Search Redirect Malware

Re: Search Redirect Malware

Unread postby rjj76 » February 27th, 2010, 7:47 pm

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:45 on 27/02/2010 by Robert Jericho (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:37 01/02/2010] [13:17 12/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [23:36 12/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [13:17 12/08/2004] [18:40 13/04/2008] 7A447AE8867BA50C09ABF43F4FDE88C8

-=End Of File=-
rjj76
Regular Member
 
Posts: 16
Joined: February 15th, 2010, 4:56 pm
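The SystemLook log above lists five copies of atapi.sys from different locations, and the useful signal is buried in the MD5 column: the copy actually loaded from system32\drivers has a different hash from the copy in the service-pack cache even though both are 96512 bytes. The script below is an added example, not part of the thread and not a SystemLook feature: it parses a filefind block, groups copies by file name, treats the ServicePackFiles\i386 copy as the reference (an assumption; that directory is the pristine service-pack cache on XP) and flags any same-named copy whose hash differs at identical size. Copies of a different size are reported as a different version rather than as tampering, because a pre-SP3 backup will legitimately differ.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the "filefind" block from the SystemLook log above.
SYSTEMLOOK_FILEFIND = r"""
========== filefind ==========

Searching for "atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [04:59 04/08/2004] [04:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:37 01/02/2010] [13:17 12/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [23:36 12/02/2010] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [13:17 12/08/2004] [18:40 13/04/2008] 7A447AE8867BA50C09ABF43F4FDE88C8

-=End Of File=-
"""

# One filefind result line: path, six attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Assumed reference location: the service-pack file cache holds the installed version.
REFERENCE_DIR = PureWindowsPath(r"C:\WINDOWS\ServicePackFiles\i386")


def parse_filefind(text):
    """Return one dict per file line found in a SystemLook filefind block."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].lower()
            entries.append(entry)
    return entries


def compare_to_reference(entries, reference_dir=REFERENCE_DIR):
    """Compare every copy of each file name against the reference-directory copy.

    Returns {path: verdict}. A hash mismatch at identical size is the case
    worth inspecting; a size mismatch usually just means another version.
    """
    verdicts = {}
    by_name = {}
    for e in entries:
        name = PureWindowsPath(e["path"]).name.lower()
        by_name.setdefault(name, []).append(e)

    for copies in by_name.values():
        # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
        ref = next((c for c in copies
                    if PureWindowsPath(c["path"]).parent == reference_dir), None)
        for c in copies:
            if ref is None:
                verdicts[c["path"]] = "no reference copy"
            elif c is ref:
                verdicts[c["path"]] = "reference"
            elif c["md5"] == ref["md5"]:
                verdicts[c["path"]] = "matches reference"
            elif c["size"] != ref["size"]:
                verdicts[c["path"]] = "different size: other version, not comparable"
            else:
                verdicts[c["path"]] = "HASH MISMATCH at identical size: inspect"
    return verdicts


if __name__ == "__main__":
    for path, verdict in compare_to_reference(parse_filefind(SYSTEMLOOK_FILEFIND)).items():
        print(f"{verdict:45s} {path}")
```

Run against the posted log, the ERDNT\cache copy matches the reference, the $NtServicePackUninstall$ copy is reported as a different version, and only the system32\drivers copy is flagged, which is exactly the file muppy03 asks to have rescanned.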

Re: Search Redirect Malware

Unread postby muppy03 » February 27th, 2010, 10:45 pm

Hi, Are you still having problems or are things running fine? Are the redirects gone? Please update me on any issues remaining.

Let's do a double check on the file Kaspersky found.


Please go to Virus Total <http://www.virustotal.com/> or Jotti
and upload C:\WINDOWS\system32\drivers\atapi.sys for scanning.

For Virus Total
1. Please copy and paste C:\WINDOWS\system32\drivers\atapi.sys in the text box next to the Browse button.
2. Click on Send File.

For Jotti
1. Please copy and paste C:\WINDOWS\system32\drivers\atapi.sys in the text box next to the Browse button.
2. Click on Submit.

Repeat for the below file/s:
C:\WINDOWS\ServicePackFiles\i386\atapi.sys

Please post back the results of the scan in your next post.
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Search Redirect Malware

Unread postby rjj76 » February 28th, 2010, 11:43 am

Not having any problems with the redirect but I guess something else is going on.

atapi.sys from system32 from VirusTotal:

File atapi.sys received on 2010.02.28 15:34:28 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 28/39 (71.8%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 42 and 60 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.28 Rootkit.Win32.TDSS!IK
AhnLab-V3 5.0.0.2 2010.02.28 Win-Trojan/Patched.X
AntiVir 8.2.1.176 2010.02.26 TR/Patched.Gen
Antiy-AVL 2.0.3.7 2010.02.26 -
Authentium 5.2.0.5 2010.02.27 -
Avast 4.8.1351.0 2010.02.28 Win32:Alureon-FQ
Avast5 5.0.332.0 2010.02.28 Win32:Alureon-FQ
AVG 9.0.0.730 2010.02.28 Rootkit-Pakes.U
BitDefender 7.2 2010.02.28 Rootkit.Patched.TDSS.Gen
CAT-QuickHeal 10.00 2010.02.27 -
ClamAV 0.96.0.0-git 2010.02.28 -
Comodo 4091 2010.02.28 TrojWare.Win32.Patched.DU0
DrWeb 5.0.1.12222 2010.02.28 BackDoor.Tdss.565
eSafe 7.0.17.0 2010.02.28 -
eTrust-Vet 35.2.7331 2010.02.26 Win32/Olmarik!generic
F-Prot 4.5.1.85 2010.02.27 -
Fortinet 4.0.14.0 2010.02.28 -
GData 19 2010.02.28 Rootkit.Patched.TDSS.Gen
Ikarus T3.1.1.80.0 2010.02.28 Rootkit.Win32.TDSS
Jiangmin 13.0.900 2010.02.28 Rootkit.TDSS.ctt
K7AntiVirus 7.10.984 2010.02.26 -
Kaspersky 7.0.0.125 2010.02.28 Rootkit.Win32.TDSS.u
McAfee 5905 2010.02.27 Patched-SYSFile
McAfee+Artemis 5905 2010.02.27 Patched-SYSFile
McAfee-GW-Edition 6.8.5 2010.02.28 Trojan.Patched.Gen
Microsoft 1.5502 2010.02.28 Virus:Win32/Alureon.A
NOD32 4902 2010.02.28 Win32/Olmarik.TM
Norman 6.04.08 2010.02.28 W32/TDSS.drv.gen4.A
nProtect 2009.1.8.0 2010.02.28 Trojan/W32.Rootkit.96512
Panda 10.0.2.2 2010.02.28 -
PCTools 7.0.3.5 2010.02.28 Backdoor.Tidserv
Rising 22.36.06.04 2010.02.28 -
Sophos 4.50.0 2010.02.28 Mal/TDSSRt-A
Sunbelt 5708 2010.02.28 Trojan.Win32.Olmarik.of!damaged (V)
TheHacker 6.5.1.7.214 2010.02.28 Trojan/TDSS.u
TrendMicro 9.120.0.1004 2010.02.28 TROJ_TDSS.SME
VBA32 3.12.12.2 2010.02.26 Rootkit.Win32.TDSL
ViRobot 2010.2.27.2206 2010.02.27 -
VirusBuster 5.0.27.0 2010.02.27 Rootkit.Alureon.Gen!Pac.7
Additional information
File size: 96512 bytes
MD5...: 7a447ae8867ba50c09abf43f4fde88c8
SHA1..: bb7f02437dc7873a15dbd96386c0b1d25d22c91e
SHA256: b28ea089f1ff9d0a685e0e4e4c97d695758d528abc55a7862c09c0a3c1733f67
ssdeep: 1536:cwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1Kb
DD0uC:cQ+N74vkEZIxMohjsimBoDTRMBwFktZ+
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x16780
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 5.28 2930c4a1d88e25668a909e7177534477
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, 
IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)



From ServicePack3

File atapi.sys received on 2010.02.28 15:40:00 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 1/41 (2.44%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 42 and 60 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.28 -
AhnLab-V3 5.0.0.2 2010.02.28 -
AntiVir 8.2.1.176 2010.02.26 -
Antiy-AVL 2.0.3.7 2010.02.26 -
Authentium 5.2.0.5 2010.02.27 -
Avast 4.8.1351.0 2010.02.28 -
Avast5 5.0.332.0 2010.02.28 -
AVG 9.0.0.730 2010.02.28 -
BitDefender 7.2 2010.02.28 -
CAT-QuickHeal 10.00 2010.02.27 -
ClamAV 0.96.0.0-git 2010.02.28 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.02.28 -
eSafe 7.0.17.0 2010.02.28 Win32.Rootkit
eTrust-Vet 35.2.7331 2010.02.26 -
F-Prot 4.5.1.85 2010.02.28 -
F-Secure 9.0.15370.0 2010.02.27 -
Fortinet 4.0.14.0 2010.02.28 -
GData 19 2010.02.28 -
Ikarus T3.1.1.80.0 2010.02.28 -
Jiangmin 13.0.900 2010.02.28 -
K7AntiVirus 7.10.984 2010.02.26 -
Kaspersky 7.0.0.125 2010.02.28 -
McAfee 5905 2010.02.27 -
McAfee+Artemis 5905 2010.02.27 -
McAfee-GW-Edition 6.8.5 2010.02.28 -
Microsoft 1.5502 2010.02.28 -
NOD32 4902 2010.02.28 -
Norman 6.04.08 2010.02.28 -
nProtect 2009.1.8.0 2010.02.28 -
PCTools 7.0.3.5 2010.02.28 -
Prevx 3.0 2010.02.28 -
Rising 22.36.06.04 2010.02.28 -
Sophos 4.50.0 2010.02.28 -
Sunbelt 5708 2010.02.28 -
Symantec 20091.2.0.41 2010.02.28 -
TheHacker 6.5.1.7.214 2010.02.28 -
TrendMicro 9.120.0.1004 2010.02.28 -
VBA32 3.12.12.2 2010.02.26 -
ViRobot 2010.2.27.2206 2010.02.27 -
VirusBuster 5.0.27.0 2010.02.28 -
Additional information
File size: 96512 bytes
MD5...: 9f3a2f5aa6875c72bf062c712cfa2674
SHA1..: a719156e8ad67456556a02c34e762944234e7a44
SHA256: b4df1d2c56a593c6b54de57395e3b51d288f547842893b32b0f59228a0cf70b9
ssdeep: 1536:MwXpkfV74F1D7yNEZIHRRJMohmus27G1j/XBoDQi7oaRMJfYHFktprll1Kb
DD0uu:MQ+N74vkEZIxMohjsimBoDTRMBwFktZu
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x159f7
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45

( 3 imports )
> ntoskrnl.exe: RtlInitUnicodeString, swprintf, KeSetEvent, IoCreateSymbolicLink, IoGetConfigurationInformation, IoDeleteSymbolicLink, MmFreeMappingAddress, IoFreeErrorLogEntry, IoDisconnectInterrupt, MmUnmapIoSpace, ObReferenceObjectByPointer, IofCompleteRequest, RtlCompareUnicodeString, IofCallDriver, MmAllocateMappingAddress, IoAllocateErrorLogEntry, IoConnectInterrupt, IoDetachDevice, KeWaitForSingleObject, KeInitializeEvent, KeCancelTimer, RtlAnsiStringToUnicodeString, RtlInitAnsiString, IoBuildDeviceIoControlRequest, IoQueueWorkItem, MmMapIoSpace, IoInvalidateDeviceRelations, IoReportDetectedDevice, IoReportResourceForDetection, RtlxAnsiStringToUnicodeSize, NlsMbCodePageTag, PoRequestPowerIrp, KeInsertByKeyDeviceQueue, PoRegisterDeviceForIdleDetection, sprintf, MmMapLockedPagesSpecifyCache, ObfDereferenceObject, IoGetAttachedDeviceReference, IoInvalidateDeviceState, ZwClose, ObReferenceObjectByHandle, ZwCreateDirectoryObject, IoBuildSynchronousFsdRequest, PoStartNextPowerIrp, IoCreateDevice, RtlCopyUnicodeString, IoAllocateDriverObjectExtension, RtlQueryRegistryValues, ZwOpenKey, RtlFreeUnicodeString, IoStartTimer, KeInitializeTimer, IoInitializeTimer, KeInitializeDpc, KeInitializeSpinLock, IoInitializeIrp, ZwCreateKey, RtlAppendUnicodeStringToString, RtlIntegerToUnicodeString, ZwSetValueKey, KeInsertQueueDpc, KefAcquireSpinLockAtDpcLevel, IoStartPacket, KefReleaseSpinLockFromDpcLevel, IoBuildAsynchronousFsdRequest, IoFreeMdl, MmUnlockPages, IoWriteErrorLogEntry, KeRemoveByKeyDeviceQueue, MmMapLockedPagesWithReservedMapping, MmUnmapReservedMapping, KeSynchronizeExecution, IoStartNextPacket, KeBugCheckEx, KeRemoveDeviceQueue, KeSetTimer, _allmul, MmProbeAndLockPages, _except_handler3, PoSetPowerState, IoOpenDeviceRegistryKey, RtlWriteRegistryValue, RtlDeleteRegistryValue, _aulldiv, strstr, _strupr, KeQuerySystemTime, IoWMIRegistrationControl, KeTickCount, IoAttachDeviceToDeviceStack, IoDeleteDevice, ExAllocatePoolWithTag, IoAllocateWorkItem, IoAllocateIrp, 
IoAllocateMdl, MmBuildMdlForNonPagedPool, MmLockPagableDataSection, IoGetDriverObjectExtension, MmUnlockPagableImageSection, ExFreePoolWithTag, IoFreeIrp, IoFreeWorkItem, InitSafeBootMode, RtlCompareMemory, PoCallDriver, memmove, MmHighestUserAddress
> HAL.dll: KfAcquireSpinLock, READ_PORT_UCHAR, KeGetCurrentIrql, KfRaiseIrql, KfLowerIrql, HalGetInterruptVector, HalTranslateBusAddress, KeStallExecutionProcessor, KfReleaseSpinLock, READ_PORT_BUFFER_USHORT, READ_PORT_USHORT, WRITE_PORT_BUFFER_USHORT, WRITE_PORT_UCHAR
> WMILIB.SYS: WmiSystemControl, WmiCompleteRequest

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: IDE/ATAPI Port Driver
original name: atapi.sys
internal name: atapi.sys
file version.: 5.1.2600.5512 (xpsp.080413-2108)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
rjj76
Regular Member
 
Posts: 16
Joined: February 15th, 2010, 4:56 pm
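Put side by side, the two VirusTotal PEInfo dumps above differ in only two places: the entry point (0x16780 in the system32 copy, 0x159f7 in the ServicePackFiles copy) and the .rsrc section's hash and entropy. Everything else, including the compile timestamp and the hashes of every code section, is identical. The following is an added example, not part of the thread and not VirusTotal's code: it parses the posted PEInfo text, works out which section each entry point falls in, and reports the sections whose content changed. It shows the pattern a practitioner would look for when a known-good copy exists: in the clean driver the entry point lies in INIT, whereas in the suspect copy it points at the very start of .rsrc, a data section that should never be the first thing to execute.

```python
import re

# Constructed sample input: base data and section table from the two VirusTotal
# reports posted above (system32 copy first, ServicePackFiles copy second).
SUSPECT_PEINFO = """
entrypointaddress.: 0x16780
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 5.28 2930c4a1d88e25668a909e7177534477
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45
"""

CLEAN_PEINFO = """
entrypointaddress.: 0x159f7
timedatestamp.....: 0x4802539d (Sun Apr 13 18:40:29 2008)
machinetype.......: 0x14c (I386)
name viradd virsiz rawdsiz ntrpy md5
.text 0x380 0x97ba 0x9800 6.45 0d7d81391f33c6450a81be1e3ac8c7b7
NONPAGE 0x9b80 0x18e8 0x1900 6.48 c74a833abd81cc5d037de168e055ad29
.rdata 0xb480 0xa64 0xa80 4.31 8523651899e28819a14bf9415af25708
.data 0xbf00 0xd94 0xe00 0.45 3575b51634ae7a56f55f1ee0a6213834
PAGESCAN 0xcd00 0x157f 0x1580 6.20 dc4c309c4db9576daa752fdd125fccf9
PAGE 0xe280 0x61da 0x6200 6.46 40b83d4d552384e58a03517a98eb4863
INIT 0x14480 0x22be 0x2300 6.47 906462abc478368424ea462d5868d2e3
.rsrc 0x16780 0x3e0 0x400 3.36 8fd2d82e745b289c28bc056d3a0d62ab
.reloc 0x16b80 0xd20 0xd80 6.39 ce2b0898cc0e40b618e5df9099f6be45
"""

# Section row: name, virtual address, virtual size, raw size, entropy, MD5.
SECTION_RE = re.compile(
    r"^(?P<name>\S+)\s+0x(?P<va>[0-9a-f]+)\s+0x(?P<vsize>[0-9a-f]+)\s+"
    r"0x(?P<rawsize>[0-9a-f]+)\s+(?P<entropy>\d+\.\d+)\s+(?P<md5>[0-9a-f]{32})$",
    re.IGNORECASE)
ENTRY_RE = re.compile(r"^entrypointaddress\.*:\s*0x([0-9a-f]+)", re.IGNORECASE)


def parse_peinfo(text):
    """Extract the entry-point RVA and the section table from a PEInfo dump."""
    entry, sections = None, []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entry = int(m.group(1), 16)
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append({"name": m["name"], "va": int(m["va"], 16),
                             "vsize": int(m["vsize"], 16),
                             "rawsize": int(m["rawsize"], 16),
                             "entropy": float(m["entropy"]),
                             "md5": m["md5"].lower()})
    return {"entry": entry, "sections": sections}


def section_containing(rva, sections):
    """Name of the section whose address range covers rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def diff_peinfo(suspect, clean):
    """List human-readable differences between a suspect and a known-good image."""
    findings = []
    if suspect["entry"] != clean["entry"]:
        findings.append("entry point moved from 0x%x (%s) to 0x%x (%s)" % (
            clean["entry"], section_containing(clean["entry"], clean["sections"]),
            suspect["entry"], section_containing(suspect["entry"], suspect["sections"])))
    clean_by_name = {s["name"]: s for s in clean["sections"]}
    for s in suspect["sections"]:
        c = clean_by_name.get(s["name"])
        if c is None:
            findings.append("section %s is not present in the clean copy" % s["name"])
        elif s["md5"] != c["md5"]:
            findings.append("section %s content changed (entropy %.2f -> %.2f)"
                            % (s["name"], c["entropy"], s["entropy"]))
    return findings


if __name__ == "__main__":
    for finding in diff_peinfo(parse_peinfo(SUSPECT_PEINFO), parse_peinfo(CLEAN_PEINFO)):
        print(finding)
```

The same-timestamp, same-code-sections, moved-entry-point combination is why a plain version check does not catch this: the suspect's sigcheck block above shows the version resource stripped to "n/a" everywhere, consistent with .rsrc having been overwritten, while every code section still hashes identically to the genuine driver.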

Re: Search Redirect Malware

Unread postby rjj76 » February 28th, 2010, 11:47 am

That wasn't very pretty to read - here's Jotti

system32/atapi.sys

(it's ugly)

[ArcaVir]
2010-02-23 Found nothing
[F-Secure Anti-Virus]
2010-02-27 Rootkit.Win32.TDSS.u
[A-Squared]
2010-02-23 Rootkit.Win32.TDSS!IK
[G DATA]
2010-02-23 Rootkit.Patched.TDSS.Gen
[Avast! antivirus]
2010-02-23 Found nothing
[Ikarus]
2010-02-23 Rootkit.Win32.TDSS
[Grisoft AVG Anti-Virus]
2010-02-28 Rootkit-Pakes.U
[Kaspersky Anti-Virus]
2010-02-23 Rootkit.Win32.TDSS.u
[Avira AntiVir]
2010-02-23 TR/Patched.Gen
[ESET NOD32]
2010-02-23 Win32/Olmarik.TM Patched
[Softwin BitDefender]
2010-02-23 Rootkit.Patched.TDSS.Gen
[Panda Antivirus]
2010-02-22 Found nothing
[ClamAV]
2010-02-28 Found nothing
[Quick Heal]
2010-02-23 Found nothing
[CPsecure]
2010-02-23 Found nothing
[Sophos]
2010-02-28 Mal/TDSSRt-A
[Dr.Web]
2010-02-28 BackDoor.Tdss.565
[VirusBlokAda VBA32]
2010-02-22 Rootkit.Win32.TDSL
[Frisk F-Prot Antivirus]
2010-02-22 Found nothing
[VirusBuster]
2010-02-22 Rootkit.Alureon.Gen!Pac.7


For ServicePack3 -

Jotti says it's clean - VirusTotal had said there was one (included in previous post)
rjj76
Regular Member
 
Posts: 16
Joined: February 15th, 2010, 4:56 pm

Re: Search Redirect Malware

Unread postby muppy03 » February 28th, 2010, 4:49 pm

Not having any problems with the redirect

Any other issues?

Please delete the version of Combofix that you have and re-download the latest from one of the links I supplied earlier.

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with:-
  • Combofix log
  • New HJT log
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Search Redirect Malware

Unread postby rjj76 » March 2nd, 2010, 11:40 am

I'll be able to run it in about 10 hours. Thanks.
rjj76
Regular Member
 
Posts: 16
Joined: February 15th, 2010, 4:56 pm

Re: Search Redirect Malware

Unread postby muppy03 » March 2nd, 2010, 6:11 pm

okay doki :)
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Search Redirect Malware

Unread postby rjj76 » March 2nd, 2010, 10:25 pm

ComboFix:

ComboFix 10-03-02.02 - Robert Jericho 03/02/2010 18:09:46.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.497 [GMT -6:00]
Running from: c:\documents and settings\Robert Jericho\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert Jericho\Desktop\CFScript.txt
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-02-25 02:20 . 2010-02-25 02:20 31752 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-02-20 19:45 . 2010-02-20 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-02-20 19:44 . 2010-02-20 19:44 -------- d-----w- c:\documents and settings\Robert Jericho\Local Settings\Application Data\Citrix
2010-02-20 19:44 . 2010-02-20 19:44 61224 ----a-w- c:\documents and settings\Robert Jericho\GoToAssistDownloadHelper.exe
2010-02-20 19:22 . 2010-02-20 19:58 -------- d-----w- c:\program files\Elantech
2010-02-20 18:58 . 2010-02-20 18:58 -------- d-----w- c:\program files\Battery Meter
2010-02-20 17:06 . 2010-02-22 14:09 -------- d-----w- C:\rsit
2010-02-18 03:03 . 2010-02-18 03:03 -------- d-----w- c:\documents and settings\Robert Jericho\Local Settings\Application Data\GoogleToolBar
2010-02-17 02:32 . 2010-02-18 03:03 -------- d-----w- c:\documents and settings\Robert Jericho\Local Settings\Application Data\Opera
2010-02-17 02:31 . 2010-02-27 13:33 -------- d-----w- c:\program files\Opera 10.50 Beta
2010-02-16 00:01 . 2010-02-16 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-16 00:01 . 2010-02-16 00:01 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\Office Genuine Advantage
2010-02-15 20:53 . 2010-02-15 20:53 -------- d-----w- c:\program files\Trend Micro
2010-02-15 20:39 . 2009-12-16 22:05 43008 ----a-w- c:\documents and settings\Robert Jericho\Application Data\Mozilla\Firefox\Profiles\pnr3u3tv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-02-15 20:39 . 2009-12-16 22:05 340992 ----a-w- c:\documents and settings\Robert Jericho\Application Data\Mozilla\Firefox\Profiles\pnr3u3tv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-02-15 20:39 . 2009-12-16 22:05 347136 ----a-w- c:\documents and settings\Robert Jericho\Application Data\Mozilla\Firefox\Profiles\pnr3u3tv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-02-15 20:38 . 2009-12-16 22:05 1452032 ----a-w- c:\documents and settings\Robert Jericho\Application Data\Mozilla\Firefox\Profiles\pnr3u3tv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-02-15 20:38 . 2009-12-16 22:05 471040 ----a-w- c:\documents and settings\Robert Jericho\Application Data\Mozilla\Firefox\Profiles\pnr3u3tv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2010-02-15 19:56 . 2010-02-15 19:56 -------- d-----w- c:\documents and settings\Robert Jericho\Local Settings\Application Data\Mozilla
2010-02-15 19:22 . 2010-02-15 19:22 -------- d-----w- c:\program files\Enigma Software Group
2010-02-15 19:16 . 2010-02-15 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-02-13 15:59 . 2010-02-13 15:59 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\Canneverbe Limited
2010-02-13 15:59 . 2010-02-13 15:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-02-13 15:58 . 2009-11-12 19:48 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2010-02-13 15:58 . 2010-02-13 15:58 -------- d-----w- c:\program files\CDBurnerXP
2010-02-13 14:57 . 2010-02-13 14:57 -------- d-----w- c:\program files\Alwil Software
2010-02-13 14:57 . 2010-02-13 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-02-12 17:38 . 2010-02-12 17:38 52224 ----a-w- c:\documents and settings\Robert Jericho\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-12 17:38 . 2010-02-12 17:38 117760 ----a-w- c:\documents and settings\Robert Jericho\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 17:38 . 2010-02-12 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-12 17:37 . 2010-02-12 17:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 17:37 . 2010-02-12 17:37 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\SUPERAntiSpyware.com
2010-02-12 17:37 . 2010-02-12 17:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-12 14:31 . 2010-02-12 14:31 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\Malwarebytes
2010-02-12 14:31 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-12 14:31 . 2010-02-12 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-12 14:31 . 2010-02-12 14:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 14:31 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 02:48 . 2010-02-26 00:53 -------- d-----w- c:\documents and settings\Robert Jericho\Local Settings\Application Data\Temp
2010-02-11 00:33 . 2010-02-11 00:33 -------- d-----w- c:\windows\Sun
2010-02-05 16:39 . 2010-02-05 16:39 251376 ----a-w- c:\documents and settings\Robert Jericho\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-05 06:41 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-05 06:41 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-02-05 05:24 . 2010-02-12 15:02 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\AdobeUM
2010-02-05 02:40 . 2010-02-05 02:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-04 04:22 . 2010-02-04 04:22 -------- d-----w- c:\documents and settings\Robert Jericho\Local Settings\Application Data\Identities
2010-02-01 01:52 . 2010-02-01 01:52 -------- d-----w- c:\windows\system32\scripting
2010-02-01 01:52 . 2010-02-01 01:52 -------- d-----w- c:\windows\l2schemas
2010-02-01 01:52 . 2010-02-01 01:52 -------- d-----w- c:\windows\system32\en
2010-02-01 01:52 . 2010-02-01 01:52 -------- d-----w- c:\windows\system32\bits

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 00:02 . 2010-01-26 00:55 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\vlc
2010-02-26 02:32 . 2010-01-23 21:32 -------- d-----w- c:\program files\Java
2010-02-25 02:20 . 2010-02-25 02:20 96512 ----a-w- c:\windows\system32\drivers\tskCD.tmp
2010-02-20 19:44 . 2010-01-24 23:39 -------- d-----w- c:\program files\Citrix
2010-02-20 18:58 . 2010-01-23 20:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-12 23:47 . 2010-01-23 21:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-11 03:26 . 2010-01-24 23:17 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-08 04:30 . 2010-01-23 21:43 64368 ----a-w- c:\documents and settings\Robert Jericho\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-05 09:03 . 2010-01-24 16:22 -------- d-----w- c:\program files\Microsoft Works
2010-02-01 01:56 . 2010-01-23 06:17 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-01-26 00:53 . 2010-01-26 00:53 -------- d-----w- c:\program files\VideoLAN
2010-01-25 22:30 . 2010-01-25 22:30 -------- d-----w- c:\program files\MSXML 4.0
2010-01-25 09:09 . 2010-01-25 09:09 -------- d-----w- c:\program files\MSBuild
2010-01-25 09:09 . 2010-01-25 09:09 -------- d-----w- c:\program files\Reference Assemblies
2010-01-25 03:29 . 2010-01-24 18:01 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\Apple Computer
2010-01-24 23:59 . 2010-01-24 23:59 -------- d-----w- c:\program files\ShopSafe
2010-01-24 23:18 . 2010-01-24 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-01-24 23:18 . 2010-01-24 23:18 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-01-24 23:05 . 2010-01-24 23:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Mindjet
2010-01-24 23:05 . 2010-01-24 23:05 -------- d-----w- c:\program files\Mindjet
2010-01-24 23:04 . 2010-01-24 23:04 -------- d-----w- c:\program files\MSXML 6.0
2010-01-24 21:39 . 2010-01-23 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-01-24 21:02 . 2010-01-24 20:30 -------- d-----w- c:\program files\All in 1 Media Codecs Pack
2010-01-24 20:59 . 2010-01-23 07:04 86016 ----a-w- c:\windows\system32\PersistenceThread.exe
2010-01-24 20:51 . 2010-01-24 20:51 -------- d-----w- c:\program files\Codec Pack - All In 1
2010-01-24 20:50 . 2010-01-24 20:51 737280 ----a-w- c:\windows\iun6002.exe
2010-01-24 20:34 . 2010-01-24 20:34 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\Media Player Classic
2010-01-24 20:31 . 2010-01-24 20:31 -------- d-----w- c:\program files\Real Alternative
2010-01-24 20:31 . 2010-01-24 20:31 -------- d-----w- c:\program files\QuickTime Alternative
2010-01-24 19:31 . 2010-01-24 19:30 -------- d-----w- c:\program files\Duplicate Music Files Finder
2010-01-24 19:16 . 2010-01-24 19:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Vistanita
2010-01-24 18:00 . 2010-01-24 17:59 -------- d-----w- c:\program files\iTunes
2010-01-24 18:00 . 2010-01-24 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-24 17:59 . 2010-01-24 17:59 -------- d-----w- c:\program files\iPod
2010-01-24 17:59 . 2010-01-24 17:55 -------- d-----w- c:\program files\Common Files\Apple
2010-01-24 17:59 . 2010-01-24 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-24 17:59 . 2010-01-24 17:59 -------- d-----w- c:\program files\Bonjour
2010-01-24 17:58 . 2010-01-24 17:57 -------- d-----w- c:\program files\QuickTime
2010-01-24 17:57 . 2010-01-24 17:57 -------- d-----w- c:\program files\Apple Software Update
2010-01-24 17:55 . 2010-01-24 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-24 16:23 . 2010-01-24 16:23 -------- d-----w- c:\program files\Common Files\L&H
2010-01-24 16:23 . 2010-01-24 16:23 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-01-24 16:22 . 2010-01-24 16:22 -------- d-----w- c:\program files\Microsoft.NET
2010-01-24 15:51 . 2010-01-24 15:51 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\Sunbelt
2010-01-24 15:50 . 2010-01-24 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2010-01-24 15:49 . 2010-01-24 15:49 -------- d-----w- c:\program files\Sunbelt Software
2010-01-24 15:33 . 2010-01-24 15:33 1243680 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-01-23 22:25 . 2010-01-23 22:25 395744 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-01-23 22:25 . 2010-01-23 22:25 39264 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2010-01-23 22:24 . 2010-01-23 22:24 114048 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-01-23 22:24 . 2010-01-23 22:24 -------- d-----w- c:\program files\Common Files\Acronis
2010-01-23 22:24 . 2010-01-23 22:24 -------- d-----w- c:\program files\Acronis
2010-01-23 22:16 . 2010-01-23 22:16 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\Dell
2010-01-23 22:12 . 2010-01-23 22:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7322D736-AA5F-4DD0-8E33-EA48318CC276}
2010-01-23 22:12 . 2010-01-23 06:54 -------- d-----w- c:\program files\Dell
2010-01-23 22:08 . 2010-01-23 22:08 152576 ----a-w- c:\documents and settings\Robert Jericho\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-23 22:08 . 2010-01-23 21:42 79488 ----a-w- c:\documents and settings\Robert Jericho\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-23 22:02 . 2010-01-23 22:02 0 ----a-w- c:\windows\nsreg.dat
2010-01-23 21:59 . 2010-01-23 21:59 75 --sh--r- c:\windows\CT4CET.bin
2010-01-23 21:58 . 2010-01-23 21:58 -------- d-----w- c:\program files\Common Files\Reallusion
2010-01-23 21:58 . 2010-01-23 21:57 -------- d-----w- c:\program files\Dell Webcam
2010-01-23 21:58 . 2010-01-23 21:58 -------- d-----w- c:\program files\Creative
2010-01-23 21:57 . 2010-01-23 21:57 -------- d-----w- c:\program files\Creative Live! Cam
2010-01-23 21:51 . 2010-01-23 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Win764
2010-01-23 21:51 . 2010-01-23 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Vista32
2010-01-23 21:51 . 2010-01-23 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\XP32
2010-01-23 21:51 . 2010-01-23 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Win732
2010-01-23 21:51 . 2010-01-23 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Vista64
2010-01-23 21:51 . 2010-01-23 21:51 -------- d-----w- c:\program files\WSED
2010-01-23 21:48 . 2010-01-23 21:48 -------- d-----w- c:\program files\CapsLKNotify
2010-01-23 21:33 . 2010-01-23 21:33 -------- d-----w- c:\program files\Function Keys
2010-01-23 21:28 . 2010-01-23 21:28 69120 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\DellSupportCenter\_default\data\f9cd5860-4b46-43fa-aa04-46ba9e956204\7e7d3c88-958b-4607-85a7-8c1cc5188887.1\NOTEPAD.EXE
2010-01-23 21:28 . 2010-01-23 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-01-23 21:28 . 2010-01-23 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PCDr
2010-01-23 21:28 . 2010-01-23 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC-Doctor
2010-01-23 21:27 . 2010-01-23 21:27 -------- d-----w- c:\program files\Dell Support Center
2010-01-23 21:27 . 2010-01-23 21:27 -------- d-----w- c:\program files\Common Files\supportsoft
2010-01-23 20:44 . 2010-01-23 20:44 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-01-23 20:43 . 2010-01-23 20:23 -------- d-----w- c:\program files\Common Files\InstallShield
2010-01-23 20:41 . 2010-01-23 20:41 -------- d-----w- c:\program files\WIDCOMM
2010-01-23 20:25 . 2010-01-23 20:25 0 ----a-w- c:\windows\system32\drivers\SETBA.tmp
2010-01-23 20:23 . 2010-01-23 20:20 -------- d-----w- c:\program files\Realtek
2010-01-23 07:14 . 2010-01-23 07:14 -------- d-----w- c:\documents and settings\Robert Jericho\Application Data\InstallShield
2010-01-23 07:01 . 2010-01-23 07:01 -------- d-----w- c:\program files\Intel
2010-01-23 06:54 . 2010-01-23 06:54 45056 ----a-r- c:\documents and settings\Robert Jericho\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2010-01-23 06:54 . 2010-01-23 06:54 10134 ----a-r- c:\documents and settings\Robert Jericho\Application Data\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\ARPPRODUCTICON.exe
2010-01-23 06:19 . 2010-01-23 06:19 -------- d-----w- c:\program files\microsoft frontpage
2010-01-23 06:13 . 2010-01-23 06:13 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-05 10:00 . 2004-08-12 13:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-12 13:19 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-12 13:18 17408 ------w- c:\windows\system32\corpol.dll
2010-01-04 23:02 . 2010-01-04 23:02 27984 ----a-w- c:\windows\system32\sbbd.exe
2009-12-31 16:50 . 2004-08-12 13:30 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2010-01-23 06:12 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-12 13:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-12 13:25 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-12 13:22 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-12_23.35.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 06:02 . 2009-07-12 06:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-03-02 03:27 . 2010-03-02 03:27 16384 c:\windows\temp\Perflib_Perfdata_6d4.dat
+ 2010-01-23 21:26 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2010-01-23 21:26 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\drivers\mouclass.sys
- 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\drivers\mouclass.sys
+ 2004-08-03 22:58 . 2008-04-13 18:39 23040 c:\windows\system32\dllcache\mouclass.sys
+ 2004-08-12 13:19 . 2008-04-13 19:18 52480 c:\windows\system32\dllcache\i8042prt.sys
+ 2004-08-12 13:17 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2009-07-12 06:02 . 2009-07-12 06:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 06:05 . 2009-07-12 06:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2006-12-21 19:18 . 2006-12-21 19:18 497496 c:\windows\system32\XceedZip.dll
+ 2006-09-11 15:53 . 2006-09-11 15:53 276352 c:\windows\system32\XceedSco.dll
+ 2006-09-11 15:56 . 2006-09-11 15:56 526184 c:\windows\system32\XceedCry.dll
+ 2010-02-12 23:47 . 2010-02-12 23:47 153376 c:\windows\system32\javaws.exe
+ 2010-02-12 23:47 . 2010-02-12 23:47 145184 c:\windows\system32\javaw.exe
+ 2010-02-12 23:47 . 2010-02-12 23:47 145184 c:\windows\system32\java.exe
+ 2010-01-23 20:35 . 2009-03-30 21:32 129024 c:\windows\system32\drivers\ETD.sys
+ 2010-02-15 19:37 . 2010-02-15 19:37 262144 c:\windows\system32\config\systemprofile\NtUser.dat
+ 2010-02-13 19:53 . 2010-02-13 19:53 301568 c:\windows\Installer\45651bf.msi
+ 2010-02-13 14:57 . 2010-02-13 14:57 219648 c:\windows\Installer\3474885.msi
+ 2010-02-12 23:47 . 2010-02-12 23:47 570880 c:\windows\Installer\3170b.msi
- 2010-01-23 20:43 . 2010-01-23 20:43 192512 c:\windows\Installer\{543A4F31-9590-416A-A621-42CEB4C6A694}\ARPPRODUCTICON.exe
+ 2010-02-20 18:58 . 2010-02-20 18:58 192512 c:\windows\Installer\{543A4F31-9590-416A-A621-42CEB4C6A694}\ARPPRODUCTICON.exe
+ 2009-07-12 06:02 . 2009-07-12 06:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 06:02 . 2009-07-12 06:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2010-02-27 13:34 . 2010-02-27 13:34 2228736 c:\windows\Installer\20a0177.msi
+ 2010-02-20 18:58 . 2010-02-20 18:58 15831040 c:\windows\Installer\4717a4.msi
+ 2010-01-23 20:43 . 2010-02-20 18:56 16138752 c:\windows\Downloaded Installations\{FE84E1B1-4157-4A10-9799-13AE8F3B7D9F}\Battery Meter.msi
- 2010-01-23 20:43 . 2010-01-23 20:43 16138752 c:\windows\Downloaded Installations\{FE84E1B1-4157-4A10-9799-13AE8F3B7D9F}\Battery Meter.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Robert Jericho\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-11 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-03-30 418816]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-03-18 320808]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-17 87584]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-01-04 959824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-18 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-18 348160]
"PersistenceThread"="c:\windows\system32\PersistenceThread.exe" [2010-01-24 86016]
"MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-11-14 37656]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]

c:\documents and settings\Robert Jericho\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-10-19 1316192]
osd_vol.exe [2005-8-6 64512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-02-20 19:44 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igdlogin]
2009-03-18 13:01 65536 ----a-w- c:\windows\system32\igdlogin.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Robert Jericho\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Robert Jericho\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Opera 10.50 Beta\\opera.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [1/23/2010 3:52 PM 14248]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [1/24/2010 10:00 AM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 8:22 AM 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [1/24/2010 9:49 AM 202928]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [6/9/2009 8:11 AM 155648]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [1/24/2010 10:01 AM 69936]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [1/23/2010 3:57 PM 135936]
R3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [1/23/2010 2:35 PM 129024]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [1/23/2010 1:04 AM 5088896]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [1/24/2010 1:42 PM 110080]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [1/23/2010 3:45 PM 148056]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [1/23/2010 3:45 PM 133472]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [1/23/2010 3:45 PM 271328]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [1/23/2010 2:21 PM 157696]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [1/4/2010 5:02 PM 1012080]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-746137067-1801674531-1003Core.job
- c:\documents and settings\Robert Jericho\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-11 02:47]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1993962763-746137067-1801674531-1003UA.job
- c:\documents and settings\Robert Jericho\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-11 02:47]

2010-03-02 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Robert Jericho\Application Data\Mozilla\Firefox\Profiles\pnr3u3tv.default\
FF - component: c:\documents and settings\Robert Jericho\Application Data\Mozilla\Firefox\Profiles\pnr3u3tv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\documents and settings\Robert Jericho\Application Data\Mozilla\Firefox\Profiles\pnr3u3tv.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Robert Jericho\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Robert Jericho\Local Settings\Application Data\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\Opera 10.50 Beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\Opera 10.50 Beta\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 18:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
"ImagePath"="system32\drivers\tskCD.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'lsass.exe'(1064)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-03-02 18:18:28
ComboFix-quarantined-files.txt 2010-03-03 00:18
ComboFix2.txt 2010-02-24 02:38

Pre-Run: 62,706,814,976 bytes free
Post-Run: 62,788,444,160 bytes free

- - End Of File - - C32FAE5D206DD2E504B383959E6602A1


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:59 PM, on 3/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WSED\WSED.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\PersistenceThread.exe
C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Robert Jericho\Start Menu\Programs\Startup\osd_vol.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ShopSafe Browser Helper Object - {333F6B96-3992-4D58-A499-145A10FE48C3} - C:\Program Files\ShopSafe\BhoSSafe.dll
O2 - BHO: CmjBrowserHelperObject Object - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [CapsLKNotify] C:\Program Files\CapsLKNotify\CapsLKNotify.exe
O4 - HKLM\..\Run: [WSED] C:\Program Files\WSED\WSED.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PersistenceThread] C:\WINDOWS\system32\PersistenceThread.exe
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe
O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Robert Jericho\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Startup: osd_vol.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to Mindjet MindManager - {2F72393D-2472-4F82-B600-ED77F354B7FF} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O20 - Winlogon Notify: igdlogin - C:\WINDOWS\SYSTEM32\igdlogin.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9670 bytes
rjj76
Regular Member
 
Posts: 16
Joined: February 15th, 2010, 4:56 pm
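The O20 and O23 lines in the log above are the ones a helper reads first: O20 entries are Winlogon notification DLLs (loaded into winlogon.exe), and O23 entries are services, with "Unknown owner" meaning HijackThis could not read a company name from the binary. The script below is an added example, not part of the original thread or of HijackThis itself: it parses those two entry types and applies three triage heuristics (assumptions of this example, not HijackThis rules) so that a reviewer gets a short list of files to hash and check rather than the whole log. The sample lines are copied from the log posted above; a flag means "verify this file", never "delete it" (igdlogin.dll, for instance, is flagged only because of where it loads from).

```python
"""Parse HijackThis O20/O23 entries and flag the ones worth a second look.

Added example (not part of the original thread): the triage heuristics are
the editor's assumptions about what a helper checks first, not HijackThis
rules. A flag means "verify the file", never "delete it".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igdlogin - C:\WINDOWS\SYSTEM32\igdlogin.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Where legitimate binaries live on this single-drive 32-bit XP machine.
# Assumption for the example; widen it for 64-bit or multi-drive systems.
KNOWN_ROOTS = ("c:\\program files\\", "c:\\windows\\")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    kind: str                    # "O20" or "O23"
    name: str                    # display name
    path: str                    # binary path as printed by HijackThis
    owner: Optional[str] = None  # O23 only: company name, or "Unknown owner"
    short: Optional[str] = None  # O23 only: service short name, if shown


@dataclass
class Finding:
    entry: Entry
    reason: str


# The path group is anchored on a drive letter so that " - " inside the
# display name or the owner (e.g. "Citrix Online, a division of ...") is safe.
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# HijackThis appends the service short name in parentheses: "Name (short)".
_SHORT = re.compile(r"^(?P<name>.+?) \((?P<short>[^()]+)\)$")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an O20/O23 line, None for anything else (O9, O16...)."""
    line = line.strip()
    m = _O23.match(line)
    if m:
        name, short = m.group("name"), None
        s = _SHORT.match(name)
        if s:
            name, short = s.group("name"), s.group("short")
        return Entry("O23", name, m.group("path"), owner=m.group("owner"), short=short)
    m = _O20.match(line)
    if m:
        return Entry("O20", m.group("name"), m.group("path"))
    return None


def triage(log_text: str) -> List[Finding]:
    """Apply the three heuristics to every parsable line of a HijackThis log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        p = e.path.lower()
        if e.kind == "O23" and e.owner == "Unknown owner":
            findings.append(Finding(e, "no vendor name readable from the service binary; hash it and check VirusTotal"))
        if e.kind == "O20" and p.startswith(SYSTEM32):
            findings.append(Finding(e, "Winlogon notification DLL loaded from system32; verify hash and signature"))
        if not p.startswith(KNOWN_ROOTS):
            findings.append(Finding(e, "binary lives outside Program Files and Windows"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        label = f.entry.short or f.entry.name
        print(f"[{f.entry.kind}] {label}: {f.entry.path}\n    -> {f.reason}")
```

Run against the sample it prints three items to verify (NMSAccessU, wltrysvc, igdlogin) and stays silent on the entries with a recognised vendor under Program Files. Feed it a whole saved HijackThis log instead of SAMPLE_LOG to triage a real case; the "Unknown owner" rule in particular fires on plenty of legitimate vendor tools, which is exactly why the output is a verification list and not a fix list.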

Re: Search Redirect Malware

Unread postby muppy03 » March 3rd, 2010, 6:39 am

Any issues or problems remaining before we clean up?
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Search Redirect Malware

Unread postby rjj76 » March 3rd, 2010, 10:14 am

Everything seems to be running well.

Any other cleanup issues?

Thank you so much for your help - this problem was way over my head.
rjj76
Regular Member
 
Posts: 16
Joined: February 15th, 2010, 4:56 pm

Re: Search Redirect Malware

Unread postby muppy03 » March 3rd, 2010, 5:16 pm

Everything seems to be running well.

Excellent! :cheers:

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Make sure that all browser windows are closed.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    (If you use Firefox or the Opera browser, to keep saved passwords, click No at the prompt.)
    Click Exit on the Main menu to close the program.

ATF is a great tool for you to keep and use on a regular basis.

You can remove the WGA diagnostic tool, CKScanner, Hostexpert, Systemlook, Rootrepeal and TDSSkiller from your desktop.

Clean Up

Now we need to clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if used inappropriately.
Remove ComboFix
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run then copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall

OTC
Download OTC by Old Timer here and save it to your desktop.
Double click on OTC.exe. Click on CleanUp!.
You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
It will restart your computer automatically. If it doesn't, please restart your computer manually.

Here are some free programs I recommend that could help you improve your computer's security.

Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works.

Read some information here on how to prevent malware.


Please reply if you have any problems or questions :flower:
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Search Redirect Malware

Unread postby NonSuch » March 6th, 2010, 10:31 pm

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California