[LittleBlueHouse]

Hello,

Somehow I picked up a virus or malware that is redirecting Google search links in my browser.

I tried to follow the steps listed here: http://www.geekstogo...ogle-redirects/

However, when I ran the OTM program, it got hung up and never produced an output. I could not get it to work correctly.

I believe this thing attacked my computer when I tried to watch a tv show online. I do not use any peer-to-peer things. After I got a warning from Spyware Doctor, I scanned the computer and fixed everything that came up. Upon restarting my computer the next morning, I found it would not start. It was diagnosed as a corrupted Master Boot Record, and repaired. I am still having problems with Google redirects.

I ran OTL, but the output is huge. If part of it would be helpful, I could post it.

I'd appreciate any help.

Thanks a bunch,
LittleBlueHouse

[Advertisements]

Hello LittleBlueHouse, and welcome to GeeksToGo! My name is Mitch8 and I will be helping you with your problem. Here are a few things I would like to point out:

• Please post your logs, don't attach them unless stated.
• Please read my posts carefully and if you have any questions ask.
• Stay with this topic until I tell you that your system is clean. Malware can still be on your system even if you don't notice it.

Sorry for the delay.

Step 1

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
• Click on this link to see a list of programs that should be disabled.
• Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
• Allow the driver to load if asked.
• You may be prompted to scan immediately if it detects rootkit activity.
• If you are prompted to scan your system click "No", save the log and post back the results.
• If not prompted, click the "Rootkit/Malware" tab.
• On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
• Select all drives that are connected to your system to be scanned.
• Click the Scan button to begin. (Please be patient as it can take some time to complete)
• When the scan is finished, click Save to save the scan results to your Desktop.
• Save the file as Results.log and copy/paste the contents in your next reply.
• Exit the program and re-enable all active protection when done.

Step 2

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

[mitch8]

Hello LittleBlueHouse, and welcome to GeeksToGo! My name is Mitch8 and I will be helping you with your problem. Here are a few things I would like to point out:

• Please post your logs, don't attach them unless stated.
• Please read my posts carefully and if you have any questions ask.
• Stay with this topic until I tell you that your system is clean. Malware can still be on your system even if you don't notice it.

Sorry for the delay.

Step 1

Download GMER from Here. Note the file's name and save it to your root folder, such as C:\.

• Disconnect from the Internet and close all running programs.
• Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
• Click on this link to see a list of programs that should be disabled.
• Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
• Allow the driver to load if asked.
• You may be prompted to scan immediately if it detects rootkit activity.
• If you are prompted to scan your system click "No", save the log and post back the results.
• If not prompted, click the "Rootkit/Malware" tab.
• On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
• Select all drives that are connected to your system to be scanned.
• Click the Scan button to begin. (Please be patient as it can take some time to complete)
• When the scan is finished, click Save to save the scan results to your Desktop.
• Save the file as Results.log and copy/paste the contents in your next reply.
• Exit the program and re-enable all active protection when done.

Step 2

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

[mitch8]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

[admin]

Reopened at topic starters request.

[LittleBlueHouse]

Thank you for reopening this. I will have time in the next day or two to walk through the steps you recommended.

[LittleBlueHouse]

Hello, and sorry for the initial lapse. I wasn't aware that anyone had answered my topic.

I have downloaded and run GMER. It detected rootkit activity. I did not scan the system. Here is the log as you requested:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-07-11 21:56:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 ST3400633AS rev.3.AAD
Running: 0yy85y98.exe; Driver: C:\DOCUME~1\Louis\LOCALS~1\Temp\awtdraow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

---- Processes - GMER 1.0.15 ----

Process hidden process (*** hidden *** ) 28088
Process hidden process (*** hidden *** ) 28244
Process hidden process (*** hidden *** ) 28364
Process hidden process (*** hidden *** ) 28608

---- EOF - GMER 1.0.15 ----

[mitch8]

Hi,

Can you run another quick scan with OTL? If it is too big to post like before try attaching it to your post.

[LittleBlueHouse]

I just tried running OTL, but before it was finished it gave me this error message:

Windows - No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

I still have the old output, dated 6/3/11, but it is 1.6 MB, and I'm only allowed to upload 1. Is there a section I could post that would be helpful? There was definitely some wonky-looking stuff listed under the "Hosts" section.

[mitch8]

1.6 MB? Something is wrong. I guess just post as much as you can (until your file reaches 1 MB). But before you do that try right clicking on the file and select send to -> compressed zipped folder. Try posting the zip folder.

[LittleBlueHouse]

It compressed down to 122 kb in a zip file. Most of it looks like legitimate program stuff, but you are the expert.

Thanks for your help!

Attached Files

•  OTL.zip   122.36KB   153 downloads

[mitch8]

You're right, nothing is that bad. I suspect there is more.

Run this tool:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan


On completion of the scan click save log, save it to your desktop and post in your next reply

[LittleBlueHouse]

I tried twice to run this program, but twice it froze-up my entire computer and I couldn't get it to finish.

