Redirector problem


Re: Redirector problem

Post by tahoeles » June 21st, 2010, 8:23 pm

Hi DFW. Since my last post I have tried to get GMER to work and give you the log you want. It keeps hanging my system. I have tried deleting the file and reloading it, removing all but one checkmark on the right hand side, and I still get the same results. System hang. I can run the program and it initially opens with a list of about 10 items. Following your instructions, I removed the check marks from IAT/EAT, show all, and any drive but C and hit scan. It starts off very fast and then slows down while running through items on the C drive. It keeps getting slower and slower and I let it run all night, last night, thinking maybe I was asking to "Save" before the scan had completed. In all cases the "Save" screen takes minutes to come up with the "waving flashlight" and no name in the file name line. At this point, I can do nothing. Any click I make gives me an hourglass which doesn't stop and I am locked up. I need to power down to restore my system.

Ideas?

Les
tahoeles
Regular Member
 
Posts: 24
Joined: June 11th, 2010, 3:28 am

Re: Redirector problem

Post by tahoeles » June 21st, 2010, 8:28 pm

Well, I feel stupid again. I didn't read your last post until just now. So, disregard my last post and I will try the new things you suggested.

Les
tahoeles
Regular Member
 
Posts: 24
Joined: June 11th, 2010, 3:28 am

Re: Redirector problem

Post by tahoeles » June 22nd, 2010, 3:14 am

Still having issues with GMER. Since my last post I have deleted Spybot, run DeFogger (it didn't ask me for a restart, but I did it anyway), deleted GMER from my desktop and downloaded it again from your link. When I run GMER, before I can click any boxes I get this (from the save button in GMER):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-21 23:50:19
Windows 5.1.2600 Service Pack 3
Running: 7bw6p4xd.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pgldipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85A1CCEC

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

I then click off the check boxes you want and click scan. I have done this scenario a number of times, and every time it starts to run fast and then either stops completely (at different locations) or slows to a crawl. The only way to get out of the program is to power down my machine.

When I download the GMER program from your link, the file name is always a different, seemingly random 8 place alphameric. Is this normal?

The bottom line is GMER hangs my machine.

Les
tahoeles
Regular Member
 
Posts: 24
Joined: June 11th, 2010, 3:28 am

Re: Redirector problem

Post by tahoeles » June 22nd, 2010, 3:17 am

DFW, is it of any value to you to know where I am being redirected? IF so, I will try to keep a more detailed log on when and from where I was clicking.
Let me know.

Thanks,

Les
tahoeles
Regular Member
 
Posts: 24
Joined: June 11th, 2010, 3:28 am

Re: Redirector problem

Post by DFW » June 22nd, 2010, 4:15 am

Hi tahoeles.

When I download the GMER program from your link, the file name is always a different, seemingly random 8 place alphameric. Is this normal?

This is perfectly normal and what is known as a randomiser download.



Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: If it is necessary to restore the registry, open the backup folder and start ERDNT.exe




Scan with TDSSKiller:
Please only run TDSSKiller once; if you have any problems, inform me straight away.

Please download TDSSKiller.zip and extract it to the Desktop.

From within the newly created tdsskiller folder move TDSSKiller.exe to the desktop and delete the tdsskiller folder.

Click on Start >> Run... >> copy in the following text, and press Enter:
"%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v
A Command Window will appear, follow the prompts.
There will be a log on your desktop when the scan is completed with the name report.

Copy and paste the contents of this log into your next reply.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Redirector problem

Post by tahoeles » June 22nd, 2010, 6:57 pm

DFW, things didn't exactly happen as I expected....I downloaded ERUNT and ran it - no problems. I downloaded TDSS, extracted and moved the application program to the desktop and deleted the new folder I had made.
I clicked on the application and it immediately started to run. Since I cannot copy the results, I will dictate what is said.

Info about TDSS

Scanning Services....

Scanning Drivers....
File "C:\Windows\system32\Drivers\rasacd.sys" infected by TDSS rootkit ... will be cured on next reboot

Completed

Results:
Registry objects infected / cured / cured on reboot: 0 / 0/ 0
File objects infected / cured / cured on reboot: 1 /0 /1

To finalize removal of infection and avoid loosing of data program will reboot your PC now.
Close all programs and press Y to restart or N to continue

What do you want me to do?
tahoeles
Regular Member
 
Posts: 24
Joined: June 11th, 2010, 3:28 am

Re: Redirector problem

Post by tahoeles » June 22nd, 2010, 7:19 pm

OK, I reread your last instruction and saw that you wanted me to start the program from the command line and not directly by clicking on the application. So I clicked N for no and the program terminated. I reran TDSS from the command line as you requested and here is the log: (I have not rebooted)

16:14:16:803 4084 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
16:14:16:803 4084 ================================================================================
16:14:16:803 4084 SystemInfo:

16:14:16:803 4084 OS Version: 5.1.2600 ServicePack: 3.0
16:14:16:803 4084 Product type: Workstation
16:14:16:803 4084 ComputerName: TOPGUN
16:14:16:803 4084 UserName: Compaq_Administrator
16:14:16:803 4084 Windows directory: C:\WINDOWS
16:14:16:803 4084 Processor architecture: Intel x86
16:14:16:803 4084 Number of processors: 1
16:14:16:803 4084 Page size: 0x1000
16:14:16:865 4084 Boot type: Normal boot
16:14:16:865 4084 ================================================================================
16:14:17:053 4084 Initialize success
16:14:17:053 4084
16:14:17:053 4084 Scanning Services ...
16:14:17:428 4084 Raw services enum returned 371 services
16:14:17:443 4084
16:14:17:443 4084 Scanning Drivers ...
16:14:24:709 4084
16:14:24:709 4084 Completed
16:14:24:709 4084
16:14:24:709 4084 Results:
16:14:24:709 4084 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:14:24:709 4084 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:14:24:709 4084
16:14:24:834 4084 KLMD(ARK) unloaded successfully
tahoeles
Regular Member
 
Posts: 24
Joined: June 11th, 2010, 3:28 am
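Added example, not part of this thread or of either tool: a small Python triage helper for the two log formats exchanged above, the TDSSKiller driver listing and results summary and the GMER Devices/Files sections. It pulls out the lines a helper looks at first: a registered driver whose image is not a .sys file, a pending cure-on-reboot, a file GMER reports as modified, and a hooked device object. The sample logs are constructed inline from the formats posted in this thread, and the regular expressions are assumptions about those formats, not the tools' documented grammar.

```python
import re

# Constructed sample logs, abridged to the formats posted in this thread
# (TDSSKiller 2.3.2.0 driver listing and a GMER 1.0.15 quick scan). The values
# are illustrative, not a record of any real scan.
TDSS_SAMPLE = """\
16:14:17:443 4084 Scanning Drivers ...
16:14:18:928 4084 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
16:14:22:928 4084 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\\WINDOWS\\system32\\drivers\\tsk1B.tmp
16:14:23:756 4084 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS
16:14:24:709 4084 Completed
16:14:24:709 4084 Results:
16:14:24:709 4084 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:14:24:709 4084 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

GMER_SAMPLE = """\
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-21 23:50:19
---- Devices - GMER 1.0.15 ----
AttachedDevice \\Driver\\Tcpip \\Device\\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device -> \\Driver\\atapi \\Device\\Harddisk0\\DR0 85A1CCEC
---- Files - GMER 1.0.15 ----
File C:\\WINDOWS\\system32\\drivers\\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

# Assumed line shapes: "HH:MM:SS:mmm PID Name (md5) path" for drivers, and the
# "... infected / cured / cured on reboot: a / b / c" summary lines.
TDSS_DRIVER = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$")
TDSS_RESULT = re.compile(
    r"(?P<kind>Registry|File) objects infected / cured / cured on reboot:\s*"
    r"(?P<infected>\d+)\s*/\s*(?P<cured>\d+)\s*/\s*(?P<on_reboot>\d+)")


def parse_tdss_drivers(text):
    """Return [(service name, md5, image path)] for every driver line in a TDSSKiller log."""
    return [(m["name"], m["md5"], m["path"])
            for m in (TDSS_DRIVER.match(line) for line in text.splitlines()) if m]


def parse_tdss_results(text):
    """Return {'Registry': (infected, cured, on_reboot), 'File': (...)} from the summary."""
    return {m["kind"]: (int(m["infected"]), int(m["cured"]), int(m["on_reboot"]))
            for m in TDSS_RESULT.finditer(text)}


def tdss_findings(text):
    """Triage a TDSSKiller log: odd driver images plus the reboot-pending flag."""
    findings = []
    for name, md5, path in parse_tdss_drivers(text):
        # A registered kernel driver whose image is not a .sys file is the
        # pattern in this thread: RasAcd pointing at a tsk*.tmp file after
        # TDSSKiller swapped out the infected rasacd.sys.
        if not path.lower().endswith(".sys"):
            findings.append(f"non-.sys driver image: {name} -> {path} ({md5})")
    for kind, (infected, cured, on_reboot) in parse_tdss_results(text).items():
        if on_reboot:
            findings.append(f"{on_reboot} {kind.lower()} object(s) cured on reboot: reboot required")
        elif infected and not cured:
            findings.append(f"{infected} {kind.lower()} object(s) infected and not cured")
    return findings


def gmer_findings(text):
    """Pull the lines from a GMER log that warrant a second look."""
    findings = []
    for line in text.splitlines():
        if line.startswith("Device -> "):
            # A hooked device object on the disk stack (\Driver\atapi ...) goes
            # together with the atapi.sys modification in the Files section.
            findings.append("hooked device object: " + line[len("Device -> "):])
        elif line.startswith("File ") and "suspicious modification" in line:
            findings.append("modified file: " + line[len("File "):].rsplit(" suspicious", 1)[0])
    return findings


if __name__ == "__main__":
    for item in tdss_findings(TDSS_SAMPLE) + gmer_findings(GMER_SAMPLE):
        print(item)
```

GMER's own caution above still applies: these are lines to review, not a verdict, and false positives are common.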

Re: Redirector problem

Post by DFW » June 23rd, 2010, 9:37 am

Hi tahoeles.

Reboot your system if you have not already done so.

We are going to need to run GMER and RSIT again to make sure the infection was removed by TDSSKiller.


Run RSIT

Please note there will be only one log this time.

  • RUN random's system information tool by double clicking on (RSIT) on your desktop
  • Click Continue at the disclaimer screen.
  • Once it has finished, one log will open.
  • Please post the contents into next reply




Double click the random .exe file. If asked to allow gmer.sys driver to load, please consent
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


In the right panel, you will see several boxes that have been checked. Uncheck the following ...

  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file.
Save it where you can easily find it, such as your desktop, and post it in reply.

Caution:
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.


When you have completed the above, please post back the following in the order asked for:

GMER Log
RSIT Log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Re: Redirector problem

Post by tahoeles » June 24th, 2010, 5:48 am

Hi DFW. The redirector seems to be gone! Awesome work! Thank you. I have been reading up on rootkits and I now understand why GMER randomizes its file name. It's sure nice to have guys like you around who understand all of the nasty stuff hackers try to do with people's systems. A donation will be coming your way.

Here are the logs you requested: (in two separate posts in case GMER fails again)

Logfile of random's system information tool 1.07 (written by random/random)
Run by Compaq_Administrator at 2010-06-24 02:38:35
Microsoft Windows XP Professional Service Pack 3
System drive C: has 98 GB (43%) free of 230 GB
Total RAM: 958 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:38:42 AM, on 6/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Billeo\billeo.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Compaq_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - c:\program files\billeo\billeo.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - c:\program files\billeo\billeo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.ede.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - c:\program files\billeo\billeo.dll (HKCU)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7326998125
O16 - DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} (AxWebInstaller Control) - http://rad.interwise.com/rad/applicatio ... taller.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: DefWatch - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)

--
End of file - 11374 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-2153165873-2257741584-3163000109-1008.job
C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-2153165873-2257741584-3163000109-1008.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{1BA3DE38-4B85-402C-A165-1AA178EB55F0}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-04-01 880368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2010-03-07 329312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{465E08E7-F005-4389-980F-1D8764B3486C}]
Billeo - c:\program files\billeo\billeo.dll [2010-06-19 3620688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll [2010-05-12 394608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL [2009-11-16 79224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-06-22 278192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}]
hpWebHelper Class - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll [2006-05-30 208896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-06-05 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar Helper - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll [2008-11-08 83800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-11 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - Billeo - c:\program files\billeo\billeo.dll [2010-06-19 3620688]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-04-01 880368]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - MSN Toolbar - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll [2008-11-08 83800]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll [2010-05-12 394608]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-06-22 278192]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"AlwaysReady Power Message APP"=C:\WINDOWS\ARPWRMSG.EXE [2005-08-02 77312]
"DMAScheduler"=c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe [2005-11-01 90112]
""= []
"PCDrProfiler"= []
"HPBootOp"=C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [2005-11-09 249856]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe []
"KBD"=C:\HP\KBD\KBD.EXE [2005-02-02 61440]
"PrinTray"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe [2001-10-12 36864]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2010-03-12 49208]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-04-03 36272]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2010-03-07 202256]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-17 421888]
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"1&1 EasyLogin"=C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe [2009-08-18 2200576]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"=1&1 EasyLogin HIDE []
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-05-23 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2010-03-17 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
C:\PROGRA~1\COMPAQ~1\5577497\Program\COMPAQ~1.EXE [2006-02-14 36903]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
billeo.lnk - C:\Program Files\Billeo\billeo.exe
Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.ede.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-08-13 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2003-03-03 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-06-19 702768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktopChanges"=
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Disabled:RealPlayer"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Disabled:Earthlink"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"="C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe"="C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Disabled:Compaq Connections"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\Program Files\HP Rhapsody\rhapsody.exe"="C:\Program Files\HP Rhapsody\rhapsody.exe:*:Disabled:Rhapsody"
"C:\Program Files\HP\HP Software Update\HPWUCli.exe"="C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Disabled:HP Software Update Client"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Disabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Disabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Disabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Media Player\wmplayer.exe"="C:\Program Files\Windows Media Player\wmplayer.exe:*:Disabled:Windows Media Player"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Disabled:DNA"
"C:\Documents and Settings\Compaq_Administrator\Application Data\mjusbsp\magicJack.exe"="C:\Documents and Settings\Compaq_Administrator\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe"="C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe:*:Enabled:Compaq Connections"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 3 months======

2010-06-23 16:55:59 ----D---- C:\Backup
2010-06-22 15:25:58 ----A---- C:\TDSSKiller.2.3.2.0_22.06.2010_15.25.58_log.txt
2010-06-22 15:07:12 ----D---- C:\WINDOWS\ERDNT
2010-06-22 15:06:24 ----D---- C:\Program Files\ERUNT
2010-06-14 15:42:17 ----D---- C:\rsit
2010-06-12 23:23:14 ----D---- C:\Documents and Settings\Compaq_Administrator\Application Data\Malwarebytes
2010-06-12 23:22:52 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-06-12 23:22:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-06-12 00:04:21 ----A---- C:\WINDOWS\system32\MRT.INI
2010-06-11 23:58:48 ----HDC---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-06-09 00:07:05 ----D---- C:\Movies
2010-06-05 02:53:37 ----HDC---- C:\WINDOWS\$NtUninstallKB981793$
2010-05-18 17:07:14 ----RA---- C:\WINDOWS\system32\GEARAspi.dll
2010-05-18 17:06:25 ----D---- C:\Program Files\Windows Sidebar
2010-05-18 17:06:25 ----D---- C:\Program Files\Norton Security Suite
2010-05-18 17:06:13 ----D---- C:\Program Files\NortonInstaller
2010-05-18 17:06:13 ----D---- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2010-05-18 15:44:52 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2010-05-18 03:26:36 ----D---- C:\Program Files\Common Files\Java
2010-05-18 03:25:42 ----D---- C:\Program Files\QuickTime
2010-05-18 03:14:53 ----D---- C:\Program Files\Common Files\AnswerWorks 4.0
2010-05-18 03:13:35 ----D---- C:\WINDOWS\system32\FxsTmp
2010-05-18 00:32:08 ----D---- C:\Program Files\Microsoft Security Essentials
2010-05-17 14:33:14 ----SHD---- C:\WINDOWS\CSC
2010-05-15 18:05:25 ----D---- C:\Program Files\QuickTime(2)
2010-05-15 17:51:30 ----D---- C:\Program Files\Common Files\Java(2)
2010-05-13 16:59:44 ----D---- C:\Config.Msi
2010-05-13 16:33:35 ----A---- C:\WINDOWS\ntbtlog.txt
2010-05-11 20:00:26 ----HDC---- C:\WINDOWS\$NtUninstallKB978542$
2010-04-14 14:04:32 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-14 14:04:04 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-14 14:01:24 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-14 14:00:48 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-14 13:59:29 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-14 13:58:39 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$

======List of files/folders modified in the last 3 months======

2010-06-24 02:06:52 ----SD---- C:\WINDOWS\Tasks
2010-06-24 00:11:12 ----SHD---- C:\System Volume Information
2010-06-24 00:10:56 ----D---- C:\WINDOWS\Temp
2010-06-24 00:10:55 ----D---- C:\WINDOWS\Registration
2010-06-24 00:10:41 ----AD---- C:\WINDOWS
2010-06-24 00:09:23 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-06-23 22:05:18 ----D---- C:\WINDOWS\Prefetch
2010-06-23 15:49:24 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2010-06-23 15:46:42 ----D---- C:\WINDOWS\system32\drivers
2010-06-23 01:58:10 ----SHD---- C:\WINDOWS\Installer
2010-06-22 15:26:08 ----D---- C:\WINDOWS\system32\CatRoot2
2010-06-22 15:06:24 ----D---- C:\Program Files
2010-06-22 00:05:11 ----D---- C:\WINDOWS\system32
2010-06-21 17:33:32 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-19 02:16:55 ----A---- C:\WINDOWS\ACTWIN2.INI
2010-06-19 01:55:06 ----D---- C:\Program Files\Billeo
2010-06-14 14:55:01 ----HDC---- C:\WINDOWS\$NtUninstallKB945553$
2010-06-14 03:56:15 ----HD---- C:\WINDOWS\inf
2010-06-12 00:52:27 ----D---- C:\WINDOWS\Microsoft.NET
2010-06-12 00:52:12 ----RSD---- C:\WINDOWS\assembly
2010-06-12 00:13:12 ----HD---- C:\WINDOWS\$hf_mig$
2010-06-12 00:10:09 ----D---- C:\Program Files\Internet Explorer
2010-06-12 00:06:23 ----RSHD---- C:\WINDOWS\system32\dllcache
2010-06-11 23:58:59 ----A---- C:\WINDOWS\imsins.BAK
2010-06-11 23:57:09 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-06-11 23:56:40 ----D---- C:\WINDOWS\WinSxS
2010-06-09 23:13:12 ----D---- C:\WINDOWS\system32\CatRoot
2010-06-09 22:31:39 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2010-06-05 02:59:53 ----D---- C:\Program Files\Microsoft Silverlight
2010-06-05 02:54:37 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-05-28 12:37:34 ----A---- C:\WINDOWS\system32\MRT.exe
2010-05-19 03:04:37 ----D---- C:\Program Files\Outlook Express
2010-05-19 02:58:00 ----D---- C:\Program Files\Windows Desktop Search
2010-05-18 17:11:14 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-05-18 17:07:03 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-05-18 17:06:56 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2010-05-18 04:43:17 ----D---- C:\WINDOWS\system32\config
2010-05-18 04:40:19 ----D---- C:\WINDOWS\system32\wbem
2010-05-18 04:08:52 ----D---- C:\Documents and Settings\Compaq_Administrator\Application Data\mjusbsp
2010-05-18 03:26:33 ----D---- C:\Program Files\Common Files
2010-05-18 03:18:16 ----D---- C:\Program Files\GemMaster
2010-05-18 03:17:38 ----D---- C:\Program Files\Microsoft Works
2010-05-18 03:13:36 ----D---- C:\WINDOWS\system32\inetsrv
2010-05-18 03:13:36 ----D---- C:\WINDOWS\addins
2010-05-18 00:00:14 ----SHD---- C:\RECYCLER
2010-05-17 13:56:26 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-05-17 13:56:25 ----D---- C:\Program Files\Microsoft Office
2010-05-17 13:54:02 ----D---- C:\Program Files\interwise
2010-05-12 04:17:01 ----D---- C:\Rancho ReDue
2010-05-10 23:54:17 ----D---- C:\WINDOWS\network diagnostic
2010-05-06 03:41:53 ----A---- C:\WINDOWS\system32\wininet.dll
2010-05-06 03:41:52 ----A---- C:\WINDOWS\system32\urlmon.dll
2010-05-06 03:41:52 ----A---- C:\WINDOWS\system32\occache.dll
2010-05-06 03:41:52 ----A---- C:\WINDOWS\system32\mstime.dll
2010-05-06 03:41:52 ----A---- C:\WINDOWS\system32\mshtml.dll
2010-05-06 03:41:51 ----N---- C:\WINDOWS\system32\jsproxy.dll
2010-05-06 03:41:51 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2010-05-06 03:41:51 ----A---- C:\WINDOWS\system32\msfeeds.dll
2010-05-06 03:41:50 ----A---- C:\WINDOWS\system32\iertutil.dll
2010-05-06 03:41:50 ----A---- C:\WINDOWS\system32\iepeers.dll
2010-05-06 03:41:49 ----A---- C:\WINDOWS\system32\ieframe.dll
2010-05-06 03:41:48 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2010-05-05 06:30:57 ----N---- C:\WINDOWS\system32\ie4uinit.exe
2010-04-21 06:28:50 ----N---- C:\WINDOWS\system32\tzchange.exe
2010-04-20 23:49:50 ----D---- C:\Documents and Settings\Compaq_Administrator\Application Data\HpUpdate
2010-04-14 13:59:05 ----D---- C:\WINDOWS\ie8updates
2010-04-06 04:52:46 ----A---- C:\WINDOWS\system32\WMVCore.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 BHDrvx86;BHDrvx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys []
R1 ccHP;Symantec Hash Provider; C:\WINDOWS\system32\drivers\N360\0402000.00C\ccHPx86.sys [2010-02-25 501888]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\WINDOWS\system32\drivers\N360\0402000.00C\SRTSPX.SYS [2010-04-21 43696]
R1 SymIRON;Symantec Iron Driver; C:\WINDOWS\system32\drivers\N360\0402000.00C\Ironx86.SYS [2010-04-28 116784]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\WINDOWS\System32\Drivers\N360\0402000.00C\SYMTDI.SYS [2010-05-05 361904]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2009-08-13 1163328]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-08-29 3644928]
R3 aracpi;aracpi; C:\WINDOWS\system32\DRIVERS\aracpi.sys [2005-08-02 22784]
R3 arhidfltr;MS Ar HID Filter Driver; C:\WINDOWS\system32\DRIVERS\arhidfltr.sys [2005-08-02 19200]
R3 arkbcfltr;Microsoft PS2 Keyboard Filter; C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys [2005-08-02 5376]
R3 armoucfltr;Microsoft PS2 Mouse Filter; C:\WINDOWS\system32\DRIVERS\armoucfltr.sys [2005-08-02 4992]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ARPolicy;ARPolicy; C:\WINDOWS\system32\DRIVERS\arpolicy.sys [2005-08-02 10112]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-13 1313792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100623.001\IDSxpx86.sys []
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100623.024\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100623.024\NAVEX15.SYS []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2009-03-25 130432]
R3 SRTSP;Symantec Real Time Storage Protection; C:\WINDOWS\System32\Drivers\N360\0402000.00C\SRTSP.SYS [2010-04-21 325680]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 USBZC0301;USB Web Camera; C:\WINDOWS\System32\Drivers\usbcam.sys [2002-04-24 111272]
S2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-09 11008]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [2009-03-27 14336]
R2 ARSVC;ARSVC; C:\WINDOWS\arservice.exe [2005-08-02 58880]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 Intel File Transfer;Intel File Transfer; C:\WINDOWS\system32\cba\xfr.exe [2003-01-10 36915]
R2 Intel PDS;Intel PDS; C:\WINDOWS\system32\cba\pds.exe [2003-01-10 32819]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-12-18 73728]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 N360;Norton Security Suite; C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe [2010-02-25 126392]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe []
S2 DefWatch;DefWatch; C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe []
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-11-02 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 183280]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-12-17 153376]
S2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]

-----------------EOF-----------------

Re: Redirector problem

Unread postby DFW » June 24th, 2010, 1:10 pm

Hi tahoeles.

Thank you for the RSIT log. Can you rerun GMER as asked in my last post and post the GMER log when you can?

Re: Redirector problem

Unread postby tahoeles » June 24th, 2010, 9:24 pm

Still problems with GMER. As requested, I downloaded a new copy of GMER and ran it. It seemed to run fine, but it takes hours to complete. I left it running and went to bed. Today I tried to save the results, but as usual for me, it hung my system. Only about one page of details. I will try again now and see if I can stop it and save the results.

Les

Re: Redirector problem

Unread postby tahoeles » June 25th, 2010, 5:41 am

Another frustrating day with GMER.... I downloaded a new copy of GMER, ran it, stopped it and tried to save. After a long wait, I got the save screen and was able to put gmer.txt in the open line and tried to save. The save page went blank with a constant hourglass. I was able to go to START, Shutdown, clicked on Restart and waited. The following items came up as not responding (I clicked End Now):
arpwrmsg
DMA Schedular Window
HPWU
realsched.exe
QTPlayer Tray Icon
Google ToolBarNo
billeo.exe (I use Billeo to store my passwords only)
ccSvcHst (I seem to see this not responding a lot)
HPSYSDRV
ctfmon.exe
explorer.exe
Hidden Fax Window

Then my system hung again, power down.

Next try. Powered up and exited out of 1and1, Billeo, and QuickTime in the system tray. Loaded a new copy of GMER, ran TFC, opened GMER (but didn't scan). Hit the Save button and waited. Pretty much the same as before, except I didn't have as many non-responding programs after I hit Restart:
DDE Server Window
Realsched
ccSvcHst
Got as far as "Saving your settings" and a window popped up with
"HP Boot Optimizer encountered a problem and needs to close...etc."
Next step - power down.

Something in my system and GMER don't like each other....

One good thing, I don't seem to be getting redirected any more.

Les

Re: Redirector problem

Unread postby DFW » June 25th, 2010, 7:50 am

Hi tahoeles.

Don't worry about running GMER. Run the tool below and post its log.

First, back up the Registry with ERUNT:

  • Start ERUNT either by double clicking on the desktop icon or from the Start menu.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT, which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK.


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic below
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Double click combofix.exe & follow the prompts.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    Click on Yes to continue scanning for malware.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper.
Once ComboFix has run, please run HijackThis and create a new log.

Post back in this order, please:

ComboFix log
HijackThis log

Re: Redirector problem

Unread postby tahoeles » June 26th, 2010, 5:23 am

Hi DFW, here is the ComboFix log; the HJT log is in the next post:

ComboFix 10-06-25.02 - Compaq_Administrator 06/26/2010 1:57.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.407 [GMT -7:00]
Running from: c:\documents and settings\Compaq_Administrator\Desktop\ComboFix.exe
AV: Norton Security Suite *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-22 22:06 . 2010-06-22 22:06 -------- d-----w- c:\program files\ERUNT
2010-06-19 08:30 . 2010-06-16 05:37 4236800 ----a-w- c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\hn62a5sz.default\extensions\{4be68a18-deba-49e0-9e09-ee7796f3b62a}\components\billeotoolbar.dll
2010-06-15 05:01 . 2010-06-15 05:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-15 05:01 . 2010-06-15 05:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-14 22:42 . 2010-06-24 09:50 -------- d-----w- C:\rsit
2010-06-13 06:23 . 2010-06-13 06:23 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2010-06-13 06:22 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-13 06:22 . 2010-06-13 06:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-13 06:22 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-13 06:22 . 2010-06-13 06:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 20:02 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-11 08:51 . 2010-06-11 08:51 388096 ----a-r- c:\documents and settings\Compaq_Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-09 07:07 . 2010-06-09 07:09 -------- d-----w- C:\Movies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 03:32 . 2010-02-01 08:41 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\mjusbsp
2010-06-26 01:51 . 2008-08-27 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-06-23 22:46 . 2004-08-09 21:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-06-23 00:57 . 2010-06-23 00:57 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb6C.tmp.exe
2010-06-22 07:05 . 2010-05-14 12:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-22 00:33 . 2006-06-09 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-19 08:55 . 2007-06-15 08:20 -------- d-----w- c:\program files\Billeo
2010-06-10 05:32 . 2010-05-18 10:25 -------- d-----w- c:\program files\QuickTime
2010-06-10 05:31 . 2008-01-02 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-05 09:59 . 2008-05-18 23:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-19 09:58 . 2009-01-07 08:45 -------- d-----w- c:\program files\Windows Desktop Search
2010-05-19 04:07 . 2010-05-19 04:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2010-05-19 04:06 . 2010-05-19 04:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2010-05-19 00:11 . 2006-02-14 20:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-19 00:06 . 2010-05-19 00:06 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-19 00:06 . 2010-05-19 00:06 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-19 00:06 . 2006-05-07 00:07 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-19 00:06 . 2006-05-07 00:07 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-19 00:06 . 2010-05-19 00:06 -------- d-----w- c:\program files\Norton Security Suite
2010-05-19 00:06 . 2010-05-19 00:06 -------- d-----w- c:\program files\Windows Sidebar
2010-05-19 00:06 . 2010-05-18 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-19 00:06 . 2010-05-19 00:06 -------- d-----w- c:\program files\NortonInstaller
2010-05-19 00:06 . 2010-05-19 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-05-19 00:02 . 2006-02-14 19:34 54488 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-18 10:26 . 2010-05-18 10:26 -------- d-----w- c:\program files\Common Files\Java
2010-05-18 10:26 . 2010-05-16 00:51 -------- d-----w- c:\program files\Common Files\Java(2)
2010-05-18 10:25 . 2010-05-16 01:05 -------- d-----w- c:\program files\QuickTime(2)
2010-05-18 10:18 . 2006-02-14 19:10 -------- d-----w- c:\program files\GemMaster
2010-05-18 10:17 . 2006-02-14 19:44 -------- d-----w- c:\program files\Microsoft Works
2010-05-18 10:14 . 2010-05-18 10:14 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2010-05-18 10:13 . 2010-05-18 07:32 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-05-17 20:54 . 2007-11-06 18:58 -------- d-----w- c:\program files\interwise
2010-05-06 10:41 . 2004-08-09 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2008-07-14 01:33 . 2008-07-14 01:33 1658337 ----a-w- c:\program files\F15 crash.flv
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe"="1&1 EasyLogin HIDE" [X]
"1&1 EasyLogin"="c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe" [2009-08-18 2200576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 68856]
"cdloader"="c:\documents and settings\Compaq_Administrator\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"DMAScheduler"="c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 90112]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-28 221184]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-07 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
billeo.lnk - c:\program files\Billeo\billeo.exe [2007-8-31 1446736]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.ede.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\Application Data\\mjusbsp\\magicJack.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0402000.00C\symds.sys [6/5/2010 1:37 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0402000.00C\symefa.sys [6/5/2010 1:37 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100619.001\BHDrvx86.sys [6/22/2010 4:38 PM 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0402000.00C\cchpx86.sys [6/5/2010 1:37 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0402000.00C\ironx86.sys [6/5/2010 1:37 AM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.2.0.12\ccsvchst.exe [6/5/2010 1:36 AM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/5/2010 1:33 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100625.001\IDSXpx86.sys [6/25/2010 8:09 PM 331640]
R3 USBZC0301;USB Web Camera;c:\windows\system32\drivers\usbcam.sys [4/24/2002 3:45 AM 111272]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2009 5:08 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-06-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 10:24]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-03 00:08]

2010-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-03 00:08]

2010-06-26 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2153165873-2257741584-3163000109-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-06-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2153165873-2257741584-3163000109-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-06-26 c:\windows\Tasks\User_Feed_Synchronization-{1BA3DE38-4B85-402C-A165-1AA178EB55F0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: bidsync.com\www
Trusted Zone: turbotax.com
DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} - hxxp://rad.interwise.com/rad/applicatio ... taller.cab
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\hn62a5sz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\hn62a5sz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\hn62a5sz.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-vptray - c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe
SafeBoot-klmdb.sys
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
AddRemove-LiveUpdate1.7 - c:\program files\\Symantec\LiveUpdate\LSETUP.EXE
AddRemove-LSI Soft Modem - c:\windows\agrsmdel



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-26 02:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.2.0.12\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2153165873-2257741584-3163000109-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2153165873-2257741584-3163000109-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,e8,d1,b0,19,ad,22,43,b7,6a,a0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,e8,d1,b0,19,ad,22,43,b7,6a,a0,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-26 02:09:18
ComboFix-quarantined-files.txt 2010-06-26 09:09

Pre-Run: 102,908,919,808 bytes free
Post-Run: 102,865,907,712 bytes free

- - End Of File - - 884A0D2D1030C09F203F9431AD9CD655

Re: Redirector problem

Unread postby tahoeles » June 26th, 2010, 5:28 am

And here is the HJT log. I hope you find something interesting!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:26:33 AM, on 6/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Billeo\billeo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Billeo - {465E08E7-F005-4389-980F-1D8764B3486C} - c:\program files\billeo\billeo.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Billeo - {6ADB0F93-1AA5-4BCF-9DF4-CEA689A3C111} - c:\program files\billeo\billeo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0983.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Compaq_Administrator\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-21-2153165873-2257741584-3163000109-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-2153165873-2257741584-3163000109-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - HKUS\S-1-5-21-2153165873-2257741584-3163000109-500\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10e.exe (User 'Administrator')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: billeo.lnk = C:\Program Files\Billeo\billeo.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.ede.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Billeo - {97ED3A9F-CD6F-473A-8FE1-7505C1B844C3} - c:\program files\billeo\billeo.dll (HKCU)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 7326998125
O16 - DPF: {7A162288-DE78-473C-A6BA-23FF17F768E9} (AxWebInstaller Control) - http://rad.interwise.com/rad/applicatio ... taller.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: DefWatch - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)

--
End of file - 11543 bytes
tahoeles
Regular Member
 
Posts: 24
Joined: June 11th, 2010, 3:28 am