Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Web search being redirected

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Web search being redirected

Unread postby sculz » May 31st, 2011, 11:02 am

Hi there, I'm Sara.
I've been having some problems when googling, whenever I click a search result I get redirected to a different page, usually another search engine or an advertising website. This doesn't happen with every link. I'm guessing the problem came bundled with some free video to gif software I downloaded. I've tried running scans with both AVG and Ad-Aware, and then doing a System Restore from before I downloaded, but nothing's helped yet. I'd greatly appreciate some help :)

DDS logs
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.19048
Run by Sara at 22:52:01 on 2011-05-31
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.2045.744 [GMT 8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\hasplms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIGBP.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sara\Downloads\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT1269415
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
uURLSearchHooks: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
mURLSearchHooks: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
mURLSearchHooks: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WorkForce 630(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatigbp.exe /fu "c:\windows\temp\E_S457.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Free YouTube Download - c:\users\sara\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
Trusted Zone: googlecode.com\feedflow
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sara\appdata\roaming\mozilla\firefox\profiles\d9ymw0mw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=n ... l=en-GB&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [2011-4-22 27704]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-8 179712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-31 07:53:38 -------- d-----w- c:\program files\Lavasoft
2011-05-31 06:31:14 -------- d-----w- c:\users\sara\appdata\roaming\Ruwyu
2011-05-31 06:31:14 -------- d-----w- c:\users\sara\appdata\roaming\Muoduk
2011-05-31 03:56:29 -------- d-----w- c:\users\sara\appdata\roaming\GeoVid
2011-05-31 03:52:07 -------- d-----w- c:\program files\common files\GeoVid
2011-05-31 03:51:36 -------- d-----w- c:\users\sara\appdata\roaming\Xuvu
2011-05-28 06:15:00 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-05-28 06:05:10 -------- d-----w- c:\program files\2K Games
2011-05-23 14:59:31 314368 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp109.dll
2011-05-23 14:56:07 606208 ----atw- c:\windows\system32\PSR55036.DLL
2011-05-23 14:56:06 109568 ----a-w- c:\windows\system32\MadCHook.dll
2011-05-23 14:56:03 -------- d-----w- c:\program files\PharosSystems
2011-05-23 14:55:58 -------- d-----w- c:\program files\Pharos
2011-05-21 12:48:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-21 12:48:00 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-21 12:48:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-21 12:48:00 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-21 12:48:00 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-21 12:48:00 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-21 12:48:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-21 12:48:00 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-17 13:56:14 -------- d-----w- c:\users\sara\appdata\local\WinZip
2011-05-12 06:47:51 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-10 12:24:55 -------- d-----w- c:\users\sara\appdata\local\Google
2011-05-03 14:58:11 -------- d-----w- c:\users\sara\.gimp-2.6
2011-05-03 14:56:51 -------- d-----w- c:\program files\GIMP-2.0
.
==================== Find3M ====================
.
2011-05-14 10:46:12 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-05-14 10:46:11 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-05-14 10:46:11 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-04-14 13:28:18 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-04 16:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 08:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:13 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:35:36 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
.
============= FINISH: 22:53:30.64 ===============

Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume1
Install Date: 17/01/2011 6:14:09 PM
System Uptime: 31/05/2011 10:33:47 PM (0 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | Microprocessor | 2201/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 125.681 GiB free.
D: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter #2
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp
.
==== System Restore Points ===================
.
RP108: 29/04/2011 12:10:48 PM - Windows Update
RP109: 30/04/2011 11:07:54 AM - Scheduled Checkpoint
RP110: 30/04/2011 7:55:28 PM - Installed EndNote X4
RP111: 2/05/2011 11:16:11 AM - Scheduled Checkpoint
RP112: 5/05/2011 9:02:40 PM - Scheduled Checkpoint
RP113: 7/05/2011 7:54:01 PM - Installed AVG 2011
RP114: 9/05/2011 9:07:18 PM - Scheduled Checkpoint
RP115: 10/05/2011 10:57:01 AM - Scheduled Checkpoint
RP116: 12/05/2011 4:00:35 PM - Windows Update
RP117: 13/05/2011 8:42:10 AM - Scheduled Checkpoint
RP118: 15/05/2011 2:20:06 PM - Scheduled Checkpoint
RP119: 18/05/2011 5:06:10 PM - Scheduled Checkpoint
RP120: 22/05/2011 6:20:53 PM - Scheduled Checkpoint
RP121: 23/05/2011 11:54:19 AM - Scheduled Checkpoint
RP122: 24/05/2011 9:13:27 PM - Scheduled Checkpoint
RP123: 25/05/2011 4:33:03 PM - Scheduled Checkpoint
RP124: 26/05/2011 12:24:52 PM - Scheduled Checkpoint
RP126: 28/05/2011 2:04:36 PM - Installed BioShock
RP128: 28/05/2011 2:16:22 PM - Installed DirectX
RP133: 31/05/2011 10:27:05 PM - Restore Operation
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
7-Zip 9.20
ABBYY FineReader 9.0 Sprint
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color Common Settings
Adobe Default Language CS4
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe Media Player
Adobe PDF Library Files CS4
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader X (10.0.1)
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Age of Mythology
Age of Mythology - The Titans Expansion
Apple Application Support
Apple Software Update
Ask.com Search Assistant 1.0.2
µTorrent
AVG 2011
Canon DIGITAL CAMERA Solution Disk Software Guide
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PowerShot A3100 IS and PowerShot A3000 IS Camera User Guide
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC 8
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Celtx (2.9)
Compatibility Pack for the 2007 Office system
Conduit Engine
Cool Edit Pro 2.1
Croc
Download Energy Toolbar
EDIUS 5 Settings
EDIUS 5(SetupManager)
Empire Earth
EndNote X4
Epson Easy Photo Print 2
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser)
Epson Event Manager
Epson FAX Utility
Epson PC-FAX Driver
EPSON Scan
EPSON WorkForce 630 Series Manual
EPSON WorkForce 630 Series Network Guide
EPSON WorkForce 630 Series Printer Uninstall
EpsonNet Print
EpsonNet Setup 3.3
Free Audio CD to MP3 Converter version 1.3.8.324
Free RAR Extract Frog
Free YouTube Download version 2.10.33.324
GIMP 2.6.11
HamsterFreeVideoConverter
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iriver plus 3 (remove only)
Java Auto Updater
Java(TM) 6 Update 23
Majesty
Messenger Plus AU Toolbar
Messenger Plus! 5
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft Sync Framework 2.0 Core Components (x86) ENU
Microsoft Sync Framework 2.0 Provider Services (x86) ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Movie Converter (remove only)
Mozilla Firefox 4.0.1 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
NVIDIA Drivers
NVIDIA nView Desktop Manager
Pharaoh
Pharos
Populous: The Beginning
QuickTime
ResearchSoft Direct Export Helper
Roll
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Spesoft Free CD Ripper Version 3.9
Starcraft
SyncToy 2.1 (x86)
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VLC media player 1.1.8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinZip 15.0
.
==== Event Viewer Messages From Past Week ========
.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Certificate Propagation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
31/05/2011 11:54:12 AM, Error: EventLog [6008] - The previous system shutdown at 11:52:42 AM on 31/05/2011 was unexpected.
31/05/2011 10:41:54 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
31/05/2011 1:57:35 PM, Error: EventLog [6008] - The previous system shutdown at 12:15:56 PM on 31/05/2011 was unexpected.
27/05/2011 9:23:03 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B5D46B3. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
27/05/2011 12:38:43 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{15CA6991-B7A6-454B-AE30-830582C86B75} because another computer on the network has the same name. The server could not start.
27/05/2011 12:38:43 PM, Error: netbt [4321] - The name "SARA-PC :20" could not be registered on the interface with IP address 134.7.208.17. The computer with the IP address 134.7.171.34 did not allow the name to be claimed by this computer.
27/05/2011 12:38:43 PM, Error: netbt [4321] - The name "SARA-PC :0" could not be registered on the interface with IP address 134.7.208.17. The computer with the IP address 134.7.171.34 did not allow the name to be claimed by this computer.
27/05/2011 12:26:39 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 001F3B5D46B3 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
26/05/2011 11:43:23 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
25/05/2011 7:13:20 AM, Error: PlugPlayManager [12] - The device 'Printer Port Logical Interface' (LPTENUM\MicrosoftRawPort\5&26cd1e8d&0&LPT1) disappeared from the system without first being prepared for removal.
25/05/2011 7:13:20 AM, Error: PlugPlayManager [12] - The device 'ECP Printer Port (LPT1)' (ACPI\PNP0401\4&d381b3d&0) disappeared from the system without first being prepared for removal.
25/05/2011 7:13:02 AM, Error: PlugPlayManager [12] - The device 'Docking Station' (ACPI\DockDevice\_SB.PCI0.PCIE.GDCK) disappeared from the system without first being prepared for removal.
25/05/2011 11:23:31 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
24/05/2011 8:52:12 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer TEST that believes that it is the master browser for the domain on transport NetBT_Tcpip_{15CA6991-B7A6-454B-AE30-830582C86B75}. The master browser is stopping or an election is being forced.
.
==== End Of File ===========================
sculz
Active Member
 
