TDS rootkit - Stopped Working!


  • This topic is locked This topic is locked

#1 tom96 (Member, 13 posts)

My computer has the browser redirect virus. A Dell Vostro 1400 running Vista Business. I have been following the instructions on the "How to Fix Google redirects.." page at Geeks to Go. Here is my progress to date:

1) ran OTL; the log is below
2) did not run ERUNT because the download site said it was not for VISTA.
3) ran OTM: logs are below
4) ran GooredFix: logs are below
5) TDSSKiller would not install. I tried several times and it always stopped at 80% - the error message is below.

Any advice on how to proceed would be greatly appreciated.
Thanks

Tom

-----BEGIN TDSSKiller Error Message:----------------------------------------------

TDSS rootkit removing tool has stopped working

Problem signature:
Problem Event Name: BEX
Application Name: TDSSKiller.exe
Application Version: 2.4.18.0
Application Timestamp: 4d621d9c
Fault Module Name: TDSSKiller.exe
Fault Module Version: 2.4.18.0
Fault Module Timestamp: 4d621d9c
Exception Offset: 00055e49
Exception Code: c0000409
Exception Data: 00000000
OS Version: 6.0.6000.2.0.0.256.6
Locale ID: 1033
Additional Information 1: ce8c
Additional Information 2: dc9a101f8fcc6675f457071cf59eed65
Additional Information 3: e300
Additional Information 4: 486a5f8bfc817dae7554e7633eb8d941

-----END of TDSSKiller error message---------------------------------------------------------


-----BEGIN OTM Log--------------------------------------------------------------------------
All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\____________Bredirect Geeks to go\cmd.bat deleted successfully.
C:\____________Bredirect Geeks to go\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: __
->Temp folder emptied: 575634256 bytes
->Temporary Internet Files folder emptied: 19271820 bytes
->Java cache emptied: 7116463 bytes
->FireFox cache emptied: 54629078 bytes
->Flash cache emptied: 409481 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4215988 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 115756288 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 11870 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 741.00 mb

Error creating restore point.

OTM by OldTimer - Version 3.1.17.2 log created on 02262011_080801

Files moved on Reboot...
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LLWT234Y\5338464b5255316d2f646341424a3767[2].htm moved successfully.
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LLWT234Y\default[1].htm not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LLWT234Y\login[1].htm not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LLWT234Y\prototype[1].js not found!
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J1ND1VPZ\latestnews4[1].htm moved successfully.
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J1ND1VPZ\tvshows[1].htm not found!
File C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HF4QMJCG\1478890373[1] not found!

Registry entries deleted on Reboot...

-----END OTM Log file---------------------------------------------------------------------------------------


-----BEGIN Goored Log File----------------------------------------------------------------------------------
GooredFix by jpshortstuff (03.07.10.1)
Log created at 10:19 on 26/02/2011 (__)
Firefox version 3.6.12 (en-US)

========== GooredScan ==========

(none)

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [12:42 01/11/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [15:54 02/10/2010]

C:\Users\__\Application Data\Mozilla\Firefox\Profiles\yfgeg5n5.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(none)

-=E.O.F=-

------END GooredFix log file-----------------------------------------------------------------------



-----Begin OTL Log--------------------------------------------------------------------------------
OTL logfile created on: 2/25/2011 9:29:03 PM - Run 1
OTL by OldTimer - Version 3.2.22.0 Folder = C:\____________Bredirect Geeks to go
Windows Vista Business Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16764)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 107.21 Gb Total Space | 7.11 Gb Free Space | 6.63% Space Free | Partition Type: NTFS
Drive D: | 2.00 Gb Total Space | 1.40 Gb Free Space | 70.09% Space Free | Partition Type: NTFS

Computer Name: __LAPTOP | User Name: __ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/25 21:22:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\____________Bredirect Geeks to go\OTL.exe
PRC - [2010/10/27 01:10:00 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/10/29 01:20:29 | 002,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/05/28 10:37:33 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2007/10/09 12:55:58 | 000,665,600 | ---- | M] (SSC Localization Group) -- C:\Program Files\Epson-SSC Service Utility\ssc_serv.exe
PRC - [2007/08/21 10:33:14 | 000,554,616 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2007/08/21 10:32:40 | 000,108,648 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2007/08/21 10:31:44 | 000,047,712 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
PRC - [2007/06/27 05:17:02 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/06/27 05:17:00 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/05/25 12:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) -- C:\Program Files\Dell Network Assistant\hnm_svc.exe
PRC - [2007/05/11 01:57:30 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2007/05/11 01:57:26 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2007/05/11 01:57:24 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2007/05/11 01:57:24 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2007/04/16 17:10:26 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2006/11/03 18:55:50 | 000,703,280 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2006/11/03 18:55:48 | 001,583,920 | ---- | M] (Broadcom Corporation.) -- c:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2006/11/02 04:45:59 | 000,116,736 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE


========== Modules (SafeList) ==========

MOD - [2011/02/25 21:22:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\____________Bredirect Geeks to go\OTL.exe
MOD - [2006/11/02 04:38:57 | 001,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll
MOD - [2004/08/25 18:23:14 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Script Control\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009/02/26 14:11:41 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/28 10:37:33 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/01/16 11:00:28 | 000,069,632 | ---- | M] (Macromedia) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe -- (Macromedia Licensing Service)
SRV - [2008/01/09 13:47:34 | 000,265,912 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/09 06:20:05 | 001,174,664 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -- (Symantec Core LC)
SRV - [2007/08/21 10:33:14 | 002,918,008 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)
SRV - [2007/08/21 10:33:14 | 000,554,616 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2007/08/21 10:32:40 | 000,108,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
SRV - [2007/08/21 10:32:40 | 000,108,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2007/08/21 10:32:40 | 000,108,648 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2007/08/21 10:31:44 | 000,047,712 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe -- (SymAppCore)
SRV - [2007/08/21 10:30:40 | 000,049,248 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe -- (comHost)
SRV - [2007/08/21 10:29:56 | 000,080,504 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Norton Internet Security\isPwdSvc.exe -- (ISPwdSvc)
SRV - [2007/06/27 05:17:00 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/05/25 12:38:46 | 000,112,176 | ---- | M] (SingleClick Systems) [Auto | Running] -- C:\Program Files\Dell Network Assistant\hnm_svc.exe -- (hnmsvc)


========== Driver Services (SafeList) ==========

DRV - [2008/07/07 11:23:56 | 000,020,480 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NwUsbCdFil.sys -- (NWUSBCDFIL)
DRV - [2008/06/02 15:28:50 | 000,222,720 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2008/05/09 10:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser2.sys -- (NWUSBPort2)
DRV - [2008/05/09 10:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbser.sys -- (NWUSBPort)
DRV - [2008/05/09 10:08:40 | 000,174,336 | ---- | M] (Novatel Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nwusbmdm.sys -- (NWUSBModem)
DRV - [2008/03/27 07:14:08 | 000,116,992 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mr97310c.sys -- (mr97310c)
DRV - [2008/01/09 06:21:26 | 000,115,000 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2007/11/25 02:00:00 | 000,865,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20071125.006\NAVEX15.SYS -- (NAVEX15)
DRV - [2007/11/25 02:00:00 | 000,395,312 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2007/11/25 02:00:00 | 000,081,232 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20071125.006\NAVENG.SYS -- (NAVENG)
DRV - [2007/08/21 10:34:30 | 000,191,544 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2007/08/21 10:34:28 | 000,027,576 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2007/08/21 10:34:14 | 000,276,792 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2007/08/21 10:34:14 | 000,025,400 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2007/08/21 10:34:12 | 000,247,608 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2007/08/21 10:34:00 | 000,417,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2007/08/21 10:29:48 | 000,212,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\SymcData\idsdefs\20070108.003\IDSvix86.sys -- (IDSvix86)
DRV - [2007/06/27 05:17:04 | 000,326,656 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/05/11 01:57:22 | 000,157,184 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/04/29 01:34:36 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/04/29 01:34:34 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/04/29 01:34:34 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/04/29 00:24:30 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/12/18 20:01:20 | 000,012,672 | ---- | M] (SingleClick Systems) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\packet.sys -- (Packet)
DRV - [2006/11/16 13:36:28 | 000,020,480 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DNISP50.sys -- (DNISp50)
DRV - [2006/11/16 13:36:18 | 000,021,504 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\DNIMP50.sys -- (DNIMp50)
DRV - [2006/11/02 02:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 02:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/01 07:42:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/01 07:42:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.6\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/11/01 07:56:49 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.6\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/11/01 07:56:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\__\AppData\Roaming\Mozilla\Extensions
[2010/11/01 07:56:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\__\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2008/01/16 11:09:37 | 000,000,000 | ---D | M] (No name found) -- C:\Users\__\AppData\Roaming\Mozilla\Firefox\Profiles\yfgeg5n5.default\extensions
[2011/02/25 08:49:24 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/02 10:54:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/02 10:54:08 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/02/25 10:49:55 | 000,000,734 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBHO.dll (Symantec Corporation)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (Show Norton Toolbar) - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SSC Service Utility] C:\Program Files\Epson-SSC Service Utility\ssc_serv.exe (SSC Localization Group)
O4 - HKCU..\Run: [EPSON Stylus Photo R2400 (Copy 1)] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATI9SA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Users\__\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentProgForNewUserInStartMenu = 1
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} Reg Error: Value error. (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.aka...vex-2.2.1.6.cab (DownloadManager Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\dellwall1.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\dellwall1.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{4e6ed4a6-724b-11de-a391-001c26f3b730}\Shell - "" = AutoRun
O33 - MountPoints2\{4e6ed4a6-724b-11de-a391-001c26f3b730}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\{79debd9a-a6ec-11df-8900-8cca535beeb0}\Shell - "" = AutoRun
O33 - MountPoints2\{79debd9a-a6ec-11df-8900-8cca535beeb0}\Shell\AutoRun\command - "" = "G:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{7a460ede-068a-11df-badd-001c26f3b730}\Shell - "" = AutoRun
O33 - MountPoints2\{7a460ede-068a-11df-badd-001c26f3b730}\Shell\AutoRun\command - "" = "F:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{8543c142-9025-11de-9178-001c26f3b730}\Shell - "" = AutoRun
O33 - MountPoints2\{8543c142-9025-11de-9178-001c26f3b730}\Shell\AutoRun\command - "" = F:\LapNetWizard.exe
O33 - MountPoints2\{a9e36b46-706d-11de-8c4d-001c26f3b730}\Shell - "" = AutoRun
O33 - MountPoints2\{a9e36b46-706d-11de-8c4d-001c26f3b730}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect
O33 - MountPoints2\{dd62fda1-7198-11de-abcc-001c26f3b730}\Shell - "" = AutoRun
O33 - MountPoints2\{dd62fda1-7198-11de-abcc-001c26f3b730}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\Windows\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/25 21:21:57 | 000,000,000 | ---D | C] -- C:\____________Bredirect Geeks to go
[2011/02/13 10:21:44 | 000,000,000 | ---D | C] -- C:\________________________________zillow
[2011/01/31 11:53:35 | 000,000,000 | ---D | C] -- C:\LIH Guide 2011

========== Files - Modified Within 30 Days ==========

[2011/02/25 21:31:01 | 011,350,468 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/02/25 21:31:01 | 003,983,608 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/02/25 21:27:06 | 000,000,114 | ---- | M] () -- C:\Users\__\Desktop\geeksToGo.url
[2011/02/25 21:24:37 | 000,000,458 | ---- | M] () -- C:\Windows\tasks\SDMsgUpdate (TE).job
[2011/02/25 21:23:53 | 000,003,456 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/25 21:23:53 | 000,003,456 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/25 21:23:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/02/25 21:23:32 | 3747,807,232 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/25 21:23:31 | 260,009,053 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/02/25 19:00:12 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/02/25 08:23:41 | 000,000,205 | ---- | M] () -- C:\Users\__\Application Data\Microsoft\Internet Explorer\Quick Launch\New Internet Shortcut.url
[2011/02/15 16:13:37 | 000,000,123 | ---- | M] () -- C:\Users\__\Application Data\Microsoft\Internet Explorer\Quick Launch\HHS.com.url
[2011/02/15 15:39:38 | 000,000,123 | ---- | M] () -- C:\Users\__\Desktop\HHS.com.url
[2011/02/14 14:16:18 | 000,000,111 | ---- | M] () -- C:\Users\__\Desktop\Zillow qw12 accabonac.url
[2011/02/12 09:02:38 | 000,000,119 | ---- | M] () -- C:\Users\__\Desktop\New Internet Shortcut.url

========== Files Created - No Company Name ==========

[2011/02/25 21:26:22 | 000,000,114 | ---- | C] () -- C:\Users\__\Desktop\geeksToGo.url
[2011/02/15 16:13:37 | 000,000,123 | ---- | C] () -- C:\Users\__\Application Data\Microsoft\Internet Explorer\Quick Launch\HHS.com.url
[2011/02/15 15:39:17 | 000,000,123 | ---- | C] () -- C:\Users\__\Desktop\HHS.com.url
[2011/02/14 14:15:40 | 000,000,111 | ---- | C] () -- C:\Users\__\Desktop\Zillow qw12 accabonac.url
[2011/02/12 09:02:43 | 000,000,205 | ---- | C] () -- C:\Users\__\Application Data\Microsoft\Internet Explorer\Quick Launch\New Internet Shortcut.url
[2011/02/12 09:02:22 | 000,000,119 | ---- | C] () -- C:\Users\__\Desktop\New Internet Shortcut.url
[2010/12/04 08:42:42 | 000,020,000 | -H-- | C] () -- C:\ProgramData\T09F8
[2009/09/28 09:16:10 | 000,000,236 | ---- | C] () -- C:\Users\__\AppData\Roaming\wklnhst.dat
[2009/09/02 08:10:10 | 000,000,037 | ---- | C] () -- C:\Windows\marscam.ini
[2008/10/25 06:56:06 | 000,024,206 | ---- | C] () -- C:\Users\__\AppData\Roaming\UserTile.png
[2008/10/07 10:40:24 | 000,000,195 | ---- | C] () -- C:\Windows\cdplayer.ini
[2008/05/16 10:58:04 | 000,012,632 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2008/01/16 11:57:41 | 000,000,268 | R--- | C] () -- C:\ProgramData\Pipe Organ
[2008/01/16 11:57:41 | 000,000,268 | R--- | C] () -- C:\Users\__\AppData\Roaming\Piano Hard
[2008/01/16 11:57:41 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLdw.DAT
[2008/01/16 11:57:41 | 000,000,012 | R--- | C] () -- C:\ProgramData\Pop Kit
[2008/01/16 11:29:48 | 000,042,483 | ---- | C] () -- C:\Windows\ICCCODES.DAT
[2008/01/16 11:29:48 | 000,039,095 | ---- | C] () -- C:\Windows\Iccsigs.dat
[2008/01/16 11:29:48 | 000,000,156 | ---- | C] () -- C:\Windows\KPCMS.INI
[2008/01/16 11:29:37 | 000,210,944 | ---- | C] () -- C:\Windows\System32\MSVCRT10.DLL
[2008/01/16 11:09:38 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2008/01/15 15:27:36 | 000,016,384 | ---- | C] () -- C:\Windows\System32\FileOps.exe
[2008/01/15 12:09:49 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/01/15 12:08:12 | 000,090,112 | ---- | C] () -- C:\Users\__\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/01/15 10:52:41 | 000,006,324 | ---- | C] () -- C:\Users\__\AppData\Local\d3d9caps.dat
[2008/01/09 13:56:34 | 000,910,304 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008/01/09 13:56:34 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2008/01/09 13:56:34 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1272.dll
[2008/01/09 13:56:27 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/01/09 13:45:53 | 000,013,576 | ---- | C] () -- C:\Windows\System32\syscorecfg256.dll
[2008/01/09 06:24:25 | 000,000,859 | ---- | C] () -- C:\Windows\{0240BDFB-2995-4A3F-8C96-18D41282B716}_WiseFW.ini
[2008/01/09 06:12:07 | 000,065,536 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2008/01/09 06:12:07 | 000,024,064 | ---- | C] () -- C:\Windows\System32\WLTRYSVC.EXE
[2008/01/09 06:03:27 | 000,000,012 | ---- | C] () -- C:\Windows\bthservsdp.dat
[2006/11/09 23:45:20 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/03 18:25:56 | 000,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 07:56:48 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:43 | 001,492,512 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:36:36 | 000,063,488 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2006/11/02 05:33:01 | 011,336,876 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 003,978,614 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/02 02:22:43 | 000,099,999 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2006/11/02 02:22:43 | 000,018,271 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2002/06/02 14:05:00 | 000,038,912 | ---- | C] () -- C:\Windows\System32\XD_Strt.dll
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
[2001/10/12 10:58:20 | 000,028,672 | ---- | C] () -- C:\Windows\System32\mr310exd.dll
[2001/10/12 10:57:18 | 000,036,864 | ---- | C] () -- C:\Windows\System32\mr310exv.dll
[2000/12/07 10:13:58 | 000,015,164 | ---- | C] () -- C:\Windows\mr310twc.ini
[1999/12/07 00:00:00 | 000,024,976 | ---- | C] () -- C:\Windows\twain_16.dll
[1999/01/22 21:46:58 | 000,065,536 | ---- | C] () -- C:\Windows\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/10/13 09:02:24 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\Axon2009
[2010/09/29 07:56:53 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2009/12/31 09:00:30 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\e-Campaign
[2008/09/08 08:57:17 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\GlobalSCAPE
[2009/02/14 15:50:22 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\Goodsol
[2010/12/04 08:50:53 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\Lasersoft Imaging
[2010/02/25 15:00:53 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\Nikon
[2008/07/13 17:50:32 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\NwDocx
[2008/10/25 06:56:06 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\PeerNetworking
[2009/07/18 16:59:06 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\SmartDraw
[2009/09/28 09:16:16 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\Template
[2010/11/01 07:56:49 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\Thunderbird
[2008/04/09 18:44:03 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\vusbsp
[2010/10/25 10:04:38 | 000,000,000 | ---D | M] -- C:\Users\__\AppData\Roaming\Western Digital
[2011/02/25 19:00:12 | 000,032,548 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/02/25 21:24:37 | 000,000,458 | ---- | M] () -- C:\Windows\Tasks\SDMsgUpdate (TE).job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:62E2D794

< End of report >

-----END of OTL Log-------------------------------------------------------------------------------

Edited by tom96, 26 February 2011 - 12:40 PM.

#2 RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
Hello tom96 and welcome to Geeks to Go! Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Any light blue colored text in my posts indicates a clickable link.
  • If you have any questions at all, please stop and ask before proceeding.
Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


If you have trouble running GMER:
  • Make sure that your security software is disabled
  • Uncheck the box next to "Files" this time also
  • If you still can't run it, try in the Safe Mode
Please include the following in your next post:
  • GMER log
  • The Extras.txt log from OTL


#3 tom96 (Topic Starter, Member, 13 posts)
Thank you for responding to my request for help.

I clicked on the link you provided for the GMER Rootkit Scanner, but it seems odd. I'd like to confirm the file name that I will be downloading and running. When I clicked on the link, two separate download windows opened, each with a different file name. In fact, every time I click on the link a different .exe file is ready to download. The link goes to the URL www2.gmer.net, not the www.gmer.net that is shown when I roll over the link. With the virus, I am suspicious of everything the computer does. Please confirm the file name and the URL I will be downloading from.

Thank you

Tom

Edited by tom96, 26 February 2011 - 01:41 PM.


#4 RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
That is expected behavior, Tom. It's going to download a randomly named .exe, so the malware has less of a chance of interfering with it.

#5 tom96 (Topic Starter, Member, 13 posts)
RPMcMurphy,
The GMER Rootkit Scanner results log is pasted below, as is the OTL Extras log file. The GMER.txt log file is also attached to this post and the OTL Extras.txt is attached to the next post in case they are easier to read with a text reader.
Tom



------BEGIN OTL Extras---------------------------------------------------------------------------
OTL Extras logfile created on: 2/25/2011 9:29:03 PM - Run 1
OTL by OldTimer - Version 3.2.22.0 Folder = C:\____________Bredirect Geeks to go
Windows Vista Business Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16764)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 70.00% Memory free
7.00 Gb Paging File | 6.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 107.21 Gb Total Space | 7.11 Gb Free Space | 6.63% Space Free | Partition Type: NTFS
Drive D: | 2.00 Gb Total Space | 1.40 Gb Free Space | 70.09% Space Free | Partition Type: NTFS

Computer Name: __LAPTOP | User Name: __ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\PROGRA~1\COFFEE~1\coffee.exe" "%1" (CoffeeCup Software)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [ACDBrowse] -- C:\Program Files\ACDSee32\ACDSee32.exe "%1" (ACD Systems, Ltd.)
Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Shred With Tracks Eraser Pro] -- C:\Program Files\Acesoft\Tracks Eraser Pro\fileshred.exe %1 (Acesoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"坫￾坕￾垪￾°曙" = Reg Error: Value error. -- File not found

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0AC631BB-B6BC-4D8D-B6EB-1E025713047D}" = lport=10426 | protocol=17 | dir=in | name=singleclick icc |
"{18700893-F022-46C0-A436-E5DF455E0270}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=file and printer sharing (spooler service - rpc-epmap) |
"{260B1B0D-CB95-44A6-B1B8-7A77DE94EF91}" = rport=445 | protocol=6 | dir=out | app=system |
"{40A1CE58-5A0B-4D65-82B8-6A2CBCE39ADC}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{44921124-A901-4DF8-ABBE-5E7AF6A3FAE9}" = rport=139 | protocol=6 | dir=out | app=system |
"{7CB002A2-3652-48D0-B44E-4437B9C52929}" = lport=139 | protocol=6 | dir=in | name=netbios file/printer sharing |
"{9A50C544-8698-4719-B0C4-E195E5DD5D50}" = lport=445 | protocol=6 | dir=in | app=system |
"{9C0DD2B6-021A-4DB8-9C81-2E015A4FDBAF}" = rport=138 | protocol=17 | dir=out | app=system |
"{9FB2BD35-297E-4943-BFBB-CF11253B4730}" = lport=139 | protocol=6 | dir=in | app=system |
"{A6B944F2-AB6C-475C-8A23-6799331AB6D9}" = lport=138 | protocol=17 | dir=in | app=system |
"{AA410503-6EFB-4F95-B1F0-5AA7D3791376}" = lport=138 | protocol=17 | dir=in | name=netbios datagram service |
"{ACB8278F-488A-4EEB-94A9-C5037A9EBDC4}" = lport=10421 | protocol=17 | dir=in | name=singleclick discovery protocol |
"{B1A7C142-4002-4D38-9800-5DDD3302B2AA}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{C487D50D-6C86-43B1-B39C-54D8C0BDB577}" = rport=137 | protocol=17 | dir=out | app=system |
"{C80B6DA3-E4A9-484A-AFD2-7A9A381436E4}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D5FFC997-94E3-4E8E-B0DC-078C7FF7AB04}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{D99C8118-5E95-4121-94BE-B5939441BF4E}" = lport=445 | protocol=6 | dir=in | name=microsoft directory services |
"{DB7529F3-E251-4B54-8CB1-0CD1498BCDF7}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |
"{DD07C7DB-9194-4403-94C1-DE1F3F801CB2}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=c:\windows\system32\spoolsv.exe |
"{E3EA48A3-1A3B-4EA5-AFFE-F87ACE3FD6B2}" = lport=137 | protocol=17 | dir=in | name=netbios name service |
"{FEBEC688-1968-4373-AB40-F3D337BF460E}" = lport=137 | protocol=17 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{128FB2E4-CE69-4485-8AAC-FB5F908C4FBE}" = protocol=1 | dir=out | name=file and printer sharing (echo request - icmpv4-out) |
"{24C822F2-EE37-499E-983C-329F1399E98C}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{338322B2-9804-4AD7-81DA-3B3B43B83741}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{4C940E1F-358E-4B14-B620-1D3948569788}" = dir=in | app=c:\program files\dell\mediadirect\pcmservice.exe |
"{5B00AC96-B1BC-4618-A2C2-422B0CEF4AA8}" = protocol=58 | dir=out | name=file and printer sharing (echo request - icmpv6-out) |
"{60B975E8-C67F-418E-9F95-C050AAA3EF66}" = protocol=17 | dir=in | app=c:\program files\dell network assistant\ezi_hnm2.exe |
"{6F6E62D5-D3BD-4E00-8BF0-7E64E0B70693}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{73590262-28F2-4D54-8273-568C9D476720}" = dir=in | app=c:\program files\dell\mediadirect\powercinema.exe |
"{79753B85-0AC2-437B-B5B0-ADBAB93EC4CE}" = protocol=58 | dir=out | name=file and printer sharing (echo request - icmpv6-out) |
"{9E6EFC3A-7968-4942-8E61-6A158D73B6D3}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{A1DC6BCF-2DBB-412C-AB51-92B3ECE7284C}" = protocol=6 | dir=in | app=c:\program files\dell network assistant\ezi_hnm2.exe |
"{B52626C3-6A2D-45F7-A327-09ADD8074B16}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dms\clmsservice.exe |
"{BB115B6B-02D8-49B1-A2C3-E639C5E6C63C}" = dir=in | app=c:\program files\dell\mediadirect\kernel\dmp\clbrowserengine.exe |
"{BF9B3B41-9384-47E7-9C10-04A9B8D4BE11}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{E556FC17-E0EE-40AA-BCB9-D68577BAF515}" = protocol=1 | dir=in | name=file and printer sharing (echo request - icmpv4-in) |
"{F1B852FA-B453-4848-942C-D0EF11ACA044}" = protocol=58 | dir=in | name=file and printer sharing (echo request - icmpv6-in) |
"{F9807352-710A-40FB-A3F0-C23594476EFD}" = protocol=1 | dir=out | name=file and printer sharing (echo request - icmpv4-out) |
"TCP Query User{1CC7253D-C200-4EF8-9489-B57D8EA455FE}C:\users\__\appdata\roaming\vusbsp\vonagetalkusb.exe" = protocol=6 | dir=in | app=c:\users\__\appdata\roaming\vusbsp\vonagetalkusb.exe |
"TCP Query User{299A9DF4-B020-4B8E-B172-169239A0833E}C:\program files\real\realplayer\realplay.exe" = protocol=6 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
"TCP Query User{49E7E713-FF20-4182-AA06-1AED5F813776}C:\program files\macromedia\dreamweaver mx 2004\dreamweaver.exe" = protocol=6 | dir=in | app=c:\program files\macromedia\dreamweaver mx 2004\dreamweaver.exe |
"TCP Query User{555A2D2D-EA32-4CB2-9465-A54218D04F41}C:\program files\adobe\adobe dreamweaver cs5\dreamweaver.exe" = protocol=6 | dir=in | app=c:\program files\adobe\adobe dreamweaver cs5\dreamweaver.exe |
"TCP Query User{5925C103-B9F5-4865-B668-2DBA4E11F100}C:\program files\speeddial\speeddial.exe" = protocol=6 | dir=in | app=c:\program files\speeddial\speeddial.exe |
"TCP Query User{65347675-9F77-4A2E-B823-4D24E700D14E}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe" = protocol=6 | dir=in | app=c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe |
"TCP Query User{8D12C5A3-B149-411B-80A2-C8F456D6645A}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{A4A73954-FB46-4A00-BBFD-20084AC14178}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe" = protocol=6 | dir=in | app=c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe |
"TCP Query User{BBD16765-E990-4E91-B644-FF10A0194594}C:\users\__\appdata\local\temp\vusbsp\vonagetalkusb.exe" = protocol=6 | dir=in | app=c:\users\__\appdata\local\temp\vusbsp\vonagetalkusb.exe |
"TCP Query User{C006A642-49D0-4390-BA02-B53618551324}F:\lapnetwizard.exe" = protocol=6 | dir=in | app=f:\lapnetwizard.exe |
"TCP Query User{CBC979F3-BDD3-409E-B197-3161AAA77D27}C:\program files\dell network assistant\ezi_hnm2.exe" = protocol=6 | dir=in | app=c:\program files\dell network assistant\ezi_hnm2.exe |
"UDP Query User{2762EE66-7CB1-4879-A458-B349B7CE400E}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{29561149-155D-4981-BABE-860AF81D7F94}C:\program files\adobe\adobe dreamweaver cs5\dreamweaver.exe" = protocol=17 | dir=in | app=c:\program files\adobe\adobe dreamweaver cs5\dreamweaver.exe |
"UDP Query User{45942FD7-5A21-4C47-898D-515995598CDB}C:\program files\macromedia\dreamweaver mx 2004\dreamweaver.exe" = protocol=17 | dir=in | app=c:\program files\macromedia\dreamweaver mx 2004\dreamweaver.exe |
"UDP Query User{97C3AF95-0DB4-4294-B03E-C136F8C7F887}C:\program files\dell network assistant\ezi_hnm2.exe" = protocol=17 | dir=in | app=c:\program files\dell network assistant\ezi_hnm2.exe |
"UDP Query User{9B1E6FB8-7E20-4C16-9687-E79CF978841A}C:\users\__\appdata\roaming\vusbsp\vonagetalkusb.exe" = protocol=17 | dir=in | app=c:\users\__\appdata\roaming\vusbsp\vonagetalkusb.exe |
"UDP Query User{C7ACEE21-E513-4C27-9FF6-2FF37070ABD6}C:\program files\speeddial\speeddial.exe" = protocol=17 | dir=in | app=c:\program files\speeddial\speeddial.exe |
"UDP Query User{D3C109B5-7435-4536-8C15-7232F561EEFF}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe" = protocol=17 | dir=in | app=c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe |
"UDP Query User{E3FD27D2-354B-4CB4-BA4A-E10D87C6D10E}C:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe" = protocol=17 | dir=in | app=c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe |
"UDP Query User{F4502DD1-B793-4550-AABE-27C106642663}F:\lapnetwizard.exe" = protocol=17 | dir=in | app=f:\lapnetwizard.exe |
"UDP Query User{F5DAC6CE-6E6A-454C-A518-47443517B725}C:\program files\real\realplayer\realplay.exe" = protocol=17 | dir=in | app=c:\program files\real\realplayer\realplay.exe |
"UDP Query User{FDEE0DF3-8C74-4489-A7C1-0E17A851D160}C:\users\__\appdata\local\temp\vusbsp\vonagetalkusb.exe" = protocol=17 | dir=in | app=c:\users\__\appdata\local\temp\vusbsp\vonagetalkusb.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{0240BDFB-2995-4A3F-8C96-18D41282B716}" = Dell Network Assistant
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}" = Macromedia Dreamweaver MX 2004
"{0650BB10-BCF4-400A-85EE-04097E3046C6}" = Adobe Setup
"{079A8942-8B6B-41AC-842B-B83B81312D04}" = BestAddress HTML Editor 2009 Professional
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0C432DEB-FBF2-A5E0-FDB7-4B39F7FAF0D4}" = Adobe Community Help
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{0FC4511A-8A41-4969-A123-A2ACEF247886}" = FileMaker Developer 7
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{14AFE241-FC6E-4FDB-BCA0-7AD6F4974171}" = Adobe Setup
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}" = SymNet
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{2F353D44-73BB-4971-B31D-F7642E9E9531}" = Macromedia Flash MX 2004
"{30C8AA56-4088-426F-91D1-0EDFD3A25678}" = Adobe Dreamweaver CS4
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{388887F6-0661-4C80-B272-A6A23EFC7A31}" = MY CAMERA
"{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}" = ccCommon
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{412033BC-44CF-48D9-B813-4B835101F4D3}" = Adobe Illustrator 10
"{48185814-A224-447A-81DA-71BD20580E1B}" = Norton Internet Security
"{4843B611-8FCB-4428-8C23-31D0A5EAE164}" = Norton Confidential Browser Component
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}" = Norton Internet Security
"{5BCC634A-58AD-42F9-B3C6-2EA52F81CF85}" = Snagit 10
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{68CC54AC-EFE5-4CE4-81F8-BE0C834E2D86}" = Mobile Broadband Generic Drivers
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{77772678-817F-4401-9301-ED1D01A8DA56}" = SPBBC 32bit
"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3
"{7F0C4457-8E64-491B-8D7B-991504365D1E}" = QuickSet
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{830C86BE-8F83-ED88-2635-C12C28951F58}" = MyFonts Order M1404883
"{830D8CBD-C668-49e2-A969-C2C2106332E0}" = Norton AntiVirus
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{86A5D474-4E02-497E-BB03-C4E2D4236E48}" = FileMaker Pro 8.5 Advanced
"{87441A59-5E64-4096-A170-14EFE67200C3}" = Picture Control Utility
"{8B5DA7DA-1ABD-458B-A810-C5E5E54B4AA7}" = GigaPan 1.0.0805
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{939740B5-0064-4779-854A-8C1086181C05}" = Macromedia FreeHand MXa
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}" = Norton Protection Center
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}" = WIDCOMM Bluetooth Software 6.0.1.3100
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B3276CB1-20B6-4AF9-AAEC-E72C83816495}" = IKEA Home Planner
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B7C61755-DB48-4003-948F-3D34DB8EAF69}" = MSRedist
"{B8971880-0060-11D8-87CB-C2A1A3E71907}_is1" = Index.dat Suite
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C79312BD-3E76-4474-A10C-1435D1856A4B}" = Adobe Dreamweaver CS5
"{C99C0593-3B48-41D9-B42F-6E035B320449}" = Broadcom Management Programs
"{D0A8551D-30B5-41FD-8842-8DC82C4E4BEC}" = ModelRight 3 Community Edition
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D353CC51-430D-4C6F-9B7E-52003DA1E05A}" = Norton Confidential Web Protection Component
"{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}" = Symantec Real Time Storage Protection Component
"{D7BF3B76-EEF9-4868-9B2B-42ABF60B279A}" = Microsoft_VC80_CRT_x86
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DA0BF7AB-88EB-4675-8FA1-531EAD938821}" = SnagIt 8
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}" = Norton Internet Security
"{E583ED6F-BD99-4066-A420-C815BF692B69}" = Macromedia Fireworks MX 2004
"{E5EE9939-259F-4DE2-8023-5C49E16A4F43}" = Norton Internet Security
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{ED5761A3-C109-4E0E-8241-19DB67E66BED}" = CuteFTP 8 Lite
"{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}" = AppCore
"{F007CBCE-D714-4C0B-8CE9-9B0D78116468}" = ViewNX
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F4DB525F-A986-4249-B98B-42A8066251CA}" = AV
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"ACDSee Classic" = ACDSee Classic
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe PageMaker 7.0" = Adobe PageMaker 7.0
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings
"Adobe_7328fdfcb73660ec8b11d5a3d5c6232" = Adobe Dreamweaver CS3
"Adobe_acce07fd2c8fe7f9e3f26243e626578" = Adobe Dreamweaver CS4
"Axon2009" = Axon2009
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"CoffeeCup HTML Editor 2008" = CoffeeCup HTML Editor 2008
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"e-Campaign 6" = e-Campaign 6
"EPSON Printer and Utilities" = EPSON Printer Software
"IrfanView" = IrfanView (remove only)
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Merriam-Webster's Reference Library" = Merriam-Webster's Reference Library
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"Mozilla Thunderbird (3.1.6)" = Mozilla Thunderbird (3.1.6)
"MRU-Blaster_is1" = MRU-Blaster v1.5 (Database 3/28/2004)
"PhotomatixPro3_is1" = Photomatix Pro version 3.0.3RC2
"PHPMaker 5.0.2" = PHPMaker 5.0.2
"Pretty Good Solitaire_is1" = Pretty Good Solitaire version 12.0.1
"RealPlayer 6.0" = RealPlayer
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SilverFast Epson_is1" = SilverFast Epson
"SSC Service Utility_is1" = SSC Service Utility v4.30
"ST6UNST #1" = Simply Contacts Database
"SymSetup.{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}" = Norton Internet Security (Symantec Corporation)
"Tracks Eraser Pro_is1" = Tracks Eraser Pro v8.3 build 1000

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"SmartDraw 2009" = SmartDraw 2009

========== Last 10 Event Log Errors ==========

Error: Unable to start EventLog service!

< End of report >

-------END OTL Extras------------------------------------------------------------------------------------------


-------BEGIN GMER log file-------------------------------------------------------------------------------------
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-26 15:38:22
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\iaStor0 ST912082 rev.3.CD
Running: j35pm92x.exe; Driver: C:\Users\__\AppData\Local\Temp\pgdiypow.sys


---- System - GMER 1.0.15 ----

SSDT 8730B320 ZwConnectPort

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 77C1FD74 5 Bytes JMP 0013000A
.text C:\Windows\system32\svchost.exe[1108] ntdll.dll!NtWriteVirtualMemory 77C206F4 5 Bytes JMP 0014000A
.text C:\Windows\system32\svchost.exe[1108] ntdll.dll!KiUserExceptionDispatcher 77C20E88 5 Bytes JMP 0012000A
.text C:\Windows\system32\svchost.exe[1108] ole32.dll!CoCreateInstance 77ACDD8F 5 Bytes JMP 00D7000A
.text C:\Windows\system32\svchost.exe[1108] USER32.dll!WindowFromPoint 76A8C98E 5 Bytes JMP 00F9000A
.text C:\Windows\system32\svchost.exe[1108] USER32.dll!GetForegroundWindow 76A99666 5 Bytes JMP 00FA000A
.text C:\Windows\system32\svchost.exe[1108] USER32.dll!GetCursorPos 76A9C664 5 Bytes JMP 00F8000A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1604] USER32.dll!TrackPopupMenu 76AACFF8 5 Bytes JMP 6ED65CF5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\Explorer.EXE[2068] ntdll.dll!NtProtectVirtualMemory 77C1FD74 5 Bytes JMP 00EF000A
.text C:\Windows\Explorer.EXE[2068] ntdll.dll!NtWriteVirtualMemory 77C206F4 5 Bytes JMP 00F0000A
.text C:\Windows\Explorer.EXE[2068] ntdll.dll!KiUserExceptionDispatcher 77C20E88 5 Bytes JMP 00EE000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3796] ntdll.dll!NtProtectVirtualMemory 77C1FD74 5 Bytes JMP 00F8000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3796] ntdll.dll!NtWriteVirtualMemory 77C206F4 5 Bytes JMP 00F9000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3796] ntdll.dll!KiUserExceptionDispatcher 77C20E88 5 Bytes JMP 00A8000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\BTHUSB \Device\00000088 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\BTHUSB \Device\0000008a bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9120822AS_____________________________3.CDD___#4&1a4b0a3c&1&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001c26f3b730
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001c26f3b730 (not active ControlSet)
Reg HKLM\SOFTWARE\Classes\Interface\{9B0353AA-0E52-44FF-"
Reg HKLM\SOFTWARE\Classes\Interface\{9B0353AA-0E52-44FF-"\ProxyStubClsid
Reg HKLM\SOFTWARE\Classes\Interface\{9B0353AA-0E52-44FF-"\ProxyStubClsid@ {00020424-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\Interface\{9B0353AA-0E52-44FF-"\ProxyStubClsid32
Reg HKLM\SOFTWARE\Classes\Interface\{9B0353AA-0E52-44FF-"\ProxyStubClsid32@ {00020424-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\Interface\{9B0353AA-0E52-44FF-"\TypeLib

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 234441392 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


-------END GMER log file---------------------------------------------------------------------------------------------

#6 tom96 (Member, Topic Starter, 13 posts)
The OTL extras.txt file is attached

Tom

#7 RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
Tom:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :OTL
    O33 - MountPoints2\{4e6ed4a6-724b-11de-a391-001c26f3b730}\Shell - "" = AutoRun
    O33 - MountPoints2\{4e6ed4a6-724b-11de-a391-001c26f3b730}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect
    O33 - MountPoints2\{79debd9a-a6ec-11df-8900-8cca535beeb0}\Shell - "" = AutoRun
    O33 - MountPoints2\{79debd9a-a6ec-11df-8900-8cca535beeb0}\Shell\AutoRun\command - "" = "G:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{7a460ede-068a-11df-badd-001c26f3b730}\Shell - "" = AutoRun
    O33 - MountPoints2\{7a460ede-068a-11df-badd-001c26f3b730}\Shell\AutoRun\command - "" = "F:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{8543c142-9025-11de-9178-001c26f3b730}\Shell - "" = AutoRun
    O33 - MountPoints2\{8543c142-9025-11de-9178-001c26f3b730}\Shell\AutoRun\command - "" = F:\LapNetWizard.exe
    O33 - MountPoints2\{a9e36b46-706d-11de-8c4d-001c26f3b730}\Shell - "" = AutoRun
    O33 - MountPoints2\{a9e36b46-706d-11de-8c4d-001c26f3b730}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect
    O33 - MountPoints2\{dd62fda1-7198-11de-abcc-001c26f3b730}\Shell - "" = AutoRun
    O33 - MountPoints2\{dd62fda1-7198-11de-abcc-001c26f3b730}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect
    :Commands
    [EmptyFlash]
    [EmptyTemp]
    [Purity]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
Download ComboFix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
Please include the following in your next post:
  • OTL Fix log
  • ComboFix log


#8 tom96 (Member, Topic Starter, 13 posts)
hi RPMcMurphy,
I had a problem with ComboFix. I downloaded ComboFix to the desktop and ran it from the desktop. All other programs were closed. ComboFix was run as administrator. When ComboFix was loading I received the blue screen and the computer shut down. I've been getting the blue screen lately and was not sure it was related to the ComboFix Loading. I checked to be sure anti-virus software was off and ran ComboFix again and I got the blue screen again. The blue screen appeared as ComboFix was loading, not running. The computer shut down rather quickly so I could not read everything on the screen. iastor.sys was mentioned if that is any clue.
Tom

#9 RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
Tom:

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
Please include the following in your next post:
  • MBRCheck log


#10 tom96 (Member, Topic Starter, 13 posts)
Results of the MBR check:----------------------------------------------------------------------------------


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Business Edition
Windows Information: (build 6000), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Vostro 1400
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 166):
0x82000000 \SystemRoot\system32\ntkrnlpa.exe
0x823A1000 \SystemRoot\system32\hal.dll
0x86C85000 \SystemRoot\system32\kdcom.dll
0x8026B000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80262000 \SystemRoot\system32\PSHED.dll
0x8025A000 \SystemRoot\system32\BOOTVID.dll
0x8021F000 \SystemRoot\system32\CLFS.SYS
0x8051F000 \SystemRoot\system32\CI.dll
0x804A4000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80212000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80461000 \SystemRoot\system32\drivers\acpi.sys
0x80209000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80201000 \SystemRoot\system32\drivers\msisadrv.sys
0x8043C000 \SystemRoot\system32\drivers\pci.sys
0x8042D000 \SystemRoot\system32\drivers\volmgr.sys
0x8042A000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80420000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80410000 \SystemRoot\System32\drivers\mountmgr.sys
0x80409000 \SystemRoot\system32\DRIVERS\intelide.sys
0x807F2000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x80402000 \SystemRoot\system32\drivers\pciide.sys
0x807A8000 \SystemRoot\System32\drivers\volmgrx.sys
0x80708000 \SystemRoot\system32\drivers\iastorv.sys
0x8064A000 \SystemRoot\system32\drivers\iastor.sys
0x80642000 \SystemRoot\system32\drivers\atapi.sys
0x80624000 \SystemRoot\system32\drivers\ataport.SYS
0x81FCF000 \SystemRoot\system32\drivers\fltmgr.sys
0x80614000 \SystemRoot\system32\drivers\fileinfo.sys
0x81ECB000 \SystemRoot\system32\drivers\ndis.sys
0x81EA0000 \SystemRoot\system32\drivers\msrpc.sys
0x81E67000 \SystemRoot\system32\drivers\NETIO.SYS
0x824F8000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8248E000 \SystemRoot\System32\Drivers\ksecdd.sys
0x81E31000 \SystemRoot\system32\drivers\volsnap.sys
0x8060C000 \SystemRoot\System32\Drivers\spldr.sys
0x81E22000 \SystemRoot\System32\drivers\partmgr.sys
0x81E13000 \SystemRoot\System32\Drivers\mup.sys
0x82469000 \SystemRoot\System32\drivers\ecache.sys
0x81E02000 \SystemRoot\system32\drivers\disk.sys
0x82448000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x80603000 \SystemRoot\system32\drivers\crcdisk.sys
0x8EAD4000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8E6E2000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8EA96000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8F019000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8EF7A000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8E600000 \SystemRoot\System32\drivers\watchdog.sys
0x8EA1B000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8EEED000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8EA0D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8EEDB000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8EE55000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
0x8EE26000 \SystemRoot\system32\DRIVERS\b57nd60x.sys
0x8C360000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8EA88000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8EE0E000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8EE00000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0x8F7EC000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0x8F79B000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0x8F788000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8F75C000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0x8EA02000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8F751000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8F739000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C24A000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8E6FD000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8F70E000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8F6CE000 \SystemRoot\system32\DRIVERS\storport.sys
0x8F6C3000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8F6AC000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8F6A1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8F67E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x82698000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8F62B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8FB79000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0x8F61C000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8E77A000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8FB4F000 \SystemRoot\system32\DRIVERS\ks.sys
0x8FB14000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
0x8F612000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8E61A000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8FAE0000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x82680000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8FA8D000 \SystemRoot\system32\drivers\stwrt.sys
0x8FA60000 \SystemRoot\system32\drivers\portcls.sys
0x8FA3B000 \SystemRoot\system32\drivers\drmk.sys
0x8FDC3000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0x8FCC0000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0x8FC0C000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0x8E627000 \SystemRoot\system32\drivers\modem.sys
0x8E70F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8EA5E000 \SystemRoot\System32\Drivers\Null.SYS
0x8EA65000 \SystemRoot\System32\Drivers\Beep.SYS
0x8EA6C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8FA2F000 \SystemRoot\System32\drivers\vga.sys
0x8FA0E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8E780000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8E788000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8FA03000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8FFD2000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8E721000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8FF00000 \SystemRoot\System32\drivers\tcpip.sys
0x8FEE7000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8FED2000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8FEA4000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0x8FE41000 \??\C:\Windows\system32\Drivers\SYMEVENT.SYS
0x8FE2D000 \SystemRoot\system32\DRIVERS\smb.sys
0x901B9000 \SystemRoot\system32\drivers\afd.sys
0x90187000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8FE17000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8FE09000 \SystemRoot\system32\DRIVERS\netbios.sys
0x90174000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x90163000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0x90128000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8FC02000 \SystemRoot\system32\drivers\nsiproxy.sys
0x900C5000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0x90072000 \SystemRoot\system32\drivers\csc.sys
0x9005B000 \SystemRoot\System32\Drivers\dfsc.sys
0x8E634000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8EB42000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x95513000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8E760000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x954EB000 \SystemRoot\System32\Drivers\fastfat.SYS
0x8E718000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8C380000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8E7D8000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x96600000 \SystemRoot\System32\win32k.sys
0x90001000 \SystemRoot\System32\drivers\Dxapi.sys
0x954DF000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x954A5000 \SystemRoot\System32\Drivers\bthport.sys
0x95494000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x9548A000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x95470000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x9559A000 \SystemRoot\system32\drivers\btwavdt.sys
0x96985000 \SystemRoot\system32\drivers\btwaudio.sys
0x8EAB3000 \SystemRoot\system32\DRIVERS\btwrchid.sys
0x8E72A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x95452000 \SystemRoot\system32\DRIVERS\monitor.sys
0xA6C00000 \SystemRoot\System32\TSDDD.dll
0xA6C10000 \SystemRoot\System32\cdd.dll
0xA6C20000 \SystemRoot\System32\ATMFD.DLL
0xA89A5000 \SystemRoot\system32\drivers\luafv.sys
0xA90B2000 \SystemRoot\system32\drivers\spsys.sys
0xAA3C0000 \SystemRoot\system32\DRIVERS\packet.sys
0x8C310000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xAA395000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xA8937000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA905F000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xAAC4F000 \SystemRoot\system32\drivers\HTTP.sys
0xAC725000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xAA201000 \SystemRoot\system32\DRIVERS\bowser.sys
0xAC711000 \SystemRoot\System32\drivers\mpsdrv.sys
0xAC6B1000 \SystemRoot\system32\drivers\mrxdav.sys
0xAC693000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAC65A000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAC648000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xAC624000 \SystemRoot\System32\DRIVERS\srv2.sys
0xADB74000 \SystemRoot\System32\DRIVERS\srv.sys
0xB0DE8000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB0CE2000 \SystemRoot\system32\drivers\peauth.sys
0xA8987000 \SystemRoot\System32\Drivers\secdrv.SYS
0x8EB09000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xAA27D000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA7906000 \SystemRoot\system32\DRIVERS\xaudio.sys
0xA7C46000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77140000 \Windows\System32\ntdll.dll

Processes (total 62):
0 System Idle Process
4 System
412 C:\Windows\System32\smss.exe
488 csrss.exe
540 C:\Windows\System32\wininit.exe
548 csrss.exe
588 C:\Windows\System32\services.exe
600 C:\Windows\System32\lsass.exe
608 C:\Windows\System32\lsm.exe
632 C:\Windows\System32\winlogon.exe
784 C:\Windows\System32\svchost.exe
844 C:\Windows\System32\svchost.exe
880 C:\Windows\System32\svchost.exe
964 C:\Windows\System32\svchost.exe
1028 C:\Windows\System32\svchost.exe
1104 C:\Windows\System32\audiodg.exe
1148 C:\Windows\System32\SLsvc.exe
1244 C:\Windows\System32\svchost.exe
1412 C:\Windows\System32\svchost.exe
1532 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
1608 C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
1640 C:\Windows\System32\WLTRYSVC.EXE
1652 C:\Windows\System32\BCMWLTRY.EXE
1820 C:\Windows\System32\svchost.exe
1964 C:\Windows\System32\dwm.exe
1996 C:\Windows\System32\taskeng.exe
132 C:\Windows\explorer.exe
228 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
2188 C:\Program Files\Bonjour\mDNSResponder.exe
2212 C:\Windows\System32\svchost.exe
2260 C:\Program Files\DellTPad\Apoint.exe
2268 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2280 C:\Windows\System32\WLTRAY.EXE
2288 C:\Program Files\Dell\MediaDirect\PCMService.exe
2308 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
2332 C:\Program Files\QuickTime\QTTask.exe
2392 C:\Windows\System32\hkcmd.exe
2400 C:\Windows\System32\igfxpers.exe
2412 C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
2420 C:\Program Files\Epson-SSC Service Utility\ssc_serv.exe
2428 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2452 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
2468 C:\Program Files\Digital Line Detect\DLG.exe
2520 C:\Program Files\DellTPad\ApMsgFwd.exe
2560 C:\Program Files\Dell Network Assistant\hnm_svc.exe
2744 C:\Program Files\DellTPad\hidfind.exe
2776 C:\Windows\System32\svchost.exe
2848 C:\Windows\System32\stacsv.exe
2876 C:\Program Files\DellTPad\ApntEx.exe
2908 C:\Windows\System32\igfxsrvc.exe
3236 C:\Windows\System32\svchost.exe
3316 C:\Windows\System32\svchost.exe
3364 C:\Windows\System32\SearchIndexer.exe
3396 C:\Windows\System32\drivers\XAudio.exe
3560 C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
2636 C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
1272 C:\Windows\System32\spoolsv.exe
432 C:\Program Files\Windows Mail\WinMail.exe
780 C:\Program Files\Mozilla Firefox\firefox.exe
3816 WmiPrvSE.exe
1140 C:\Windows\System32\wbem\WMIADAP.exe
3248 C:\Users\__\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`84f00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`04f00000 (NTFS)

PhysicalDrive0 Model Number: ST9120822AS, Rev: 3.CDD

Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 Windows Vista MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!
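To make concrete what the MBRCheck report above is doing when it prints "Windows Vista MBR code detected" together with a SHA1, here is an added example; it is not part of the thread and not MBRCheck's own code. It parses a 512-byte MBR, hashes the bootstrap code area, verifies the 55AA boot signature, walks the four partition entries, and flags anything that does not match a known-good hash or basic sanity rules (one active partition, valid status bytes, no partition running past the end of the disk). Everything it runs on is constructed inline: the "clean" bootstrap code is a placeholder, not real Vista boot code; the known-good set is just that placeholder's hash; the two partition entries reuse the volume offsets MBRCheck reported (0x04f00000 and 0x84f00000 bytes, i.e. LBA 161792 and 4356096) with assumed sizes on an assumed 234441648-sector disk. Hashing only bytes 0-439 is this example's convention and not a claim about how MBRCheck computes its SHA1.

```python
"""Parse and sanity-check a 512-byte Master Boot Record.

Added example for this thread; it is not MBRCheck's code. It models the kind of
check MBRCheck performs: hash the bootstrap code, compare it with known-good
hashes, verify the 55AA boot signature and list the partition table.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440            # bootstrap code area, bytes 0..439 (assumed hash region)
DISK_SIG_OFF = 440        # 4-byte Windows disk signature
PT_OFFSET = 446           # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, LBA count


def parse_mbr(sector: bytes) -> dict:
    """Return bootstrap hash, disk signature, signature check and partition list."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba_start, lba_count = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        if ptype == 0:        # empty slot
            continue
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "lba_count": lba_count})
    return {
        "code_sha1": hashlib.sha1(sector[:CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "signature_ok": sector[510:512] == BOOT_SIG,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_good_sha1: set, disk_sectors: int) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature is not 55AA")
    if info["code_sha1"] not in known_good_sha1:
        findings.append("bootstrap code SHA1 %s not in known-good list" % info["code_sha1"])
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02X" % (p["index"], p["status"]))
        if p["lba_start"] + p["lba_count"] > disk_sectors:
            findings.append("partition %d extends past the end of the disk" % p["index"])
    return findings


def build_mbr(code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR: code, disk signature, partition entries, 55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x12345678)   # constructed signature
    for i, (status, ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PT_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed sample data. The "clean" code is a placeholder (xor ax,ax; mov ss,ax;
# mov sp,7C00h; then NOPs), not real Vista boot code. The partition starts reuse the
# volume offsets MBRCheck reported in the thread (0x04f00000 and 0x84f00000 bytes);
# the sizes and the 234441648-sector disk are assumptions.
DISK_SECTORS = 234441648
CLEAN_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (CODE_LEN - 7)
KNOWN_GOOD = {hashlib.sha1(CLEAN_CODE).hexdigest().upper()}
LAYOUT = [(0x00, 0x07, 0x04F00000 // 512, 4194304),                          # D:, LBA 161792
          (0x80, 0x07, 0x84F00000 // 512, DISK_SECTORS - 0x84F00000 // 512)]  # C:, LBA 4356096
CLEAN_MBR = build_mbr(CLEAN_CODE, LAYOUT)
# A bootkit-style patch: the first two code bytes replaced by a short jump (EB FE).
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + CLEAN_CODE[2:], LAYOUT)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(mbr)
        print(name, info["code_sha1"],
              [(p["lba_start"], p["lba_count"]) for p in info["partitions"]])
        print("  findings:", check_mbr(mbr, KNOWN_GOOD, DISK_SECTORS) or "none")
```

Run it as a script and the clean sector produces no findings while the tampered one is reported for its unknown bootstrap hash; to check a real disk you would read the first 512 bytes of the physical drive (which needs administrator rights on Windows) and pass them to check_mbr with the hashes you trust. Note that a matching hash only says the MBR code itself is stock: in this thread MBRCheck reports Vista MBR code while GMER still flags sector 0 and several other sectors, so the two reports have to be read side by side rather than taking either alone.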

#11 RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
Tom:

Please boot into Safe Mode and try running ComboFix from there.

Please include the following in your next post:
  • ComboFix log


#12 tom96 (Member, Topic Starter, 13 posts)
RPMcMurphy,
ComboFix did not run in Safe Mode. The system crashed while ComboFix was loading, not running. I received the blue screen. The following is the information from the recovery after startup.

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.2.0.0.256.6
Locale ID: 1033

Additional information about the problem:
BCCode: 1000008e
BCP1: C0000005
BCP2: 00000001
BCP3: 97B7F9F0
BCP4: 00000000
OS Version: 6_0_6000
Service Pack: 0_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\Mini022711-02.dmp
C:\Users\__\AppData\Local\Temp\WER-53383-0.sysdata.xml
C:\Users\__\AppData\Local\Temp\WER1F81.tmp.version.txt

Read our privacy statement:
http://go.microsoft....63&clcid=0x0409

#13 RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
Hi Tom,

Please try running TDSSKiller from Safe Mode. Here are the instructions if you need them:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.


#14 tom96 (Member, Topic Starter, 13 posts)
Hi RPMcMurphy,

TDSSKiller would not load in safe mode. I received the windows error message "TDSS rootkit removing tool has stopped working". The Problem Details are below:

Problem signature:
Problem Event Name: BEX
Application Name: TDSSKiller.exe
Application Version: 2.4.18.0
Application Timestamp: 4d621d9c
Fault Module Name: TDSSKiller.exe
Fault Module Version: 2.4.18.0
Fault Module Timestamp: 4d621d9c
Exception Offset: 00055e49
Exception Code: c0000409
Exception Data: 00000000
OS Version: 6.0.6000.2.0.0.256.6
Locale ID: 1033
Additional Information 1: ce8c
Additional Information 2: dc9a101f8fcc6675f457071cf59eed65
Additional Information 3: e300
Additional Information 4: 486a5f8bfc817dae7554e7633eb8d941

Tom

#15 RPMcMurphy (Trusted Helper, Malware Removal, 930 posts)
Tom:

Sorry for the delay, please do this next:

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click the DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Please include the following in your next post:
  • MBAM log
  • DDS.txt and Attach.txt logs
