06 13:47:36 ----RA---- C:\cypher.exe
2010-03-06 13:43:46 ----D---- C:\WINDOWS\ERDNT
2010-03-06 13:41:59 ----D---- C:\Program Files\ERUNT
2010-03-05 14:09:37 ----A---- C:\fsbl.exe
2010-03-02 15:38:48 ----D---- C:\rsit
2010-02-24 15:47:08 ----D---- C:\Program Files\Trend Micro
2010-02-23 20:20:20 ----D---- C:\Program Files\Mozilla Firefox
2010-02-15 13:07:16 ----D---- C:\$AVG
2010-02-15 13:06:51 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2010-02-15 13:06:04 ----D---- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2010-02-15 13:05:34 ----D---- C:\Program Files\AVG
2010-02-15 13:05:26 ----D---- C:\Documents and Settings\All Users\Application Data\avg9
2010-02-13 20:40:41 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-02-13 20:40:30 ----D---- C:\Program Files\Hard Disk Tune-Up
2010-02-13 18:44:51 ----D---- C:\Documents and Settings\Owner\Application Data\Sammsoft
2010-02-13 18:44:41 ----D---- C:\Program Files\MemTurbo 4
2010-02-13 18:44:37 ----D---- C:\Program Files\Advanced Registry Optimizer
2010-02-13 17:57:13 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller

======List of files/folders modified in the last 1 months======

2010-03-07 12:39:56 ----D---- C:\WINDOWS\Prefetch
2010-03-07 12:36:40 ----D---- C:\WINDOWS
2010-03-07 12:36:40 ----A---- C:\WINDOWS\RTacDbg.txt
2010-03-07 12:33:20 ----D---- C:\WINDOWS\system32\drivers
2010-03-07 12:32:35 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-07 12:24:13 ----RD---- C:\Program Files
2010-03-07 12:15:59 ----A---- C:\WINDOWS\system.ini
2010-03-07 12:13:11 ----D---- C:\WINDOWS\system32
2010-03-07 12:13:11 ----D---- C:\WINDOWS\AppPatch
2010-03-07 12:13:03 ----D---- C:\Program Files\Common Files
2010-03-07 12:09:08 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-07 11:52:59 ----D---- C:\Program Files\WildTangent
2010-03-06 14:10:31 ----D---- C:\WINDOWS\system32\config
2010-03-06 14:09:23 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-03-05 23:52:42 ----D---- C:\WINDOWS\Minidump
2010-02-24 10:31:17 ----SHD---- C:\WINDOWS\Installer
2010-02-23 17:33:21 ----SHD---- C:\System Volume Information
2010-02-23 17:33:21 ----D---- C:\WINDOWS\system32\Restore
2010-02-23 17:19:43 ----D---- C:\WINDOWS\Help
2010-02-23 16:33:45 ----D---- C:\Config.Msi
2010-02-23 16:33:15 ----D---- C:\Documents and Settings
2010-02-23 16:19:30 ----D---- C:\Program Files\McAfee Security Scan
2010-02-19 17:29:35 ----D---- C:\temp
2010-02-15 13:03:03 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-02-15 13:02:53 ----D---- C:\WINDOWS\WinSxS
2010-02-15 12:52:29 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2010-02-15 12:23:18 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-02-13 18:01:52 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2010-02-13 18:01:39 ----SD---- C:\WINDOWS\Tasks
2010-02-13 17:58:50 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-02-12 19:41:17 ----D---- C:\WINDOWS\system32\wbem
2010-02-12 19:41:16 ----D---- C:\WINDOWS\Registration

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-03 37376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-02-15 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-02-15 28424]
R1 AvgTdiX;AVG Free Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-02-15 360584]
R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2003-03-06 3840]
R1 SYMTDI;SYMTDI; \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-12-16 21035]
R2 EAPPkt;Realtek EAPPkt Protocol; C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2007-10-09 38144]
R2 MASPINT;MASPINT; C:\WINDOWS\system32\drivers\MASPINT.sys [2000-03-29 8096]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\System32\DRIVERS\AN983.sys [2002-08-28 36224]
R3 Dot4 HPH11;Dot4 HPH11; C:\WINDOWS\System32\DRIVERS\hphid411.sys [2002-11-22 50896]
R3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11; C:\WINDOWS\System32\DRIVERS\hphipr11.sys [2002-11-22 16112]
R3 Dot4Storage HPH11;Storage Class Driver for IEEE-1284.4 (HPH11); C:\WINDOWS\System32\Drivers\hphs2k11.sys [2002-11-22 50276]
R3 Dot4Usb HPH11;Dot4Usb HPH11; C:\WINDOWS\System32\drivers\hphius11.sys [2002-11-22 18928]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2002-07-29 23808]
R3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2003-05-26 166912]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; \??\C:\WINDOWS\System32\Drivers\SYMREDRV.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys []
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-03-14 112288]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-03-14 78496]
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-17 391424]
S3 catchme;catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys []
S3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2005-03-07 14408]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-03-14 90395]
S3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-03-07 624369]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 PCDRDRV;Pcdr Helper Driver; \??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver; C:\WINDOWS\system32\DRIVERS\wg111v3.sys [2007-12-28 287232]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2003-02-26 260736]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SYMDNS;SYMDNS; \??\C:\WINDOWS\System32\Drivers\SYMDNS.SYS []
S3 SYMFW;SYMFW; \??\C:\WINDOWS\System32\Drivers\SYMFW.SYS []
S3 SYMIDS;SYMIDS; \??\C:\WINDOWS\System32\Drivers\SYMIDS.SYS []
S3 SYMIDSCO;SYMIDSCO; \??\C:\WINDOWS\System32\Drivers\SYMIDSCO.SYS []
S3 SYMNDIS;SYMNDIS; \??\C:\WINDOWS\System32\Drivers\SYMNDIS.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2004-08-03 5504]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2010-02-15 906520]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-02-15 285392]
R2 ccEvtMgr;Symantec Event Manager; c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2002-11-14 317128]
R2 ccPxySvc;Symantec Proxy Service; c:\Program Files\Norton Personal Firewall\ccPxySvc.exe [2003-03-03 34040]
R2 Hard Disk Tune-Up;Hard Disk Tune-Up; C:\Program Files\Hard Disk Tune-Up\HDTuneUpSrv.exe [2009-03-25 441344]
R2 NISUM;Norton Personal Firewall Accounts Manager; c:\Program Files\Norton Personal Firewall\NISUM.EXE [2003-03-03 140536]
R2 omniserv;Softex OmniPass Service; C:\Program Files\Softex\OmniPass\Omniserv.exe [2003-02-21 68704]
R2 SymWSC;SymWMI Service; C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe [2004-11-02 316544]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-22 38912]
S2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-03-03 65536]
S3 ccPwdSvc;Symantec Password Validation Service; c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2003-12-02 99352]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S3 getPlusHelper;getPlus(R) Helper; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2005-06-24 331776]
S3 Pml Driver HPH11;Pml Driver HPH11; C:\WINDOWS\System32\HPHipm11.exe [2002-11-22 77824]

-----------------EOF-----------------

Re: Redirected in search engine

Unread postby barryndiane » March 7th, 2010, 3:10 pm

Hello. I was just messing around on the computer to see how it was working. It is moving much faster. I went to google to see how the links worked. The first one went straight to the correct site. I tried again on another link and it went to "querytoday" in the url and then to some other site. But then a screen popped up saying my computer was affected with a worm warning. I know it was the site it went to, but I wanted to tell you in case I just put something else on this thing.

I also wanted to ask about weatherbug. We use it frequently and have it on our laptop also. Is it something that creates problems? Do I need to uninstall it on our laptop also? Thank you.

Re: Redirected in search engine

Unread postby Cypher » March 7th, 2010, 4:02 pm

Hi Diane.
> I tried again on another link and it went to "querytoday" in the url and then to some other site. But then a screen popped up saying my computer was affected with a worm warning.

I wasn't expecting to hear that.
> I also wanted to ask about weatherbug.

WeatherBug is a system tray icon that offers weather information and includes built-in ads. WeatherBug is controlled by AWS Convergence Technologies (weatherbugmedia.com). There is some controversy over whether WeatherBug should be targeted by anti-parasite software. AWS strongly deny their software is ‘spyware’, and by the definition used here, it is not, as it does not leak information back to its controlling servers. However, WeatherBug has in the past been silently installed by the FavoriteMan parasite and Freeze.com screensavers, and more recently has been bundled by software such as AIM and Blubster. This makes it ‘unsolicited’, and since it is installed to raise money for its creators through the built-in ads it is certainly ‘commercial’. So it does meet the definition for ‘parasite’: unsolicited commercial software. It is nonetheless listed as a borderline case because it is not overtly harmful and many people do install it deliberately. WeatherBug bundles the MySearch parasite in its standalone distribution and has in the past installed Gator and SVAPlayer.

I recommend that you choose one of these alternatives:
Weather Pulse
Weather Watcher
or
Get Mozilla Firefox and then get FORECASTFOX!!!
or check the weather at these websites:
Weather Street: US Weather
Intellicast
To uninstall WeatherBug:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight WeatherBug, click Remove.
  4. Close the Add or Remove Programs and the Control Panel windows.



c:\program files\WildTangent <<< Delete this folder.

Next.

Fix HijackThis entries

Run HijackThis

  • If you are on the Main Menu page... Click "Do a system scan only"
  • If you are on the "scan & fix stuff" page... Press the Scan...button.
  • When the scan finishes...Place a check mark next to the following entries (if they are still present)
  • Note: Only check those items listed below.
    O15 - Trusted Zone: http://nwpublicsafetysupply.3dcartstores.com
    O15 - Trusted Zone: http://www.craigslist.org
    O15 - Trusted Zone: http://www.ebay.com
    O15 - Trusted Zone: http://www.youtube.com
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe

  • After checking these items... CLOSE ALL open windows except HijackThis.
  • Click the Fix Checked ...button...to remove the entries you checked.
  • Choose YES...when prompted to fix the selected items.
  • Once it has fixed them, close HijackThis and reboot your computer normally.

Next,

Please Delete the copy of combofix you have on your desktop and download a fresh copy from Here.

Then disable AVG9 as instructed previously, double-click combofix.exe and follow the prompts for running it.


Next.


Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform Quick Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



Logs/Information to Post in your Next Reply

  • ComboFix log.
  • Malwarebytes log.
  • Please give me an update on your computers performance.
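The HijackThis fix list in the post above was chosen by hand. As an added example (my code, not HijackThis's and not something Cypher posted), here is a Python triage pass over a HijackThis log that applies the same two heuristics to every O15 and O16 line: any site placed in the Trusted Sites zone gets listed, and any DPF (Downloaded Program Files) entry whose download target is an .exe rather than a .cab, or that shows only a bare CLSID with no class name, gets listed. The sample lines are copied from the log posted earlier in this thread, including the forum's " ... " truncation of two long URLs, kept as posted. The keep set, for O15 hosts you really did add yourself, is my addition; in this thread all four O15 entries were removed.

```python
"""
Triage O15 / O16 lines in a HijackThis log.

Added example for this thread (my code, not HijackThis's).  Two heuristics:
  O15  every site in the Trusted Sites zone is listed, because nothing on a home
       PC needs that zone and hijackers add entries to it (see the
       Hijack.TrustedZone detections earlier in the thread);
  O16  a Downloaded Program Files entry is listed when its download target is an
       .exe rather than a .cab, or when it shows only a CLSID with no class name.
The `keep` set, for O15 hosts you really did add yourself, is my addition.
"""
import re

O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})"
    r"(?: \((?P<name>[^)]*)\))? - (?P<url>.+?)\s*$"
)

# Sample lines copied from the HijackThis log posted earlier in this thread.
# The " ... " inside two URLs is the forum's truncation, kept as posted.
SAMPLE_LOG = r"""O15 - Trusted Zone: http://nwpublicsafetysupply.3dcartstores.com
O15 - Trusted Zone: http://www.craigslist.org
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3950072293
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""


def host_of(url):
    """'http://www.ebay.com/x' -> 'www.ebay.com'."""
    return url.split("://", 1)[-1].split("/", 1)[0].lower()


def target_is_exe(url):
    """True when the path part of the URL ends in .exe (query/fragment ignored)."""
    path = url.split("#", 1)[0].split("?", 1)[0].strip().lower()
    return path.endswith(".exe")


def triage(log_text, keep=frozenset()):
    """Return [(section, original line, reason), ...] for lines worth fixing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = O15_RE.match(line)
        if m:
            if host_of(m.group("url")) not in keep:
                findings.append(("O15", line, "site placed in the Trusted Sites zone"))
            continue
        m = O16_RE.match(line)
        if m:
            reasons = []
            if target_is_exe(m.group("url")):
                reasons.append("download target is an .exe, not a .cab")
            if not m.group("name"):
                reasons.append("bare CLSID with no class name")
            if reasons:
                findings.append(("O16", line, "; ".join(reasons)))
    return findings


def checklist(findings):
    """The exact lines to tick in HijackThis before pressing 'Fix checked'."""
    return [line for _, line, _ in findings]


if __name__ == "__main__":
    for section, line, reason in triage(SAMPLE_LOG):
        print("%s  %s\n      -> %s" % (section, line, reason))
```

On the sample it lists both O15 lines and the unnamed akamai .exe DPF entry, and leaves the Microsoft Update and Adobe .cab controls alone, which matches the hand-picked fix list above. Paste your own log in place of SAMPLE_LOG and tick the returned lines in HijackThis; the O16 rule is a heuristic, so check the class name and download host before fixing anything it flags.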

Re: Redirected in search engine

Unread postby barryndiane » March 7th, 2010, 10:08 pm

Malwarebytes' Anti-Malware 1.44
Database version: 3833
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/7/2010 7:56:43 PM
mbam-log-2010-03-07 (19-56-43).txt

Scan type: Quick Scan
Objects scanned: 132653
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix 10-03-07.02 - Owner 03/07/2010 19:31:37.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.607.333 [GMT -6:00]
Running from: C:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Personal Firewall *disabled* {E641AC2D-955F-4A05-ABE7-F9C534ABDB46}
.

((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-08 01:21 . 2010-03-08 01:21 4122023 ----a-r- C:\ComboFix.exe
2010-03-07 18:24 . 2010-03-07 18:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-07 18:24 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-07 18:24 . 2010-03-07 18:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-07 18:24 . 2010-03-07 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-07 18:24 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 18:23 . 2010-03-07 18:23 5115832 ----a-w- C:\mbam-setup.exe
2010-03-06 21:08 . 2010-03-06 21:08 -------- d-----w- C:\tdsskiller
2010-03-06 21:07 . 2010-03-06 21:07 154657 ----a-w- C:\tdsskiller.zip
2010-03-06 19:41 . 2010-03-06 19:43 -------- d-----w- c:\program files\ERUNT
2010-03-05 20:09 . 2010-03-05 20:10 1137360 ----a-w- C:\fsbl.exe
2010-03-02 21:38 . 2010-03-02 21:40 -------- d-----w- C:\rsit
2010-02-24 21:47 . 2010-02-24 21:47 -------- d-----w- c:\program files\Trend Micro
2010-02-23 22:48 . 2010-02-23 22:48 44784 ----a-w- c:\documents and settings\barryndiane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 22:44 . 2010-02-23 22:44 -------- d-sh--w- c:\documents and settings\barryndiane\IECompatCache
2010-02-23 22:43 . 2010-02-23 22:43 -------- d-sh--w- c:\documents and settings\barryndiane\PrivacIE
2010-02-15 22:46 . 2003-11-24 21:20 0 ---ha-w- c:\documents and settings\Guest\hpothb07.dat
2010-02-15 19:31 . 2009-11-25 19:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-02-15 19:07 . 2010-02-15 19:11 -------- d-----w- C:\$AVG
2010-02-15 19:06 . 2010-02-15 19:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-15 19:06 . 2010-02-15 19:06 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-15 19:06 . 2010-02-15 19:06 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-15 19:06 . 2010-02-15 19:06 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-15 19:06 . 2010-03-08 00:23 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-15 19:06 . 2010-02-15 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-15 19:05 . 2010-02-15 19:05 -------- d-----w- c:\program files\AVG
2010-02-15 19:05 . 2010-02-15 19:05 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-14 02:40 . 2010-02-15 18:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-14 02:40 . 2010-02-14 02:40 -------- d-----w- c:\program files\Hard Disk Tune-Up
2010-02-14 00:44 . 2010-02-14 02:40 -------- d-----w- c:\documents and settings\Owner\Application Data\Sammsoft
2010-02-14 00:44 . 2010-02-14 00:45 -------- d-----w- c:\program files\MemTurbo 4
2010-02-14 00:44 . 2010-02-14 01:46 -------- d-----w- c:\program files\Advanced Registry Optimizer
2010-02-13 23:57 . 2010-02-13 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-13 01:41 . 2010-02-13 01:41 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 17:52 . 2003-04-10 10:53 -------- d-----w- c:\program files\WildTangent
2010-02-23 23:33 . 2003-11-25 00:14 984 -c--a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\mmap.bat
2010-02-23 23:33 . 2003-11-25 00:14 413696 -c--a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motkt.dll
2010-02-23 23:33 . 2003-11-25 00:14 311296 -c--a-w- c:\documents and settings\Owner\Application Data\Motive\Acme\plugin\maps\resources\deusr\bin\motivede.dll
2010-02-23 22:19 . 2009-11-19 02:27 -------- d-----w- c:\program files\McAfee Security Scan
2010-02-15 18:23 . 2003-08-25 15:01 44784 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-15 18:23 . 2003-04-10 10:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-14 00:01 . 2003-04-10 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-08 18:08 . 2009-11-30 14:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-12-16 18:19 . 2009-12-16 18:19 21035 ----a-w- c:\windows\system32\drivers\AegisP.sys
2005-07-09 22:22 . 2005-07-09 22:22 774144 -c--a-w- c:\program files\RngInterstitial.dll
2003-09-08 13:47 . 2003-09-08 13:47 32 -csha-w- c:\windows\{A217E0A5-7FF5-46B6-914D-92B83D14BDDA}.dat
2005-01-08 09:00 . 2005-01-08 09:00 56 -csh--r- c:\windows\system32\C70B12D71A.sys
2005-01-08 09:00 . 2005-01-08 09:00 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
2003-09-08 13:47 . 2003-09-08 13:47 32 -csha-w- c:\windows\system32\{CD0490BD-D74F-4446-82D9-0E27308FDBD8}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TeamOnPwpUpdater-TMPwpCli"="c:\program files\TMobile\PwpUpdtr.exe" [2003-10-06 81920]
"PromptCast"="c:\program files\PromptCast\PromptCast.exe" [2004-05-04 221184]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Drempels Desktop.lnk - c:\windows\drempels.exe [2001-4-6 196608]
MemTurbo.lnk - c:\program files\MemTurbo 4\MemTurbo.exe [2010-2-13 3121760]
PowerReg SchedulerV2.exe [2003-8-27 256000]
spamsubtract.lnk - c:\program files\interMute\SpamSubtract\SpamSubtract.exe [2003-4-10 552960]
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-6-20 24651]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2003-4-10 16384]
Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2003-8-23 73728]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-12-11 2322432]
QuickBooks 2002 Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2003-11-27 311296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-15 19:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2003-02-21 10:50 40960 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/15/2010 1:06 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/15/2010 1:06 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2/15/2010 1:05 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/15/2010 1:05 PM 285392]
R2 ccPxySvc;Symantec Proxy Service;c:\program files\Norton Personal Firewall\CCPXYSVC.EXE [9/8/2003 1:49 PM 34040]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R2 Hard Disk Tune-Up;Hard Disk Tune-Up;c:\program files\Hard Disk Tune-Up\HDTuneUpSrv.exe [2/13/2010 8:40 PM 441344]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 3:02 PM 287232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-07 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2003-04-26 07:56]

2010-03-08 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 19:50]

2010-03-07 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-04-10 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://qus8.hpwis.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
LSP: SpSubLSP.dll
Trusted Zone: aol.com\free
Trusted Zone: ebay.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java
DPF: {50D05FAC-D462-4795-8818-738FCF776FBC} - hxxps://myemail.t-mobile.com/html/web/c ... Client.cab
DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} - hxxp://xms.keynote.com/applications/con ... uncher.cab
DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - hxxp://www.surveys.com/promptcast/Insta ... 0SETUP.cab
DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} - hxxp://www.pulse3d.com/players/english/ ... 2AxWin.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0xF8AD9C51]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf87e3fc3
\Driver\ACPI -> ACPI.sys @ 0xf8756cb8
\Driver\atapi -> atapi.sys @ 0xf870e7b4
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Linksys NC100 Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf85e2af9
PacketIndicateHandler -> NDIS.sys @ 0xf85edb21
SendHandler -> NDIS.sys @ 0xf85e2938
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\program files\Softex\OmniPass\opxpgina.dll

- - - - - - - > 'lsass.exe'(576)
c:\windows\system32\SpSubLSP.dll
.
Completion time: 2010-03-07 19:39:25
ComboFix-quarantined-files.txt 2010-03-08 01:39
ComboFix2.txt 2010-03-06 20:22

Pre-Run: 27,168,030,720 bytes free
Post-Run: 27,151,904,768 bytes free

- - End Of File - - 1734B6591E5C62971C6E6ECCC285308F
barryndiane
Regular Member
 
Posts: 33
Joined: February 24th, 2010, 6:04 pm

Re: Redirected in search engine

Unread postby Cypher » March 8th, 2010, 12:17 pm

Hi Diane.
Are your searches still being redirected?

Upload a File to Jotti

Please go to jotti.org

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\drivers\asc3550p.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

If you have trouble using Jotti, try VirusTotal.

Please repeat the process for the below.
c:\windows\system32\C70B12D71A.sys


Next.

Please download SysProt Antirootkit from one of the links below.


  • Extract (unzip) its contents to your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
    See images below.
    [screenshot]
  • And check Hidden objects only at the bottom.
    [screenshot]
  • At the bottom of the window, click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.


Logs/Information to Post in your Next Reply

  • jotti or virus total results.
  • SysProt log.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
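Before a file goes to Jotti or VirusTotal it is worth hashing it locally: the MD5/SHA1 the scanner reports can then be matched against the file that was actually uploaded, and a path that no longer exists (the "does not exist" outcome a submission can return) is recognised before any upload is attempted. The Python script below is an added example, not code from this thread or from either scanning service; the file names and contents it hashes are constructed in a temporary folder, and the empty-file MD5 it recognises is simply the digest of zero bytes.

```python
"""Hash a file locally before submitting it to a multi-engine scanner.

Added example, not code from this thread and not part of Jotti or
VirusTotal. It covers the failure a submission can hit ("does not exist"):
a missing or unreadable path yields None instead of an exception, and a
present file is hashed in chunks so a large driver never has to be read
into memory at once. Sample files are constructed in a temporary folder.
"""
import hashlib
import os
import tempfile
from typing import Dict, Optional

# MD5 of zero bytes. A scanner handed a file with this hash received
# nothing to inspect (SystemLook reports the same value for a 0-byte file).
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def hash_file(path: str, chunk_size: int = 65536) -> Optional[Dict[str, object]]:
    """Return {'size', 'md5', 'sha1'} for a regular file, or None if it cannot be read."""
    if not os.path.isfile(path):
        return None
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                md5.update(chunk)
                sha1.update(chunk)
                size += len(chunk)
    except OSError:
        return None
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def describe(path: str) -> str:
    """One line to keep beside the scanner result for the same file."""
    info = hash_file(path)
    if info is None:
        return f"{path}: not found or unreadable (nothing to submit)"
    if info["md5"] == EMPTY_FILE_MD5:
        return f"{path}: 0 bytes, empty file (scanners cannot say anything about it)"
    return f"{path}: {info['size']} bytes MD5 {info['md5']} SHA1 {info['sha1']}"


def demo() -> dict:
    """Hash three constructed cases: an empty file, a small file, a missing path."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "empty.sys")
        open(empty, "wb").close()
        small = os.path.join(tmp, "sample.sys")
        with open(small, "wb") as fh:
            fh.write(b"abc")  # constructed content with well-known digests
        missing = os.path.join(tmp, "asc3550p.sys")  # deliberately never created
        out["empty"] = hash_file(empty)
        out["small"] = hash_file(small)
        out["missing"] = hash_file(missing)
        out["lines"] = [describe(p) for p in (empty, small, missing)]
    return out


if __name__ == "__main__":
    for line in demo()["lines"]:
        print(line)
```

Keeping the local digest next to the scanner's "Additional info" block is the check that matters: if the two MD5 values differ, the scanner looked at a different file (a browser-cached copy, for instance) than the one on disk.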

Re: Redirected in search engine

Unread postby barryndiane » March 8th, 2010, 8:07 pm

Hello. Yes I am still being redirected. It is good for a couple of clicks and then starts going to querytoday.

I could not paste either file into either program, so I went into Browse and pasted it there and then loaded it like that. However, for the first file you gave me it says it does not exist. These are the results from the 2nd one. Please let me know if I need to try another file or just continue with other instructions. Thank you.

Jotti's malware scan
Filename: C70B12D71A.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 9 Mar 2010 00:58:53 (CET) Permalink
--------------------------------------------------------------------------------
Additional info
File size: 56 bytes
Filetype: Unknown
MD5: 4bc1a23c789798554dd4afd17eb63272
SHA1: fbd56d165885744cece50027528f1d74ffd53971
Scanners
2010-03-08 Found nothing 2010-03-09 Found nothing
2010-03-09 Found nothing 2010-03-09 Found nothing
2010-03-08 Found nothing 2010-03-08 Found nothing
2010-03-08 Found nothing 2010-03-08 Found nothing
2010-03-08 Found nothing 2010-03-08 Found nothing
2010-03-08 Found nothing 2010-03-08 Found nothing
2010-03-08 Found nothing 2010-03-05 Found nothing
2010-03-08 Found nothing 2010-03-09 Found nothing
2010-03-08 Found nothing 2010-03-05 Found nothing
2010-03-08 Found nothing 2010-03-08 Found nothin
barryndiane
Regular Member
 
Posts: 33
Joined: February 24th, 2010, 6:04 pm

Re: Redirected in search engine

Unread postby Cypher » March 9th, 2010, 7:23 am

Hi Diane.
What's causing these redirects doesn't want to be found.
Were you able to run SysProt Antirootkit? Please post the log from the scan.

I would like you to do this also.

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *atapi*
    *asc3550p*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.



Logs/Information to Post in your Next Reply

  • SysProt log.
  • SystemLook.txt log.
  • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Redirected in search engine

Unread postby barryndiane » March 9th, 2010, 9:52 am

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F4B8B000
Module End: F4BA3000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8D03000
Module End: F8D05000
Hidden: Yes

Module Name: \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys
Service Name: catchme
Module Base: F8B07000
Module End: F8B0F000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: F8D61000
Module End: F8D63000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: PsGetProcessPeb
At Address: 804EA0C4
Jump To: F3806195
Module Name: _unknown_

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: BARRY.BELKIN:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BARRY:10110
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\AVG\AVG9\avgemc.exe
State: LISTENING

Local Address: BARRY:1030
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: BARRY:1029
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Norton Personal Firewall\CCPXYSVC.EXE
State: LISTENING

Local Address: BARRY:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BARRY:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: BARRY.BELKIN:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BARRY.BELKIN:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: BARRY.BELKIN:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: BARRY.BELKIN:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BARRY:2511
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: BARRY:2466
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: BARRY:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BARRY:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BARRY:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: BARRY:1126
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BARRY:1046
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BARRY:1026
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BARRY:1025
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BARRY:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: BARRY:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 07:50 on 09/03/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi*"
C:\cmdcons\atapi.sy_ --a--c 47242 bytes [16:55 19/08/2003] [12:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\I386\ATAPI.SY_ --a--c 47242 bytes [01:57 26/04/2003] [12:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\I386\COMPDATA\DECATAPI.HTM --a--c 881 bytes [01:57 26/04/2003] [12:00 29/08/2002] FDA00ABB8831E4903E9442E9B01843ED
C:\I386\COMPDATA\DECATAPI.TXT --a--c 449 bytes [01:57 26/04/2003] [12:00 29/08/2002] F5A5EAC5B4790D90031B913DD5D559A5
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 87040 bytes [03:19 21/08/2004] [22:59 24/10/2002] F1D915C3870E741D83B5142F3B358761
C:\WINDOWS\$NtUninstallQ331958$\atapi.sys -----c 86912 bytes [16:49 19/08/2003] [12:00 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [20:21 06/03/2010] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\I386\ATAPI.SY_ -----c 47242 bytes [09:33 10/04/2003] [19:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\WINDOWS\I386\COMPDATA\DECATAPI.HTM -----c 881 bytes [09:33 10/04/2003] [19:00 29/08/2002] FDA00ABB8831E4903E9442E9B01843ED
C:\WINDOWS\I386\COMPDATA\DECATAPI.TXT -----c 449 bytes [09:33 10/04/2003] [19:00 29/08/2002] F5A5EAC5B4790D90031B913DD5D559A5
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 95360 bytes [05:59 04/08/2004] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 95360 bytes [01:31 26/04/2003] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys -----c 95360 bytes [01:31 26/04/2003] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

Searching for "*asc3550p*"
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FJV52JQC\cc__WINDOWS_system32_drivers_asc3550p[1] --a--- 0 bytes [23:54 08/03/2010] [23:54 08/03/2010] D41D8CD98F00B204E9800998ECF8427E
C:\Qoobox\Quarantine\Registry_backups\Service_asc3550p.reg.dat --a--- 458 bytes [20:08 06/03/2010] [20:08 06/03/2010] 9BB227ACE7DC08DED977115596CCB090

-=End Of File=-
barryndiane
Regular Member
 
Posts: 33
Joined: February 24th, 2010, 6:04 pm
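The filefind output above lists every copy of atapi.sys on the disk with its size and MD5, which is what lets a helper tell whether the driver in use still matches the pristine copies Windows keeps (dllcache, ServicePackFiles) and the ERUNT backup in ERDNT\cache. The script below is an added example, not SystemLook's own code and not anything posted in the thread: it parses the log text (the sample is copied from the log above), groups the hits by search term, and compares the live driver's hash with every other file of the same name. The column layout (path, attributes, size, two bracketed timestamps, MD5) is read off those lines; the log does not say which timestamp is creation and which is modification, so the parser keeps them in printed order.

```python
"""Parse SystemLook ':filefind' output and compare copies of one driver by MD5.

Added example, not part of the thread and not SystemLook's own code. The
sample text is copied from the SystemLook log posted above; the column
order is taken from those lines, and the two bracketed timestamps are kept
in printed order because the log does not label them.
"""
import re
from collections import defaultdict
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<stamp_a>[^\]]+)\] \[(?P<stamp_b>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<term>[^"]+)"$')

EMPTY_FILE_MD5 = "D41D8CD98F00B204E9800998ECF8427E"  # MD5 of zero bytes

SAMPLE_LOG = r"""========== filefind ==========

Searching for "*atapi*"
C:\cmdcons\atapi.sy_ --a--c 47242 bytes [16:55 19/08/2003] [12:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\I386\ATAPI.SY_ --a--c 47242 bytes [01:57 26/04/2003] [12:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\I386\COMPDATA\DECATAPI.HTM --a--c 881 bytes [01:57 26/04/2003] [12:00 29/08/2002] FDA00ABB8831E4903E9442E9B01843ED
C:\I386\COMPDATA\DECATAPI.TXT --a--c 449 bytes [01:57 26/04/2003] [12:00 29/08/2002] F5A5EAC5B4790D90031B913DD5D559A5
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 87040 bytes [03:19 21/08/2004] [22:59 24/10/2002] F1D915C3870E741D83B5142F3B358761
C:\WINDOWS\$NtUninstallQ331958$\atapi.sys -----c 86912 bytes [16:49 19/08/2003] [12:00 29/08/2002] 95B858761A00E1D4F81F79A0DA019ACA
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 95360 bytes [20:21 06/03/2010] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\I386\ATAPI.SY_ -----c 47242 bytes [09:33 10/04/2003] [19:00 29/08/2002] 4A425C994A72B0C6D7D19171A83EB78E
C:\WINDOWS\I386\COMPDATA\DECATAPI.HTM -----c 881 bytes [09:33 10/04/2003] [19:00 29/08/2002] FDA00ABB8831E4903E9442E9B01843ED
C:\WINDOWS\I386\COMPDATA\DECATAPI.TXT -----c 449 bytes [09:33 10/04/2003] [19:00 29/08/2002] F5A5EAC5B4790D90031B913DD5D559A5
C:\WINDOWS\ServicePackFiles\i386\atapi.sys -----c 95360 bytes [05:59 04/08/2004] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 95360 bytes [01:31 26/04/2003] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\drivers\atapi.sys -----c 95360 bytes [01:31 26/04/2003] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

Searching for "*asc3550p*"
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FJV52JQC\cc__WINDOWS_system32_drivers_asc3550p[1] --a--- 0 bytes [23:54 08/03/2010] [23:54 08/03/2010] D41D8CD98F00B204E9800998ECF8427E
C:\Qoobox\Quarantine\Registry_backups\Service_asc3550p.reg.dat --a--- 458 bytes [20:08 06/03/2010] [20:08 06/03/2010] 9BB227ACE7DC08DED977115596CCB090

-=End Of File=-"""


def parse_filefind(text: str) -> Dict[str, List[dict]]:
    """Group parsed file records under the search term that produced them."""
    results: Dict[str, List[dict]] = defaultdict(list)
    term = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            term = m.group("term")
            continue
        m = LINE_RE.match(line)
        if m and term is not None:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["empty"] = rec["md5"] == EMPTY_FILE_MD5  # 0-byte file, nothing to scan
            results[term].append(rec)
    return dict(results)


def compare_copies(records: List[dict], live_path: str) -> dict:
    """Compare the in-use driver with every other copy that has the same file name.

    Same MD5 means a byte-identical backup (dllcache, ServicePackFiles, the
    ERUNT cache); a different MD5 is listed for the analyst to explain. Older
    uninstall snapshots are expected to differ; a same-version copy is not.
    """
    by_path = {r["path"].lower(): r for r in records}
    live = by_path.get(live_path.lower())
    if live is None:
        return {"live": None, "matching": [], "differing": []}
    name = live_path.lower().rsplit("\\", 1)[-1]
    matching, differing = [], []
    for r in records:
        if r is live or not r["path"].lower().endswith("\\" + name):
            continue
        (matching if r["md5"] == live["md5"] else differing).append(r["path"])
    return {"live": live, "matching": matching, "differing": differing}


if __name__ == "__main__":
    parsed = parse_filefind(SAMPLE_LOG)
    report = compare_copies(parsed["*atapi*"], r"C:\WINDOWS\system32\drivers\atapi.sys")
    print("live driver:", report["live"]["md5"], report["live"]["size"], "bytes")
    for p in report["matching"]:
        print("  same hash :", p)
    for p in report["differing"]:
        print("  different :", p)
    for r in parsed["*asc3550p*"]:
        print("asc3550p hit:", r["path"], "(empty file)" if r["empty"] else "")
```

On this log the live C:\WINDOWS\system32\drivers\atapi.sys hashes to CDFE4411A69C224BD1D11B2DA92DAC51, identical to the dllcache, ServicePackFiles and ERDNT\cache copies; only the two older uninstall snapshots differ, and the .SY_ files are compressed installation copies, so their hashes are not comparable. For *asc3550p* the only hits are a 0-byte entry in the IE cache (its MD5 is that of empty content) and a registry backup of the service in ComboFix's Qoobox quarantine; as far as a user-mode file search can see, no driver file by that name remains, which agrees with the "does not exist" result the poster got back from Jotti. The caveat is the one the helper in the thread is working around: a file search run from within Windows can only report what the running system lets it see, which is why the rootkit scanners are run alongside it.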