Posts: 5
Joined: May 31st, 2011, 9:59 am
Advertisement
Register to Remove

Re: Web search being redirected

Unread postby Carolyn » June 2nd, 2011, 7:36 am

I am reviewing your logs and will post back shortly.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Web search being redirected

Unread postby Carolyn » June 2nd, 2011, 7:46 am

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

=============================

Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

=============================

Create a System Restore Point
  1. Right-click on Computer ... select Properties.
  2. In the left pane under Tasks ... click System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  3. Select System Protection ...then choose Create.
  4. In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  5. Click OK ...then close the System Restore dialog.

=============================

With reference to Malware Removal P2P Programs Policy, please uninstall the following programs before we continue:

  1. Click on Start > Control Panel and double click on Programs and Features.
  2. Locate µTorrent and click on the Uninstall button to uninstall it.
  3. Repeat for any other P2P programs that may be installed.
  4. Close Control Panel when done.

=============================

Download and Run a Diagnostic Tool (MGADiag.exe) from here and save this to your desktop.
http://go.microsoft.com/fwlink/?linkid=56062
* Right-click on MGADiag.exe and select "Run as administrator" to run the program.
* When the program has finished, click on the Validation tab and then click on Copy to Clipboard.
* Please post the results in your next reply.

=============================

Download CKScanner from here
Important - Save it to your desktop.
Right-click CKScanner.exe, select "Run as administrator" then click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

=============================

Disable AVG 2011

  • Please open the AVG 2011 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG User Interface.
  • On the Menu Bar, click on Tools.
  • Click Advanced Settings.
  • In the new screen which opens, scroll down to Temporarily disable AVG protection. Click on it to highlight it.
  • In the right hand pane, tick the box for Temporarily disable AVG protection.
  • Click Apply.
  • In the next screen which opens, select 180 minutes from the drop down menu, then click the Disable real time protection button.
  • Click OK.
  • Note: Don't forget to re-enable it after the fix.

=============================

GMER
The downloaded file will have a random name... this prevents malware from detecting and blocking it.
Please download GMER... random file name.exe by GMER. An alternate (zip file) download site.
Note: Do not run any programs while Gmer is running.
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  1. Double click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
    If using Vista or Windows 7, you must right click random named.exe and choose "Run As Administrator".
  2. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO <--- Important!
  3. On the right side panel, several boxes have been checked. Please UNCHECK the following: (see image below)
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <-- don't miss this one

    Image
    Click on image to enlarge


  4. If you don't get a warning then... Click the Rootkit/Malware tab at the top of the GMER window.
  5. Click the Scan button.
  6. Once the scan has finished... click Save. The Save... window will open.
  7. Save the scan results as gmer.txt, save it to your Desktop.
  8. Double click on the desktop "gmer.txt" file, to open in Notepad.
  9. Copy and paste the contents of the file gmer.txt in your next reply.

=============================

Please include the following logs in your next reply (post all logs as text, no attachments please):
  • The MGADiag report
  • The CKScanner log
  • The gmer.txt log
  • A new DDS.txt log
  • A new Attach.txt log
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Web search being redirected

Unread postby sculz » June 3rd, 2011, 2:45 am

Hey Caroline, thanks for helping, no problems running programs.

The MGADiag report
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-VRCTY-3V3RH-WRMG7
Windows Product Key Hash: l2HYuM058SkcIU57PqWaCOL7rEU=
Windows Product ID: 89576-OEM-7332141-00054
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.0.6002.2.00010100.2.0.006
ID: {C405FA72-AFD6-4ABD-9E5E-7B6DA1C1A57B}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows Vista (TM) Business
Architecture: 0x00000000
Build lab: 6002.vistasp2_gdr.101014-0432
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{C405FA72-AFD6-4ABD-9E5E-7B6DA1C1A57B}</UGUID><Version>1.9.0027.0</Version><OS>6.0.6002.2.00010100.2.0.006</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-WRMG7</PKey><PID>89576-OEM-7332141-00054</PID><PIDType>2</PIDType><SID>S-1-5-21-4205636344-3464498684-131168692</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude D630 </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>A17</Version><SMBIOSVersion major="2" minor="4"/><Date>20100104000000.000000+000</Date></BIOS><HWID>3D333507010000FA</HWID><UserLCID>0C09</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>W. Australia Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>M08 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.0.6002.18005
Name: Windows(TM) Vista, Business edition
Description: Windows Operating System - Vista, OEM_SLP channel
Activation ID: fd3bcb98-5c55-4b2d-ae32-a4515e3c17a3
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 89576-00146-321-400054-02-3081-6001.0000-0172011
Installation ID: 019876074416061295339201582826693353007172575645497873
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43473
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43474
Use License URL: http://go.microsoft.com/fwlink/?LinkID=43476
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=43475
Partial Product Key: WRMG7
License Status: Licensed