The second time it got far enough to show the following in red:
C:\WINDOWS\system32\kbdnecp.dll **INFECTED** win32:Malob-GD [cryp]

[mitch8]

Hi,

Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

[LittleBlueHouse]

Here is the log:

ComboFix 11-07-19.04 - Louis 07/19/2011 21:48:17.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1396 [GMT -4:00]
Running from: c:\documents and settings\Louis\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
ADS - system32: deleted 142 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt
c:\documents and settings\Louis\Application Data\Adobe\plugs
c:\documents and settings\Louis\Application Data\Adobe\shed
c:\documents and settings\Louis\Application Data\Microsoft\Internet Explorer\Desktop.htt
c:\documents and settings\Louis\WINDOWS
c:\windows\desktop
c:\windows\desktop\Cook'n Healthy & Hearty.lnk
c:\windows\system32\skinboxer43.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-06-20 to 2011-07-20 )))))))))))))))))))))))))))))))
.
.
2011-07-12 01:07 . 2011-07-12 01:07 302592 ----a-w- C:\0yy85y98.exe
2011-06-26 01:46 . 2011-06-26 01:46 -------- d-----w- c:\program files\Apple Software Update
2011-06-26 01:43 . 2011-06-26 01:43 -------- d-----w- c:\program files\iPod
2011-06-26 01:43 . 2011-06-26 01:44 -------- d-----w- c:\program files\iTunes
2011-06-24 19:25 . 2011-06-24 19:25 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-24 19:25 . 2011-06-24 19:25 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-24 19:16 . 2011-06-24 19:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-23 14:09 . 2011-06-24 19:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-23 14:09 . 2011-06-24 19:25 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-23 14:09 . 2011-06-24 19:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-23 14:09 . 2011-06-24 19:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-23 14:09 . 2011-06-24 19:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-23 14:08 . 2011-06-24 19:25 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-11 15:29 . 2008-05-19 12:19 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-06-02 14:02 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2006-08-25 02:55 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2006-02-28 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2006-02-28 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2010-01-14 18:03 . 2010-01-14 18:03 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-01-14 18:03 . 2010-01-14 18:03 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-14 18:03 . 2010-01-14 18:03 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-01-14 18:03 . 2010-01-14 18:03 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-06-24 19:25 . 2011-06-23 14:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]
@="{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}"
[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2011-03-04 00:52 762000 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"PCTools FGuard"="c:\program files\Spyware Doctor\BDT\FGuard.exe" [2011-01-07 108496]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2011-03-04 948880]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2011-01-24 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-01-03 274608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\Louis\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\Louis\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2011-5-25 1731736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNA1100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA1100\WNA1100.exe [2011-6-1 4573664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk]
backup=c:\windows\pss\Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICS5R7Y0OS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\R8388QA8U8
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 04:59 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-08 04:02 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-03-24 02:00 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DACSMiniApp]
2008-03-13 16:05 128256 ----a-w- c:\program files\Fisher-Price\DACS\MiniApp\DACSMiniApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 20:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 20:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 13:03 210472 ----a-w- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-01-03 14:50 274608 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-07-12 16:32 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xvid]
2011-01-17 19:41 8192 ----a-w- c:\program files\Xvid\CheckUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Autodesk\\3dsMax8\\3dsmax.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Louis\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/9/2009 5:24 PM 237632]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [11/14/2010 11:38 AM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [11/14/2010 11:38 AM 656320]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [5/5/2011 11:00 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [5/5/2011 11:00 PM 68880]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [5/9/2009 5:24 PM 249616]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/3/2009 4:32 PM 247760]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [1/24/2011 2:35 PM 25824]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [12/3/2009 4:00 PM 632792]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [9/13/2006 1:09 AM 15840]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 12:42 PM 14088]
R2 WSWNA1100;WSWNA1100;c:\program files\NETGEAR\WNA1100\WifiSvc.exe [6/1/2011 2:09 PM 268768]
R3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [6/1/2011 2:13 PM 1723840]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [6/1/2011 2:09 PM 57440]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [9/27/2006 5:12 PM 10664]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\NETGEAR\WNA1100\jswpsapi.exe [6/1/2011 2:09 PM 360529]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [5/9/2009 5:24 PM 70536]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/5/2008 7:56 AM 366840]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [5/5/2011 11:00 PM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [7/8/2008 4:53 PM 24652]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-07-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-722476477-2073706597-2571452138-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
2011-07-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-722476477-2073706597-2571452138-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/webhp?hl=en
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Download all by NetXfer - c:\program files\Xi\NetXfer\NXAddList.html
IE: Download by NetXfer - c:\program files\Xi\NetXfer\NXAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: aol.com\free
Trusted Zone: intermedia.net\owa
Trusted Zone: myfairpoint.net
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Louis\Application Data\Mozilla\Firefox\Profiles\8tys3n7i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=14-06-2009&tb_mrud=07-05-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=14-06-2009&tb_mrud=07-05-2010&query=
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-19 22:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Louis\Application Data\Mozilla\Firefox\Profiles\8tys3n7i.default\prefs.js.BAK 19292 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3400633AS rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-22
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 781420653 (+255): user != kernel
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1536)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\athgina.dll
.
- - - - - - - > 'lsass.exe'(1592)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2011-07-19 22:13:43
ComboFix-quarantined-files.txt 2011-07-20 02:13
.
Pre-Run: 126,947,454,976 bytes free
Post-Run: 127,763,558,400 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 1F6EA681D92A6FDDD8F250293F33A367

[mitch8]

Hi,

Please download MBRCheck.exe to your desktop.

• Double click to run it
• It will prompt you with some text
• A text file will be generated on your desktop
• Now paste that text here for me.