Geeks to Go

Persistent Redirects - TDSS, ComboFix & OTM failed


This topic is locked

#1 Jeff_F (Member, 27 posts)

Greetings!
System:

Quad core Q6600
2.4Ghz @ Gb RAM
Wacom CTE-440 Tablet
Windows XP SP2

I am experiencing vexing redirects from search page results. On the 2nd attempt to follow a link (after closing suspicious redirects to bogus search pages or non-loading pages) I can load the real page, and my bookmarks lead directly to correct pages. I am guessing that my MVPS HOSTS file is stopping some of the redirects.

Spysweeper found several items as did Zonealarm. I was unable to update Spy Sweeper, although Zonealarm's Kaspersky Anti Virus engine appeared to update successfully. After searching online, I downloaded TDSS and ran it, then Combofix (renamed CbFx.exe so it would run) and I was then able to update Spy Sweeper, although neither it nor ZoneAlarm have eliminated the problem after additional scans.

When running ComboFix it noted that ZoneAlarm was still running, even though I had shut it down, as well as SpySweeper. I shut down WRConsumerService.exe in Task Manager, but was unable to kill SpySweeper.exe. I noticed that Wallmaster stopped loading at startup, although I assume that this happened with the recovery during ComboFix's efforts.

I also updated CCleaner and let it have a go. I have run OTM and Gooredfix and have run TDSS several more times. TDSS appears to find malware each time and has rebooted my machine after seeing "rootkit activity", but the redirect problem persists.

I was unable to start Superantispyware, the free version which I used for backup scanning - not running resident. I also downloaded Malwarebytes AM, but it also refuses to start.

I have now run OTL, log follows:


OTL logfile created on: 4/8/2011 2:16:48 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jeff\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60.00 Gb Total Space | 24.17 Gb Free Space | 40.28% Space Free | Partition Type: NTFS
Drive D: | 89.04 Gb Total Space | 42.25 Gb Free Space | 47.44% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 43.45 Gb Free Space | 18.66% Space Free | Partition Type: NTFS
Drive F: | 149.05 Gb Total Space | 53.32 Gb Free Space | 35.77% Space Free | Partition Type: NTFS

Computer Name: JEFFDESK | User Name: Jeff | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/08 02:15:47 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
PRC - [2011/03/18 13:53:06 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/08/16 23:54:50 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
PRC - [2010/08/09 06:03:10 | 000,389,352 | ---- | M] (SANDBOXIE L.T.D) -- C:\Program Files\Sandboxie\SbieCtrl.exe
PRC - [2010/08/09 06:03:08 | 000,075,496 | ---- | M] (SANDBOXIE L.T.D) -- C:\Program Files\Sandboxie\SbieSvc.exe
PRC - [2010/07/20 21:24:38 | 002,434,568 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2010/07/20 21:22:56 | 001,038,848 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2010/06/15 07:09:48 | 000,493,032 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2010/06/15 07:09:44 | 000,730,600 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/09/07 13:19:27 | 000,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2006/03/23 00:13:46 | 001,591,808 | ---- | M] (YourWare Solutions ™) -- C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
PRC - [2005/12/05 17:00:44 | 000,753,664 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Tablet.exe
PRC - [2005/01/19 20:34:16 | 000,128,000 | ---- | M] ( ) -- C:\Program Files\CursorXP\CursorXP.exe


========== Modules (SafeList) ==========

MOD - [2011/04/08 02:15:47 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
MOD - [2010/06/15 07:09:52 | 000,640,488 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
MOD - [2009/07/12 04:12:06 | 000,632,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
MOD - [2009/07/12 04:09:20 | 000,554,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
MOD - [2006/09/07 13:18:56 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2005/01/19 20:34:24 | 000,014,848 | ---- | M] ( ) -- C:\Program Files\CursorXP\CurXP0.dll
MOD - [2004/08/03 18:56:44 | 000,367,616 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dsound.dll
MOD - [2004/08/03 18:56:44 | 000,120,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvfw32.dll
MOD - [2004/02/23 22:42:40 | 001,386,496 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvbvm60.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/08/16 23:54:50 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService)
SRV - [2010/08/09 06:03:08 | 000,075,496 | ---- | M] (SANDBOXIE L.T.D) [Auto | Running] -- C:\Program Files\Sandboxie\SbieSvc.exe -- (SbieSvc)
SRV - [2010/07/20 21:24:38 | 002,434,568 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2010/06/15 07:09:48 | 000,493,032 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2009/11/06 12:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2005/12/05 17:00:44 | 000,753,664 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\WINDOWS\system32\Tablet.exe -- (TabletService)
SRV - [2003/03/09 16:31:02 | 000,065,795 | R--- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/08/11 05:25:45 | 000,082,380 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2010/08/09 06:03:04 | 000,123,112 | ---- | M] (SANDBOXIE L.T.D) [Kernel | On_Demand | Running] -- C:\Program Files\Sandboxie\SbieDrv.sys -- (SbieDrv)
DRV - [2010/06/15 07:09:40 | 000,026,352 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2010/06/09 19:16:12 | 000,528,128 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/06 15:00:36 | 000,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssidrv.sys -- (ssidrv)
DRV - [2009/11/06 15:00:36 | 000,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys -- (sshrmd)
DRV - [2009/11/06 15:00:34 | 000,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc)
DRV - [2009/10/12 18:15:30 | 000,317,072 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/10/12 18:15:26 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\kl1.sys -- (kl1)
DRV - [2007/03/27 04:21:06 | 004,395,008 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/03/15 02:12:02 | 000,038,656 | R--- | M] (Attansic Technology corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atl01_xp.sys -- (AtcL001)
DRV - [2006/10/18 15:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2005/11/29 17:50:42 | 000,008,138 | ---- | M] (Wacom Technology Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\PenClass.sys -- (PenClass)
DRV - [2004/08/12 22:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2000/07/24 04:01:00 | 000,019,537 | ---- | M] (Brother Industries Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\BrPar.sys -- (BrPar)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\software\mozilla\Firefox\extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2011/02/07 06:07:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/29 20:48:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/29 20:48:35 | 000,000,000 | ---D | M]

[2010/08/11 03:08:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Extensions
[2011/04/03 02:55:53 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\94urjx0q.default\extensions
[2011/01/16 13:39:16 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\94urjx0q.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/04/03 02:52:43 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\94urjx0q.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011/03/12 21:45:26 | 000,000,000 | ---D | M] (Personas) -- C:\Documents and Settings\Jeff\Application Data\Mozilla\Firefox\Profiles\94urjx0q.default\extensions\[email protected]
[2011/03/29 20:48:38 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/11 03:50:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/17 19:39:20 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2011/01/16 14:06:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/18 13:53:24 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/04/08 01:41:48 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (ZoneAlarm Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe ( )
O4 - HKCU..\Run: [FreeRAM XP] C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe (YourWare Solutions ™)
O4 - HKCU..\Run: [SandboxieControl] C:\Program Files\Sandboxie\SbieCtrl.exe (SANDBOXIE L.T.D)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2010/08/11 05:46:05 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ButtonBoogie.lnk = C:\Program Files\PC Magazine Utilities\ButtonBoogie\ButtonBoogie.exe (Ziff Davis Media, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe (Wacom Technology, Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe (Tropical Wares)
O4 - Startup: C:\Documents and Settings\Jeff\Start Menu\Programs\Startup\ButtonBoogie.lnk = C:\Program Files\PC Magazine Utilities\ButtonBoogie\ButtonBoogie.exe (Ziff Davis Media, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.233.217.2 64.233.217.3
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop Components:AutorunsDisabled () -
O24 - Desktop WallPaper: C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jeff\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/08/11 02:46:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/08 02:15:46 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
[2011/04/08 02:13:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\Redirect Fixes
[2011/04/08 01:41:39 | 000,000,000 | ---D | C] -- C:\_OTM
[2011/04/08 01:28:04 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/04/08 01:28:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/08 01:28:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/04/08 01:28:00 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/04/08 01:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/08 00:03:05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jeff\Recent
[2011/04/08 00:03:05 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/07 22:14:49 | 006,836,912 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jeff\Desktop\mbam-rules.exe
[2011/04/07 21:52:13 | 000,000,000 | --SD | C] -- C:\WINDOWS\Cookies
[2011/04/07 21:15:31 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/04/07 21:15:31 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/04/07 21:15:31 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/04/07 21:15:31 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/04/07 21:02:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/04/07 21:00:39 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/07 20:50:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2011/04/06 01:49:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Application Data\jah
[2011/04/06 01:48:48 | 000,000,000 | ---D | C] -- C:\Program Files\OpenLibraries
[2011/04/06 01:48:42 | 000,000,000 | ---D | C] -- C:\Program Files\jahPlayer
[2011/04/05 23:05:49 | 000,102,439 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\sipr3260.dll
[2011/04/05 23:05:49 | 000,065,602 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\cook3260.dll
[2011/04/05 23:05:48 | 001,184,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wvc1dmod.dll
[2011/04/05 23:05:48 | 000,626,688 | ---- | C] (On2.com) -- C:\WINDOWS\System32\vp7vfw.dll
[2011/03/23 01:24:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\RFID Zapper
[2011/03/19 12:10:10 | 000,000,000 | ---D | C] -- C:\Program Files\CubePortable
[2011/03/19 12:08:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\pazera
[2011/03/19 11:42:32 | 002,329,003 | ---- | C] (boilsoft, Inc. ) -- C:\Documents and Settings\Jeff\Desktop\avi_mpg_splitter.exe
[2011/03/17 20:40:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jeff\Desktop\Portable Apps
[2010/08/15 21:52:25 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\Jeff\Application Data\pcouffin.sys
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/08 02:15:47 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jeff\Desktop\OTL.exe
[2011/04/08 02:05:00 | 000,000,132 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\Geeks to go redirect fix Page.url
[2011/04/08 02:01:42 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2011/04/08 01:44:33 | 000,000,336 | ---- | M] () -- C:\WINDOWS\System32\tablet.dat
[2011/04/08 01:44:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/08 01:41:48 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/04/08 01:28:04 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/07 23:59:30 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/04/07 22:15:12 | 006,836,912 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Jeff\Desktop\mbam-rules.exe
[2011/04/07 21:14:13 | 004,315,987 | R--- | M] () -- C:\Documents and Settings\Jeff\Desktop\CbFx.exe
[2011/04/07 20:50:48 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/07 06:34:37 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Word.lnk
[2011/04/06 06:45:14 | 000,001,057 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\vso_ts_preview.xml
[2011/04/06 01:48:45 | 000,000,810 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\jahPlayer.lnk
[2011/04/06 01:45:08 | 000,193,024 | ---- | M] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/05 23:23:13 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/04/05 23:11:32 | 000,047,360 | ---- | M] (VSO Software) -- C:\Documents and Settings\Jeff\Application Data\pcouffin.sys
[2011/04/05 23:11:32 | 000,007,887 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\pcouffin.cat
[2011/04/05 23:11:31 | 000,001,144 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\pcouffin.inf
[2011/03/29 20:48:40 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Jeff\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/03/28 01:57:55 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\Publisher.lnk
[2011/03/22 22:03:00 | 000,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/22 22:03:00 | 000,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/20 11:45:38 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Jeff\Desktop\Word.lnk
[2011/03/19 12:24:02 | 000,001,592 | ---- | M] () -- C:\WINDOWS\Sandboxie.ini
[2011/03/19 11:42:37 | 002,329,003 | ---- | M] (boilsoft, Inc. ) -- C:\Documents and Settings\Jeff\Desktop\avi_mpg_splitter.exe
[2011/03/13 15:54:38 | 000,000,494 | ---- | M] () -- C:\hpfr5550.xml
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/08 02:04:37 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\Jeff\Desktop\Geeks to go redirect fix Page.url
[2011/04/08 01:28:04 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/04/07 23:59:30 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/04/07 21:15:31 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/04/07 21:15:31 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/04/07 21:15:31 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/04/07 21:15:31 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/04/07 21:15:31 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/04/07 21:13:56 | 004,315,987 | R--- | C] () -- C:\Documents and Settings\Jeff\Desktop\CbFx.exe
[2011/04/06 01:48:45 | 000,000,810 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\jahPlayer.lnk
[2011/04/05 23:06:17 | 000,001,057 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\vso_ts_preview.xml
[2010/11/07 23:19:46 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/05 00:51:38 | 000,000,066 | ---- | C] () -- C:\WINDOWS\drD3D.ini
[2010/08/18 04:24:51 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2010/08/16 12:04:31 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/08/16 04:46:07 | 000,000,445 | ---- | C] () -- C:\WINDOWS\EntPack.dat
[2010/08/16 04:46:07 | 000,000,046 | ---- | C] () -- C:\WINDOWS\EntPack.ini
[2010/08/16 01:36:18 | 000,001,592 | ---- | C] () -- C:\WINDOWS\Sandboxie.ini
[2010/08/15 21:52:25 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\pcouffin.cat
[2010/08/15 21:52:25 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\Jeff\Application Data\pcouffin.inf
[2010/08/12 01:03:49 | 001,103,360 | ---- | C] () -- C:\WINDOWS\System32\cidfont.dll
[2010/08/12 01:03:48 | 004,369,408 | ---- | C] () -- C:\WINDOWS\System32\pdftk.exe
[2010/08/12 01:03:48 | 001,503,232 | ---- | C] () -- C:\WINDOWS\System32\ptj.exe
[2010/08/12 00:13:16 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/08/12 00:12:54 | 000,193,024 | ---- | C] () -- C:\Documents and Settings\Jeff\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/11 13:04:12 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010/08/11 06:06:14 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/08/11 05:54:02 | 000,016,560 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2010/08/11 05:53:48 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2010/08/11 05:43:21 | 000,000,059 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2010/08/11 05:43:21 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_1440.ini
[2010/08/11 05:43:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Brohl144.ini
[2010/08/11 05:43:19 | 000,000,447 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2010/08/11 05:43:18 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2010/08/11 05:42:34 | 000,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2010/08/11 05:42:34 | 000,000,039 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2010/08/11 05:42:34 | 000,000,026 | ---- | C] () -- C:\WINDOWS\brpp2ka.ini
[2010/08/11 05:42:34 | 000,000,023 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2010/08/11 05:42:17 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2010/08/11 05:42:17 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\BRVPDNTA.DLL
[2010/08/11 05:42:17 | 000,026,624 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC32.DLL
[2010/08/11 05:42:17 | 000,011,568 | ---- | C] () -- C:\WINDOWS\HL-1440.INI
[2010/08/11 05:42:17 | 000,004,608 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC16.DLL
[2010/08/11 05:20:23 | 000,020,454 | ---- | C] () -- C:\WINDOWS\hpoins01.dat
[2010/08/11 05:20:23 | 000,016,618 | ---- | C] () -- C:\WINDOWS\hpomdl01.dat
[2010/08/11 05:15:36 | 000,000,026 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2010/08/11 04:47:05 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/08/11 04:43:07 | 000,000,336 | ---- | C] () -- C:\WINDOWS\System32\tablet.dat
[2010/08/11 04:13:24 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2010/08/11 04:13:22 | 000,024,576 | R--- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2010/08/11 04:13:22 | 000,012,664 | R--- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2010/08/11 04:13:20 | 000,012,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2010/08/11 04:13:20 | 000,010,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2010/08/11 04:02:57 | 000,204,800 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2010/08/11 03:46:38 | 000,000,037 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2010/08/11 03:39:19 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2010/08/11 03:13:34 | 000,000,164 | ---- | C] () -- C:\WINDOWS\install.dat
[2010/08/11 03:07:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/08/11 02:48:29 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2010/08/11 02:43:44 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2010/08/10 19:27:51 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/08/10 19:26:45 | 000,266,208 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/06 15:00:20 | 000,016,240 | ---- | C] () -- C:\WINDOWS\System32\SsiEfr.exe
[2009/11/06 12:00:28 | 000,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2004/12/20 14:08:28 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2004/12/20 14:03:26 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2004/08/03 19:07:22 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/02 08:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/03/09 16:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >




OTL Extras logfile created on: 4/8/2011 2:16:48 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Jeff\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 66.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 60.00 Gb Total Space | 24.17 Gb Free Space | 40.28% Space Free | Partition Type: NTFS
Drive D: | 89.04 Gb Total Space | 42.25 Gb Free Space | 47.44% Space Free | Partition Type: NTFS
Drive E: | 232.88 Gb Total Space | 43.45 Gb Free Space | 18.66% Space Free | Partition Type: NTFS
Drive F: | 149.05 Gb Total Space | 53.32 Gb Free Space | 35.77% Space Free | Partition Type: NTFS

Computer Name: JEFFDESK | User Name: Jeff | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\utorrent.exe" = C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{12BB7942-1E1F-43D9-B441-4668C1629425}" = hp officejet 6100 series
"{1F698102-5739-441E-96F0-74F4EA540F06}" = Attansic Ethernet Utility
"{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1" = Spy Sweeper
"{20aa4150-b5f4-11de-8a39-0800200c9a66}_is1" = KompoZer 0.8b3
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 23
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{5AE3D9F1-9E9E-4015-8787-E22705AA32C5}" = msxml4
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}" = LightScribe 1.4.136.1
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.3
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B28B351F-1232-46EA-85EF-B8EA91641033}" = Nero 7 Essentials
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.1.7.343
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
"7-Zip" = 7-Zip 4.57
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AtcL1" = Attansic L1 Gigabit Ethernet Driver
"Audacity_is1" = Audacity 1.2.6
"Bejeweled 2 Deluxe 1.0" = Bejeweled 2 Deluxe 1.0
"Bejeweled Twist 1.0.3" = Bejeweled Twist 1.0.3
"Brother 1440" = Brother 1440
"BROWNIE" = Brownie
"CamStudio" = CamStudio
"CCleaner" = CCleaner
"CDisplay_is1" = CDisplay 1.8
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.55
"CursorXP" = CursorXP
"CutePDF Writer Installation" = CutePDF Writer 2.8
"DivX Setup.divx.com" = DivX Setup
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDStyler_is1" = DVDStyler v1.8.0.1
"ffdshow_is1" = ffdshow [rev 1431] [2007-08-21]
"FLVPlayer" = FLV Player 1.3.3
"Free Mp3 Wma Converter_is1" = Free Mp3 Wma Converter V 1.4.0
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 1.99.1
"HP OfficeJet 6100 Series" = HP Photo and Imaging 2.0 - hp officejet 6100 series
"IconForge version 4.92_is1" = IconForge version 4.92
"jahPlayer" = jahPlayer
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox 4.0 (x86 en-US)" = Mozilla Firefox 4.0 (x86 en-US)
"office Convert Pdf to Jpg Jpeg Tiff Free_is1" = office Convert Pdf to Jpg Jpeg Tiff Free 6.4
"OpenLibraries" = OpenLibraries
"Opera 11.01.1190" = Opera 11.01
"PC Magazine ButtonBoogie 2_is1" = PC Magazine ButtonBoogie 2.1
"QuicktimeAlt_is1" = QuickTime Alternative 3.2.2
"Riva FLV Encoder 2.0_is1" = Riva FLV Encoder 2.0
"Sandboxie" = Sandboxie 3.48
"Tablet Driver" = Tablet
"Tweak UI 2.10" = Tweak UI
"Unlocker" = Unlocker 1.8.5
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.4
"WallMaster" = WallMaster
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WM Converter 2.0" = WM Converter 2.0
"xp-AntiSpy" = xp-AntiSpy 3.96-4
"XviD_is1" = XviD MPEG-4 Video Codec
"ZoneAlarm Anti-virus" = ZoneAlarm Anti-virus
"ZoneAlarm Toolbar" = ZoneAlarm Toolbar
"Zuma Deluxe 1.0" = Zuma Deluxe 1.0
"Zuma's Revenge!" = Zuma's Revenge!

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/3/2010 12:44:17 AM | Computer Name = JEFFDESK | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3909, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x0000100b.

Error - 10/4/2010 9:18:00 PM | Computer Name = JEFFDESK | Source = Application Error | ID = 1000
Description = Faulting application doomsday.exe, version 0.0.0.0, faulting module
doomsday.exe, version 0.0.0.0, fault address 0x00064123.

Error - 11/6/2010 1:02:22 AM | Computer Name = JEFFDESK | Source = Application Error | ID = 1000
Description = Faulting application doomsday.exe, version 0.0.0.0, faulting module
doomsday.exe, version 0.0.0.0, fault address 0x0003ee95.

Error - 11/6/2010 1:06:33 AM | Computer Name = JEFFDESK | Source = Application Error | ID = 1000
Description = Faulting application doomsday.exe, version 0.0.0.0, faulting module
doomsday.exe, version 0.0.0.0, fault address 0x0003ee95.

Error - 11/6/2010 1:08:51 AM | Computer Name = JEFFDESK | Source = Application Error | ID = 1000
Description = Faulting application doomsday.exe, version 0.0.0.0, faulting module
doomsday.exe, version 0.0.0.0, fault address 0x000609f2.

[ System Events ]
Error - 4/5/2011 8:57:58 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.

Error - 4/5/2011 8:59:51 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.

Error - 4/5/2011 9:05:01 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.

Error - 4/5/2011 9:10:11 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.

Error - 4/5/2011 9:12:05 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.

Error - 4/5/2011 9:17:15 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.

Error - 4/5/2011 9:22:25 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.

Error - 4/5/2011 9:24:16 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.

Error - 4/5/2011 9:29:26 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.

Error - 4/5/2011 10:39:01 PM | Computer Name = JEFFDESK | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 192.168.0.3. The machine with the IP address 192.168.0.2 did not
allow the name to be claimed by this machine.


< End of report >



The only things that stand out so far are the three Mozilla Extensions with "No Name found", and VC80CRTRedist - 8.0.50727.4053.

Thanks in Advance!
Jeff Ferreri
  • 0
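Reading an OTL Extras log by eye, as done in this thread, mostly comes down to comparing the Shell Spawning handlers and a few Security Center and firewall values against what Windows XP ships with. The script below is an added example written for this page, not code from OTL, OldTimer or anyone in the thread: it parses those three sections of an Extras log and reports every handler or value that differs from the expected default. The expected defaults are the XP ones (they match what the clean entries in the log above show); the embedded sample excerpt is constructed for the demo, with a hypothetical executable path standing in for a hijacked exefile handler.

```python
"""Audit the 'Shell Spawning', 'Security Center Settings' and 'Firewall
Settings' sections of an OTL Extras log (added example, not OTL code)."""
import re

# Windows XP default shell handlers (the clean entries in the log show the same values).
EXPECTED_HANDLERS = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
}

# (registry key suffix, value name) -> expected data on a default XP install.
EXPECTED_VALUES = {
    ("FirewallPolicy\\StandardProfile", "EnableFirewall"): "1",
    ("FirewallPolicy\\DomainProfile", "EnableFirewall"): "1",
    ("Security Center", "AntiVirusDisableNotify"): "0",
    ("Security Center", "FirewallDisableNotify"): "0",
    ("Security Center", "UpdatesDisableNotify"): "0",
}

SECTION_RE = re.compile(r"^========== (.+?) ==========$")
HANDLER_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.*)$")   # e.g. exefile [open] -- "%1" %*
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")              # e.g. [HKEY_LOCAL_MACHINE\...]
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')            # e.g. "EnableFirewall" = 0


def parse_extras(text):
    """Return {section: {'handlers': {(class, verb): cmd}, 'values': {(key, name): data}}}."""
    sections, section, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections[section] = {"handlers": {}, "values": {}}
            key = None
            continue
        if section is None or not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = HANDLER_RE.match(line)
        if m and section == "Shell Spawning":
            sections[section]["handlers"][(m.group(1), m.group(2))] = m.group(3)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            sections[section]["values"][(key, m.group(1))] = m.group(2)
    return sections


def audit(sections):
    """Return human-readable findings; an empty list means nothing deviated from the defaults."""
    findings = []
    handlers = sections.get("Shell Spawning", {}).get("handlers", {})
    for (cls, verb), expected in EXPECTED_HANDLERS.items():
        actual = handlers.get((cls, verb))
        if actual is None:
            continue  # OTL did not list this handler, so there is nothing to compare
        if actual.startswith("Reg Error"):
            findings.append(f"{cls} [{verb}]: handler key missing or unreadable ({actual})")
        elif actual != expected:
            findings.append(f"{cls} [{verb}]: expected {expected}, found {actual}")
    for sec in sections.values():
        for (key, name), data in sec["values"].items():
            for (suffix, want_name), want in EXPECTED_VALUES.items():
                if key.endswith(suffix) and name == want_name and data != want:
                    findings.append(f"{key}\\{name} = {data} (expected {want})")
    return findings


def audit_log(text):
    return audit(parse_extras(text))


# Constructed excerpt in OTL Extras format; the exefile path is a hypothetical placeholder.
SAMPLE_LOG = r'''
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
exefile [open] -- "C:\Documents and Settings\user\Local Settings\hypothetical.exe" "%1" %*
scrfile [open] -- "%1" /S

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
'''

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

Run against the Extras log in this thread, the script reports only `EnableFirewall = 0` for both profiles; that is expected on this machine because ZoneAlarm replaces the Windows firewall (the `ZoneLabsFirewall` key has `DisableMonitoring = 1`), so the finding is informational rather than a sign of infection. The handler comparison is the part worth keeping: a non-default `exefile [open]` command is what lets a dropped executable run every time any program is launched.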


#2
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello Jeff_F and welcome to G2G! :D

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • Make sure Boot sectors are selected


    Posted Image
  • If an infection is found change action to Quarantine and press Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • Please attach this file for me: C:\TDSSKiller_Quarantine\<date and Time>\boot0000\mbr0000\tsk0000.dta

Step 2

Please send me last Combofix log located in C:\Combofix.txt

Step 3

Download aswMBR.exe (511KB) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply
  • Save the log as before and post in your next reply

Step 4

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • TDSSKiller tsk0000.dta log
  • Combofix log
  • aswMBR log
It would be helpful if you could post each log in a separate post
  • 0

#3
Jeff_F

Jeff_F

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
TDSS Killer Log attached, there was no file to quarantine, so no quarantine log was generated. When I first ran TDSS Killer I deleted what it found, so no Quarantine log was generated then, either.

Attached Files


Edited by Jeff_F, 09 April 2011 - 02:57 PM.

  • 0

#4
Jeff_F

Jeff_F

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
My last ComboFix log.

Attached Files


  • 0

#5
Jeff_F

Jeff_F

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
aswMBR log

It also generated a MBR.dat file, would that be helpful as well?

Attached Files


Edited by Jeff_F, 09 April 2011 - 02:58 PM.

  • 0

#6
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi Jeff_F,

Step 1

Please scan with TDSSKiller one more time. After the scan it will report this file as suspicious:

C:\WINDOWS\system32\DRIVERS\sshrmd.sys

Choose the Cure option to disinfect it.

Post log here for me after that.

Step 2

Please run aswMBR one more time and post log here for me.

Step 3

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
It would be helpful if you could post each log in a separate post
  • 0

#7
Jeff_F

Jeff_F

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
windows.exe crashed
DrWatson crashed

restarted, ran TDSSKiller

Log attached

Attached Files


  • 0

#8
Jeff_F

Jeff_F

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
aswMBR log attached

Attached Files


  • 0

#9
Jeff_F

Jeff_F

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Interesting observation: When I open a sandboxed web browser (Firefox) Google searches delay 10 seconds but do not redirect.
  • 0

#10
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
OK. Infection is still there.

Please scan with aswMBR one more time and after the scan press FIX button (DON'T press FixMBR button)

After that post log here for me.
  • 0


#11
Jeff_F

Jeff_F

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
After scanning the Fix button was unavailable (greyed out) but the Scan, Fix MBR, Save Log, and Exit buttons were all available.

Have attached the new aswMBR log file.

Thank You for your diligent efforts thus far!

Attached Files


  • 0

#12
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Thank you for the additional information about the sandbox. Please do this step:

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan
On the first tab select all elements down to Computer and then select start scan
Confirm deletion to all infection AVP finds
Once it has finished select report and post that.

Posted Image

Do not close AVPTool or it will uninstall itself; if it does uninstall, just rerun the setup file on your desktop
  • 0

#13
Jeff_F

Jeff_F

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Ran Kaspersky virus removal tool. Interestingly it found several items that my commercial Kaspersky AV engine did not, but this could be because the virus(es) were fooling it into thinking it was updating.

Still getting redirects, thinking I should run the tool in Safe Mode.

Log attached.

Attached Files


  • 0

#14
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
I think that your SpySweeper installation is infected, as are all its related documents. Let's try to remove some of them. Test your system after this

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    DRV - [2009/11/06 15:00:36 | 000,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys -- (sshrmd)

    :Commands
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply.

  • 0

#15
Jeff_F

Jeff_F

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
It appears to have failed, Spy Sweeper is pretty resistant to changes.
  • 0