Windows Activation Technologies-->
N/A

HWID Data-->
HWID Hash Current: NgAAAAEABAABAAEAAQABAAAAAwABAAEAJJTY6WeAiHo8DPyQRoMGE4wS8vSCA0jQiMysViqF

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20000
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL M08
FACP DELL M08
HPET DELL M08
MCFG DELL M08
ASF! DELL M08
TCPA
SLIC DELL M08
SSDT PmRef CpuPm

The CKScanner log
CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe premiere pro cs3\plug-ins\en_us\vstplugins\decrackler1.dll
c:\program files\adobe\adobe premiere pro cs3\plug-ins\en_us\vstplugins\decrackler2.dll
c:\program files\adobe\adobe premiere pro cs3\plug-ins\en_us\vstplugins\decrackler6.dll
c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
c:\users\sara\music\media sounds\weapons & explosions\whip crack 04.pk
scanner sequence 3.EM.11
----- EOF -----


The gmer.txt log
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-03 14:37:53
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort1 Hitachi_HTS545050B9A300 rev.PB4OC64G
Running: qtn91giy.exe; Driver: C:\Users\Sara\AppData\Local\Temp\kxldypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9E6597A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9E659848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9E6598E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9E659980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 81EC1B74 4 Bytes [A0, 97, 65, 9E]
.text ntkrnlpa.exe!KeSetEvent + 621 81EC1DA4 8 Bytes [48, 98, 65, 9E, E4, 98, 65, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 81EC1E04 4 Bytes [80, 99, 65, 9E]
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x9E65E400, 0x6E1B2, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9E6E8220] C:\Windows\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9E6E8220]
.protectÿÿÿÿhardlockunknown last code section [0x9E6E8000, 0x50EA, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0x9E6E8000, 0x50EA, 0xE0000020]
? C:\Windows\TEMP\mc2EC03.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[3432] ntdll.dll!NtProtectVirtualMemory 77504B84 5 Bytes JMP 008A000A
.text C:\Windows\Explorer.EXE[3432] ntdll.dll!NtWriteVirtualMemory 775054C4 5 Bytes JMP 0093000A
.text C:\Windows\Explorer.EXE[3432] ntdll.dll!KiUserExceptionDispatcher 77505BF8 5 Bytes JMP 0085000A
.text C:\Windows\system32\svchost.exe[5688] ntdll.dll!NtProtectVirtualMemory 77504B84 5 Bytes JMP 008A000A
.text C:\Windows\system32\svchost.exe[5688] ntdll.dll!NtWriteVirtualMemory 775054C4 5 Bytes JMP 008B000A
.text C:\Windows\system32\svchost.exe[5688] ntdll.dll!KiUserExceptionDispatcher 77505BF8 5 Bytes JMP 0080000A
.text C:\Windows\system32\svchost.exe[5688] ole32.dll!CoCreateInstance 76B69F3E 5 Bytes JMP 00AC000A
.text C:\Windows\system32\svchost.exe[5688] USER32.dll!WindowFromPoint 7546884F 5 Bytes JMP 00BE000A
.text C:\Windows\system32\svchost.exe[5688] USER32.dll!GetForegroundWindow 754732C4 5 Bytes JMP 00BF000A
.text C:\Windows\system32\svchost.exe[5688] USER32.dll!GetCursorPos 75480B88 5 Bytes JMP 00BD000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----


A new DDS.txt log
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.19048
Run by Sara at 14:43:04 on 2011-06-03
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.2045.485 [GMT 8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\hasplms.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIGBP.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\AVG\AVG10\avgcfgex.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sara\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT1269415
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
uURLSearchHooks: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
mURLSearchHooks: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
mURLSearchHooks: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WorkForce 630(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatigbp.exe /fu "c:\windows\temp\E_S457.tmp" /EF "HKCU"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Free YouTube Download - c:\users\sara\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
Trusted Zone: googlecode.com\feedflow
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sara\appdata\roaming\mozilla\firefox\profiles\d9ymw0mw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=n ... l=en-GB&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [2011-4-22 27704]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-8 179712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-03 02:58:44 -------- d-----w- C:\MGADiagToolOutput
2011-05-31 07:53:38 -------- d-----w- c:\program files\Lavasoft
2011-05-31 06:31:14 -------- d-----w- c:\users\sara\appdata\roaming\Ruwyu
2011-05-31 06:31:14 -------- d-----w- c:\users\sara\appdata\roaming\Muoduk
2011-05-31 03:56:29 -------- d-----w- c:\users\sara\appdata\roaming\GeoVid
2011-05-31 03:52:07 -------- d-----w- c:\program files\common files\GeoVid
2011-05-31 03:51:36 -------- d-----w- c:\users\sara\appdata\roaming\Xuvu
2011-05-28 06:15:00 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-05-28 06:05:10 -------- d-----w- c:\program files\2K Games
2011-05-23 14:59:31 314368 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp109.dll
2011-05-23 14:56:07 606208 ----atw- c:\windows\system32\PSR55036.DLL
2011-05-23 14:56:06 109568 ----a-w- c:\windows\system32\MadCHook.dll
2011-05-23 14:56:03 -------- d-----w- c:\program files\PharosSystems
2011-05-23 14:55:58 -------- d-----w- c:\program files\Pharos
2011-05-21 12:48:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-21 12:48:00 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-21 12:48:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-21 12:48:00 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-21 12:48:00 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-21 12:48:00 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-21 12:48:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-21 12:48:00 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-17 13:56:14 -------- d-----w- c:\users\sara\appdata\local\WinZip
2011-05-12 06:47:51 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-10 12:24:55 -------- d-----w- c:\users\sara\appdata\local\Google
.
==================== Find3M ====================
.
2011-05-14 10:46:12 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-05-14 10:46:11 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-05-14 10:46:11 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-04-14 13:28:18 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-04 16:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 08:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
.
============= FINISH: 14:43:56.47 ===============


A new Attach.txt log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-05-19.01)
.
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume1
Install Date: 17/01/2011 6:14:09 PM
System Uptime: 3/06/2011 12:47:02 PM (2 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | Microprocessor | 2201/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 119.6 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter #2
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp
.
==== System Restore Points ===================
.
RP112: 5/05/2011 9:02:40 PM - Scheduled Checkpoint
RP113: 7/05/2011 7:54:01 PM - Installed AVG 2011
RP114: 9/05/2011 9:07:18 PM - Scheduled Checkpoint
RP115: 10/05/2011 10:57:01 AM - Scheduled Checkpoint
RP116: 12/05/2011 4:00:35 PM - Windows Update
RP117: 13/05/2011 8:42:10 AM - Scheduled Checkpoint
RP118: 15/05/2011 2:20:06 PM - Scheduled Checkpoint
RP119: 18/05/2011 5:06:10 PM - Scheduled Checkpoint
RP120: 22/05/2011 6:20:53 PM - Scheduled Checkpoint
RP121: 23/05/2011 11:54:19 AM - Scheduled Checkpoint
RP122: 24/05/2011 9:13:27 PM - Scheduled Checkpoint
RP123: 25/05/2011 4:33:03 PM - Scheduled Checkpoint
RP124: 26/05/2011 12:24:52 PM - Scheduled Checkpoint
RP126: 28/05/2011 2:04:36 PM - Installed BioShock
RP128: 28/05/2011 2:16:22 PM - Installed DirectX
RP133: 31/05/2011 10:27:05 PM - Restore Operation
RP134: 3/06/2011 10:49:47 AM - before malware
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
7-Zip 9.20
ABBYY FineReader 9.0 Sprint
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color Common Settings
Adobe Default Language CS4
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe Media Player
Adobe PDF Library Files CS4
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader X (10.0.1)
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Age of Mythology
Age of Mythology - The Titans Expansion
Apple Application Support
Apple Software Update
Ask.com Search Assistant 1.0.2
AVG 2011
Canon DIGITAL CAMERA Solution Disk Software Guide
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PowerShot A3100 IS and PowerShot A3000 IS Camera User Guide
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC 8
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Celtx (2.9)
Compatibility Pack for the 2007 Office system
Conduit Engine
Cool Edit Pro 2.1
Croc
Download Energy Toolbar
EDIUS 5 Settings
EDIUS 5(SetupManager)
Empire Earth
EndNote X4
Epson Easy Photo Print 2
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser)
Epson Event Manager
Epson FAX Utility
Epson PC-FAX Driver
EPSON Scan
EPSON WorkForce 630 Series Manual
EPSON WorkForce 630 Series Network Guide
EPSON WorkForce 630 Series Printer Uninstall
EpsonNet Print
EpsonNet Setup 3.3
Free Audio CD to MP3 Converter version 1.3.8.324
Free RAR Extract Frog
Free YouTube Download version 2.10.33.324
GIMP 2.6.11
HamsterFreeVideoConverter
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iriver plus 3 (remove only)
Java Auto Updater
Java(TM) 6 Update 23
Majesty
Messenger Plus AU Toolbar
Messenger Plus! 5
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft Sync Framework 2.0 Core Components (x86) ENU
Microsoft Sync Framework 2.0 Provider Services (x86) ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Movie Converter (remove only)
Mozilla Firefox 4.0.1 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
NVIDIA Drivers
NVIDIA nView Desktop Manager
Pharaoh
Pharos
Populous: The Beginning
QuickTime
ResearchSoft Direct Export Helper
Roll
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Spesoft Free CD Ripper Version 3.9
Starcraft
SyncToy 2.1 (x86)
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VLC media player 1.1.8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinZip 15.0
.
==== Event Viewer Messages From Past Week ========
.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
31/05/2011 5:45:43 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
31/05/2011 11:54:12 AM, Error: EventLog [6008] - The previous system shutdown at 11:52:42 AM on 31/05/2011 was unexpected.
31/05/2011 10:41:54 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
31/05/2011 1:57:35 PM, Error: EventLog [6008] - The previous system shutdown at 12:15:56 PM on 31/05/2011 was unexpected.
3/06/2011 11:02:33 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
3/06/2011 1:32:00 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
27/05/2011 9:23:03 PM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 001F3B5D46B3. The following error occurred: The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
27/05/2011 12:38:43 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{15CA6991-B7A6-454B-AE30-830582C86B75} because another computer on the network has the same name. The server could not start.
27/05/2011 12:38:43 PM, Error: netbt [4321] - The name "SARA-PC :20" could not be registered on the interface with IP address 134.7.208.17. The computer with the IP address 134.7.171.34 did not allow the name to be claimed by this computer.
27/05/2011 12:38:43 PM, Error: netbt [4321] - The name "SARA-PC :0" could not be registered on the interface with IP address 134.7.208.17. The computer with the IP address 134.7.171.34 did not allow the name to be claimed by this computer.
27/05/2011 12:26:39 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 001F3B5D46B3 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Secondary Logon service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Certificate Propagation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
.
==== End Of File ===========================
sculz
Active Member
 
Posts: 5
Joined: May 31st, 2011, 9:59 am

Re: Web search being redirected

Unread postby Carolyn » June 4th, 2011, 8:16 am

Hello Sara,

Remove outdated Java
Older versions of Java can be exploited. You can install the current version after the fix.
  • Go to start > control panel > programs and features.
  • Right click on Java(TM) 6 Update 23
  • Click Uninstall & then follow the prompts to remove it.

============================

Backup MBR
To be safe, let's create a backup of your PC's Master Boot Record.

  1. Please download MBRBackup - © Mischel Internet Security Ltd and save it to your Desktop.
  2. Double-click MBRBackup.exe to launch the program.
  3. Click SaveMBR at the top left corner... save the backup file to your desktop.
    The file will be created, with a name like: MBR_2010-11-05.bin using the date the backup was made.
  4. When finished, exit the program.
  5. I strongly advise you store a copy of the backup on an external hard drive, CD\DVD or USB flash drive, for your safety.

============================

TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista - W7 users: Right-click and select "Run As Administrator".
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
  6. Copy and paste the contents of that file in your next reply.
If, for some reason,you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Web search being redirected

Unread postby sculz » June 4th, 2011, 9:14 am

Everything ran okay, and my internet seems to be normal now. :D
Here's the log:

2011/06/04 21:00:42.0971 0504 TDSS rootkit removing tool 2.5.3.0 May 25 2011 07:09:24
2011/06/04 21:00:43.0835 0504 ================================================================================
2011/06/04 21:00:43.0835 0504 SystemInfo:
2011/06/04 21:00:43.0835 0504
2011/06/04 21:00:43.0835 0504 OS Version: 6.0.6002 ServicePack: 2.0
2011/06/04 21:00:43.0835 0504 Product type: Workstation
2011/06/04 21:00:43.0835 0504 ComputerName: SARA-PC
2011/06/04 21:00:43.0835 0504 UserName: Sara
2011/06/04 21:00:43.0835 0504 Windows directory: C:\Windows
2011/06/04 21:00:43.0835 0504 System windows directory: C:\Windows
2011/06/04 21:00:43.0835 0504 Processor architecture: Intel x86
2011/06/04 21:00:43.0835 0504 Number of processors: 2
2011/06/04 21:00:43.0835 0504 Page size: 0x1000
2011/06/04 21:00:43.0835 0504 Boot type: Normal boot
2011/06/04 21:00:43.0835 0504 ================================================================================
2011/06/04 21:00:46.0664 0504 Initialize success
2011/06/04 21:01:09.0013 6484 ================================================================================
2011/06/04 21:01:09.0013 6484 Scan started
2011/06/04 21:01:09.0013 6484 Mode: Manual;
2011/06/04 21:01:09.0013 6484 ================================================================================
2011/06/04 21:01:11.0831 6484 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/06/04 21:01:11.0950 6484 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/06/04 21:01:12.0086 6484 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/06/04 21:01:12.0172 6484 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/06/04 21:01:12.0267 6484 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/06/04 21:01:12.0404 6484 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/06/04 21:01:12.0558 6484 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/06/04 21:01:12.0643 6484 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/06/04 21:01:12.0694 6484 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/06/04 21:01:12.0750 6484 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/06/04 21:01:12.0859 6484 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/06/04 21:01:12.0966 6484 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/06/04 21:01:13.0020 6484 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2011/06/04 21:01:13.0158 6484 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/06/04 21:01:13.0300 6484 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/06/04 21:01:13.0370 6484 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/06/04 21:01:13.0450 6484 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/06/04 21:01:13.0610 6484 AVGIDSDriver (97824e8c95d9717777abd46a7b632310) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
2011/06/04 21:01:13.0753 6484 AVGIDSEH (c59c9bc3f0612bd207ccdc5d8cb9ce39) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
2011/06/04 21:01:13.0816 6484 AVGIDSFilter (c5559de2ec66cede15a1664f6d183d8e) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
2011/06/04 21:01:13.0848 6484 AVGIDSShim (ae5e9667fa40206796d1bd5bd0427a8a) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys
2011/06/04 21:01:13.0892 6484 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\Windows\system32\DRIVERS\avgldx86.sys
2011/06/04 21:01:13.0982 6484 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\Windows\system32\DRIVERS\avgmfx86.sys
2011/06/04 21:01:14.0109 6484 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\Windows\system32\DRIVERS\avgrkx86.sys
2011/06/04 21:01:14.0174 6484 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\Windows\system32\DRIVERS\avgtdix.sys
2011/06/04 21:01:14.0310 6484 b57nd60x (0b92ccf7bfcbe2b33838434f2f50cb61) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/06/04 21:01:14.0434 6484 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/06/04 21:01:14.0583 6484 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/06/04 21:01:14.0704 6484 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
2011/06/04 21:01:14.0837 6484 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/06/04 21:01:14.0927 6484 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/06/04 21:01:15.0062 6484 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/06/04 21:01:15.0115 6484 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/06/04 21:01:15.0180 6484 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/06/04 21:01:15.0272 6484 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/06/04 21:01:15.0378 6484 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/06/04 21:01:15.0448 6484 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/06/04 21:01:15.0580 6484 cdrblock (15e3e2920adac7450e0c7ae5f23a5f53) C:\Windows\system32\DRIVERS\cdrblock.sys
2011/06/04 21:01:15.0704 6484 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/06/04 21:01:15.0788 6484 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/06/04 21:01:15.0905 6484 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/06/04 21:01:16.0127 6484 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/06/04 21:01:16.0175 6484 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/06/04 21:01:16.0232 6484 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/06/04 21:01:16.0250 6484 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/06/04 21:01:16.0306 6484 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/06/04 21:01:16.0475 6484 CSC (9bdb2e89be8d0ef37b1f25c3d3fc192c) C:\Windows\system32\drivers\csc.sys
2011/06/04 21:01:16.0529 6484 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/06/04 21:01:16.0947 6484 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/06/04 21:01:17.0263 6484 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/06/04 21:01:17.0328 6484 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/06/04 21:01:17.0475 6484 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/06/04 21:01:17.0548 6484 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/06/04 21:01:17.0692 6484 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/06/04 21:01:17.0851 6484 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2011/06/04 21:01:17.0936 6484 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/06/04 21:01:17.0990 6484 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/06/04 21:01:18.0146 6484 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/06/04 21:01:18.0186 6484 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/06/04 21:01:18.0250 6484 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/06/04 21:01:18.0433 6484 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/06/04 21:01:18.0504 6484 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/06/04 21:01:18.0657 6484 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/06/04 21:01:18.0703 6484 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/06/04 21:01:18.0859 6484 Hardlock (9de9a7a19195c57ef38b4ee25422f2d7) C:\Windows\system32\drivers\hardlock.sys
2011/06/04 21:01:19.0033 6484 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
2011/06/04 21:01:19.0119 6484 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/06/04 21:01:19.0215 6484 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/06/04 21:01:19.0301 6484 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/06/04 21:01:19.0392 6484 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/06/04 21:01:19.0512 6484 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/06/04 21:01:19.0618 6484 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2011/06/04 21:01:19.0689 6484 HSF_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
2011/06/04 21:01:19.0803 6484 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/06/04 21:01:19.0868 6484 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/06/04 21:01:19.0978 6484 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/06/04 21:01:20.0082 6484 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/06/04 21:01:20.0203 6484 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/06/04 21:01:20.0304 6484 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/06/04 21:01:20.0355 6484 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/06/04 21:01:20.0484 6484 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/06/04 21:01:20.0588 6484 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/06/04 21:01:20.0676 6484 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/06/04 21:01:20.0770 6484 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/06/04 21:01:20.0852 6484 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/06/04 21:01:20.0907 6484 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/06/04 21:01:20.0992 6484 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/06/04 21:01:21.0054 6484 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/06/04 21:01:21.0091 6484 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/06/04 21:01:21.0138 6484 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/06/04 21:01:21.0231 6484 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/06/04 21:01:21.0339 6484 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/06/04 21:01:21.0389 6484 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2011/06/04 21:01:21.0449 6484 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2011/06/04 21:01:21.0503 6484 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2011/06/04 21:01:21.0589 6484 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/06/04 21:01:21.0659 6484 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2011/06/04 21:01:21.0704 6484 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2011/06/04 21:01:21.0860 6484 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/06/04 21:01:21.0911 6484 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/06/04 21:01:21.0925 6484 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/06/04 21:01:21.0982 6484 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/06/04 21:01:22.0012 6484 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/06/04 21:01:22.0160 6484 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2011/06/04 21:01:22.0194 6484 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/06/04 21:01:22.0220 6484 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/06/04 21:01:22.0292 6484 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/06/04 21:01:22.0406 6484 mrxsmb (5fe5cf325f5b02ebc60832d3440cb414) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/06/04 21:01:22.0427 6484 mrxsmb10 (30b9c769446af379a2afb72b0392604d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/06/04 21:01:22.0448 6484 mrxsmb20 (fea239b3ec4877e2b7e23204af589ddf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/06/04 21:01:22.0495 6484 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
2011/06/04 21:01:22.0604 6484 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2011/06/04 21:01:22.0650 6484 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/06/04 21:01:22.0695 6484 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/06/04 21:01:22.0842 6484 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/06/04 21:01:22.0936 6484 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/06/04 21:01:22.0988 6484 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/06/04 21:01:23.0034 6484 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/06/04 21:01:23.0082 6484 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/06/04 21:01:23.0201 6484 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/06/04 21:01:23.0273 6484 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/06/04 21:01:23.0385 6484 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/06/04 21:01:23.0495 6484 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/06/04 21:01:23.0592 6484 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/06/04 21:01:23.0616 6484 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/06/04 21:01:23.0675 6484 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/06/04 21:01:23.0764 6484 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/06/04 21:01:23.0862 6484 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/06/04 21:01:23.0991 6484 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/06/04 21:01:24.0128 6484 NETw4v32 (6522dd40a5f67ced020bd81b856613fb) C:\Windows\system32\DRIVERS\NETw4v32.sys
2011/06/04 21:01:24.0249 6484 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/06/04 21:01:24.0363 6484 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/06/04 21:01:24.0458 6484 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/06/04 21:01:24.0529 6484 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/06/04 21:01:24.0632 6484 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/06/04 21:01:24.0679 6484 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/06/04 21:01:24.0959 6484 nvlddmkm (8fe5350fa6a9f0b6633aee811c468954) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/06/04 21:01:25.0241 6484 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2011/06/04 21:01:25.0287 6484 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2011/06/04 21:01:25.0383 6484 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2011/06/04 21:01:25.0538 6484 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/06/04 21:01:25.0629 6484 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
2011/06/04 21:01:25.0772 6484 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/06/04 21:01:25.0879 6484 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
2011/06/04 21:01:25.0998 6484 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/06/04 21:01:26.0042 6484 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2011/06/04 21:01:26.0096 6484 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/06/04 21:01:26.0213 6484 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/06/04 21:01:26.0413 6484 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/06/04 21:01:26.0455 6484 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2011/06/04 21:01:26.0503 6484 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/06/04 21:01:26.0673 6484 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2011/06/04 21:01:26.0818 6484 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/06/04 21:01:26.0876 6484 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/06/04 21:01:26.0962 6484 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/06/04 21:01:27.0100 6484 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/06/04 21:01:27.0151 6484 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/06/04 21:01:27.0169 6484 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/06/04 21:01:27.0213 6484 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/06/04 21:01:27.0280 6484 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/06/04 21:01:27.0334 6484 rdpdr (943b18305eae3935598a9b4a3d560b4c) C:\Windows\system32\DRIVERS\rdpdr.sys
2011/06/04 21:01:27.0402 6484 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/06/04 21:01:27.0474 6484 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/06/04 21:01:27.0537 6484 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/06/04 21:01:27.0630 6484 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/06/04 21:01:27.0719 6484 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/06/04 21:01:27.0767 6484 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
2011/06/04 21:01:27.0881 6484 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
2011/06/04 21:01:27.0954 6484 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/06/04 21:01:28.0020 6484 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2011/06/04 21:01:28.0100 6484 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2011/06/04 21:01:28.0205 6484 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2011/06/04 21:01:28.0255 6484 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/06/04 21:01:28.0343 6484 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2011/06/04 21:01:28.0428 6484 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2011/06/04 21:01:28.0488 6484 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2011/06/04 21:01:28.0555 6484 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/06/04 21:01:28.0652 6484 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/06/04 21:01:28.0745 6484 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
2011/06/04 21:01:28.0828 6484 srv2 (a5940ca32ed206f90be9fabdf6e92de4) C:\Windows\system32\DRIVERS\srv2.sys
2011/06/04 21:01:28.0908 6484 srvnet (37aa1d560d5fa486c4b11c2f276ada61) C:\Windows\system32\DRIVERS\srvnet.sys
2011/06/04 21:01:28.0965 6484 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/06/04 21:01:29.0014 6484 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/06/04 21:01:29.0125 6484 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/06/04 21:01:29.0195 6484 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/06/04 21:01:29.0280 6484 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/06/04 21:01:29.0380 6484 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/06/04 21:01:29.0466 6484 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/06/04 21:01:29.0567 6484 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/06/04 21:01:29.0655 6484 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/06/04 21:01:29.0732 6484 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/06/04 21:01:29.0789 6484 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/06/04 21:01:29.0925 6484 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/06/04 21:01:30.0025 6484 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/06/04 21:01:30.0138 6484 tunnel (119b8184e106baedc83fce5ddf3950da) C:\Windows\system32\DRIVERS\tunnel.sys
2011/06/04 21:01:30.0190 6484 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2011/06/04 21:01:30.0264 6484 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/06/04 21:01:30.0380 6484 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2011/06/04 21:01:30.0433 6484 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2011/06/04 21:01:30.0475 6484 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/06/04 21:01:30.0592 6484 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/06/04 21:01:30.0630 6484 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/06/04 21:01:30.0709 6484 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/06/04 21:01:30.0828 6484 USBCCID (32c068eaf37c92d7194eee1faa1e7853) C:\Windows\system32\DRIVERS\usbccid.sys
2011/06/04 21:01:30.0902 6484 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/06/04 21:01:30.0983 6484 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/06/04 21:01:31.0108 6484 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/06/04 21:01:31.0187 6484 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/06/04 21:01:31.0257 6484 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
2011/06/04 21:01:31.0366 6484 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/06/04 21:01:31.0436 6484 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/06/04 21:01:31.0525 6484 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/06/04 21:01:31.0627 6484 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/06/04 21:01:31.0669 6484 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2011/06/04 21:01:31.0717 6484 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2011/06/04 21:01:31.0880 6484 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2011/06/04 21:01:31.0935 6484 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/06/04 21:01:32.0005 6484 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/06/04 21:01:32.0162 6484 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/06/04 21:01:32.0244 6484 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2011/06/04 21:01:32.0290 6484 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/06/04 21:01:32.0401 6484 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/04 21:01:32.0413 6484 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/06/04 21:01:32.0461 6484 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2011/06/04 21:01:32.0504 6484 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/06/04 21:01:32.0618 6484 winachsf (5c7bdcf5864db00323fe2d90fa26a8a2) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
2011/06/04 21:01:32.0735 6484 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/06/04 21:01:32.0855 6484 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/06/04 21:01:32.0993 6484 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/06/04 21:01:33.0139 6484 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/06/04 21:01:33.0230 6484 MBR (0x1B8) (04d4350ae5fb6fc2ad3e7c26b1323c68) \Device\Harddisk0\DR0
2011/06/04 21:01:33.0235 6484 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/06/04 21:01:33.0243 6484 ================================================================================
2011/06/04 21:01:33.0243 6484 Scan finished
2011/06/04 21:01:33.0243 6484 ================================================================================
2011/06/04 21:01:33.0254 7216 Detected object count: 1
2011/06/04 21:01:33.0254 7216 Actual detected object count: 1
2011/06/04 21:01:59.0638 7216 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/06/04 21:01:59.0639 7216 \Device\Harddisk0\DR0 - ok
2011/06/04 21:01:59.0640 7216 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/06/04 21:02:07.0575 6064 Deinitialize success
sculz
Active Member
 
Posts: 5
Joined: May 31st, 2011, 9:59 am

Re: Web search being redirected

Unread postby Carolyn » June 5th, 2011, 12:24 pm

Hi Sara,

Please scan with GMER once again then post the resulting log for my review.

Next, run an online scan

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Please post the following:
  • The GMER log
  • The ESET log
  • and a fresh DDS log
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Web search being redirected

Unread postby sculz » June 8th, 2011, 5:25 am

Gmer:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-08 09:46:03
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HTS545050B9A300 rev.PB4OC64G
Running: qtn91giy.exe; Driver: C:\Users\Sara\AppData\Local\Temp\kxldypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9BDE27A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9BDE2848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9BDE28E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9BDE2980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 81EFAB74 4 Bytes [A0, 27, DE, 9B]
.text ntkrnlpa.exe!KeSetEvent + 621 81EFADA4 8 Bytes [48, 28, DE, 9B, E4, 28, DE, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 81EFAE04 4 Bytes [80, 29, DE, 9B] {SUB BYTE [ECX], 0xde; WAIT }
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x9CA07400, 0x6E1B2, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9CA91220] C:\Windows\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9CA91220]
.protectÿÿÿÿhardlockunknown last code section [0x9CA91000, 0x50EA, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0x9CA91000, 0x50EA, 0xE0000020]
? C:\Windows\TEMP\mc27F6B.tmp The system cannot find the file specified. !
? C:\Users\Sara\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----

EST Online Scanner:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=6a3d8ff0b444fe4684cc1beeeac7f6b8
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-08 02:41:46
# local_time=2011-06-08 10:41:46 (+0800, W. Australia Standard Time)
# country="Australia"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1032 16777213 100 96 0 50817172 0 0
# compatibility_mode=5892 16776574 66 95 645639 145027082 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=83090
# found=12
# cleaned=0
# scan_time=2926
C:\Users\Sara\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4IO15QOC\sw[1].htm JS/Kryptik.AP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\233D.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\8F77.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\B4A.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\B8E5.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\B8E6.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\Update_581c.exe a variant of Win32/MessengerPlus application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\msgpl_fb88.tmp\OCSetupHlp.dll Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\msgpl_fb88.tmp\OpenCandy.dat Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\239e47d5-792979ac multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\37db3fe2-406684f0 Java/TrojanDownloader.Agent.ME trojan (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=6a3d8ff0b444fe4684cc1beeeac7f6b8
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-06-08 03:52:49
# local_time=2011-06-08 11:52:49 (+0800, W. Australia Standard Time)
# country="Australia"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1032 16777213 100 96 0 50820369 0 0
# compatibility_mode=5892 16776574 66 95 648836 145030279 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=181048
# found=14
# cleaned=0
# scan_time=3991
C:\Users\Sara\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4IO15QOC\sw[1].htm JS/Kryptik.AP trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\233D.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\8F77.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\B4A.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\B8E5.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\B8E6.tmp a variant of Win32/Kryptik.OJI trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\Update_581c.exe a variant of Win32/MessengerPlus application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\Local\Temp\msgpl_fb88.tmp\OCSetupHlp.dll Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Sara\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\37db3fe2-406684f0 Java/TrojanDownloader.Agent.ME trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\52665893-15c2ca8f a variant of Win32/Kryptik.OSF trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\55669b17-4f79818d Win32/TrojanDownloader.Karagany.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\37db3fe2-46a3004d Java/TrojanDownloader.Agent.ME trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\2bc3143e-4353ebf2 a variant of Java/TrojanDownloader.OpenStream.NCE trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\2bc3143e-5c2eee67 a variant of Java/TrojanDownloader.OpenStream.NCE trojan (unable to clean) 00000000000000000000000000000000 I


DDS:

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.19048
Run by Sara at 17:22:37 on 2011-06-08
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.61.1033.18.2045.649 [GMT 8:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\hasplms.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIGBP.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\avgui.exe
C:\Program Files\AVG\AVG10\avgcfgex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource= ... =CT1269415
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
uURLSearchHooks: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
mURLSearchHooks: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
mURLSearchHooks: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Download Energy Toolbar: {ad708c09-d51b-45b3-9d28-4eba2681febf} - c:\program files\download_energy\tbDown.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: Messenger Plus AU Toolbar: {1e82937c-f660-4a34-b6f0-b185c8729ea5} - c:\program files\messenger_plus_au\prxtbMess.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WorkForce 630(Network)] c:\windows\system32\spool\drivers\w32x86\3\e_fatigbp.exe /fu "c:\windows\temp\E_S457.tmp" /EF "HKCU"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_Plugin.exe -update plugin
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Free YouTube Download - c:\users\sara\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
Trusted Zone: googlecode.com\feedflow
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 61.9.242.33 61.9.226.33
TCP: Interfaces\{15CA6991-B7A6-454B-AE30-830582C86B75} : DhcpNameServer = 61.9.242.33 61.9.226.33
TCP: Interfaces\{FF159AFB-1038-45F5-8AAE-A97BDECCC016} : DhcpNameServer = 61.9.242.33 61.9.226.33
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sara\appdata\roaming\mozilla\firefox\profiles\d9ymw0mw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.as ... ource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=n ... l=en-GB&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 cdrblock;cdrblock;c:\windows\system32\drivers\cdrblock.sys [2011-4-22 27704]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-8 179712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-08 01:48:53 -------- d-----w- c:\program files\ESET
2011-06-04 12:27:23 -------- d-----w- c:\windows\system32\appmgmt
2011-06-03 02:58:44 -------- d-----w- C:\MGADiagToolOutput
2011-05-31 07:53:38 -------- d-----w- c:\program files\Lavasoft
2011-05-31 06:31:14 -------- d-----w- c:\users\sara\appdata\roaming\Ruwyu
2011-05-31 06:31:14 -------- d-----w- c:\users\sara\appdata\roaming\Muoduk
2011-05-31 03:56:29 -------- d-----w- c:\users\sara\appdata\roaming\GeoVid
2011-05-31 03:52:07 -------- d-----w- c:\program files\common files\GeoVid
2011-05-31 03:51:36 -------- d-----w- c:\users\sara\appdata\roaming\Xuvu
2011-05-28 06:15:00 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-05-28 06:05:10 -------- d-----w- c:\program files\2K Games
2011-05-23 14:59:31 314368 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp109.dll
2011-05-23 14:56:07 606208 ----atw- c:\windows\system32\PSR55036.DLL
2011-05-23 14:56:06 109568 ----a-w- c:\windows\system32\MadCHook.dll
2011-05-23 14:56:03 -------- d-----w- c:\program files\PharosSystems
2011-05-23 14:55:58 -------- d-----w- c:\program files\Pharos
2011-05-21 12:48:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-21 12:48:00 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-21 12:48:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-21 12:48:00 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-21 12:48:00 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-21 12:48:00 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-21 12:48:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-21 12:48:00 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-17 13:56:14 -------- d-----w- c:\users\sara\appdata\local\WinZip
2011-05-12 06:47:51 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-10 12:24:55 -------- d-----w- c:\users\sara\appdata\local\Google
.
==================== Find3M ====================
.
2011-05-14 10:46:12 21840 ----atw- c:\windows\system32\SIntfNT.dll
2011-05-14 10:46:11 17212 ----atw- c:\windows\system32\SIntf32.dll
2011-05-14 10:46:11 12067 ----atw- c:\windows\system32\SIntf16.dll
2011-04-14 13:28:18 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-04 16:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 08:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
.
============= FINISH: 17:23:49.02 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume1
Install Date: 17/01/2011 6:14:09 PM
System Uptime: 8/06/2011 1:09:28 PM (4 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | Microprocessor | 2201/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 466 GiB total, 117.315 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Microsoft Tun Miniport Adapter #2
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp
.
==== System Restore Points ===================
.
RP121: 23/05/2011 11:54:19 AM - Scheduled Checkpoint
RP122: 24/05/2011 9:13:27 PM - Scheduled Checkpoint
RP123: 25/05/2011 4:33:03 PM - Scheduled Checkpoint
RP124: 26/05/2011 12:24:52 PM - Scheduled Checkpoint
RP126: 28/05/2011 2:04:36 PM - Installed BioShock
RP128: 28/05/2011 2:16:22 PM - Installed DirectX
RP133: 31/05/2011 10:27:05 PM - Restore Operation
RP134: 3/06/2011 10:49:47 AM - before malware
RP137: 5/06/2011 8:36:12 PM - Scheduled Checkpoint
RP138: 7/06/2011 10:38:08 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
7-Zip 9.20
ABBYY FineReader 9.0 Sprint
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color Common Settings
Adobe Default Language CS4
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe Media Player
Adobe PDF Library Files CS4
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader X (10.0.1)
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Age of Mythology
Age of Mythology - The Titans Expansion
Apple Application Support
Apple Software Update
Ask.com Search Assistant 1.0.2
AVG 2011
Canon DIGITAL CAMERA Solution Disk Software Guide
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PowerShot A3100 IS and PowerShot A3000 IS Camera User Guide
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC 8
Canon Utilities Movie Uploader for YouTube
Canon Utilities MyCamera
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Celtx (2.9)
Compatibility Pack for the 2007 Office system
Conduit Engine
Cool Edit Pro 2.1
Croc
Download Energy Toolbar
EDIUS 5 Settings
EDIUS 5(SetupManager)
Empire Earth
EndNote X4
Epson Easy Photo Print 2
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser)
Epson Event Manager
Epson FAX Utility
Epson PC-FAX Driver
EPSON Scan
EPSON WorkForce 630 Series Manual
EPSON WorkForce 630 Series Network Guide
EPSON WorkForce 630 Series Printer Uninstall
EpsonNet Print
EpsonNet Setup 3.3
ESET Online Scanner v3
Free Audio CD to MP3 Converter version 1.3.8.324
Free RAR Extract Frog
Free YouTube Download version 2.10.33.324
GIMP 2.6.11
HamsterFreeVideoConverter
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iriver plus 3 (remove only)
Majesty
Messenger Plus AU Toolbar
Messenger Plus! 5
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Premium
Microsoft Silverlight
Microsoft Sync Framework 2.0 Core Components (x86) ENU
Microsoft Sync Framework 2.0 Provider Services (x86) ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Movie Converter (remove only)
Mozilla Firefox 4.0.1 (x86 en-GB)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML4 Parser
NVIDIA Drivers
NVIDIA nView Desktop Manager
Pharaoh
Pharos
Populous: The Beginning
QuickTime
ResearchSoft Direct Export Helper
Roll
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Spesoft Free CD Ripper Version 3.9
Starcraft
SyncToy 2.1 (x86)
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VLC media player 1.1.8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinZip 15.0
.
==== Event Viewer Messages From Past Week ========
.
8/06/2011 7:48:10 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
4/06/2011 8:25:40 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error: An instance of the service is already running.
4/06/2011 8:25:40 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
4/06/2011 8:01:10 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
3/06/2011 2:53:47 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avgwd service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Secondary Logon service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Certificate Propagation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
2/06/2011 2:17:29 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
.
==== End Of File ===========================
sculz
Active Member
 
Posts: 5
Joined: May 31st, 2011, 9:59 am

Re: Web search being redirected

Unread postby Carolyn » June 11th, 2011, 1:36 pm

I apologize for taking so long to reply, Sara.

Please download ATF Cleaner to your desktop.

  • Right-click ATF-Cleaner.exe And select " Run as administrator " to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

========================================

This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

Your log now appears to be clean. Congratulations!

Time for some housekeeping

Clean up with OTC

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


You can now delete any tools we used if they remain on your Desktop.


Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Clear Infected System Restore Points

    For Windows Vista and Windows 7:
    • Click start, type Disk Cleanup in the search box
    • Right-Click Disk Cleanup and select "Run as Administrator" and accept the UAC elevation prompt.
    • Select the drive where Windows is installed (if you have more than one drive) and click "OK".
    • When the scan completes, check/uncheck desired boxes.
    • Next, please click the More Options tab at the top.
    • Click the "Clean up..." button under the "System Restore and Shadow Copies" section at the bottom.
    • Click Delete in response to the question "Are you sure you want to delete all but the most recent restore point?", click OK and answer Yes again.
    • The disk clean up utility will remove the selected items. When it completes, please restart the computer to properly record the changes made to the hard disk.

  • Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under Hidden files and folders if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check Display content of system folders
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer More Secure
    You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Malwarebytes' Anti-Malware or SuperAntiSpyware
    These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
    You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
    You can download SuperAntiSpyware from HERE.

  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:
    Stop and Disable the DNS Client Service
    Go to Start, Run and type Services.msc and click OK.
    Under the Extended Tab, Scroll down and find this service.
    DNS Client
    Right-Click on the DNS Client Service. Choose Properties
    Select the General tab. Click on the Stop button.
    Click the Arrow-down tab on the right-hand side at the Start-up Type box.
    From the drop-down menu, click on Manual
    Click the Apply tab, then click OK


  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article How to prevent Malware by miekiemoes.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Web search being redirected

Unread postby sculz » June 13th, 2011, 8:16 am

Thanks so much for your help Caroline. I'll definitely be making a donation.
All the best :)
sculz
Active Member
 
Posts: 5
Joined: May 31st, 2011, 9:59 am

Re: Web search being redirected

Unread postby Carolyn » June 13th, 2011, 9:38 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 38 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware