Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Internet Explorer and Google Chrome redirecting


  • Please log in to reply

#1
craigrulez

craigrulez

    Member

  • Member
  • PipPip
  • 28 posts
Hello:

I have an issue with Internet Explorer and Google Chrome redirecting to advertisement sites after I perform a search either with google or yahoo and click on a link. This problem began 11/29/11, my computer got infected with a trojan virus the newest one which causes multiple alert windows to pop up regarding HDD being low, then another window pops up saying the system is being scanned, this trojan disabled my task manager and caused my start menu to lose all information as well as my desktop. (I was using Mozilla Firefox at the time of infection) I ran PC Tools Spyware Doctor, it said it found an infection, cleaned it, restarted, and the same thing happened. After some extensive research I was able to pull up the task manager through the start menu, killed the random name (it was a series of numbers and letters)program, and restored my PC to the 11/28/11 configuration.

That took care of the virus it seemed, but now I am having the redirecting issue, my version of PC Tools Spyware Doctor is suddenly an older version and it is not letting me download the newer version. I also had been using Mozilla Firefox in the past, but suddenly the program was having an issue with a java component and wouldn't run correctly, so I uninstalled. I downloaded Malwarebytes' Anti-malware 1.51.2.1300 and ran this program, it found 7 infections, cleaned them and restarted PC. The redirect problem still exists and I notice that when I open my task manager, when I don't have iexplorer running myself, it is running and using between 175,000 - 250,000 bytes. I have posted the OTL scan information below.

Thank you for your assistance.


OTL logfile created on: 11/30/2011 9:09:00 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.06 Gb Available Physical Memory | 52.96% Memory free
2.55 Gb Paging File | 1.78 Gb Available in Paging File | 69.72% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 23.24 Gb Free Space | 31.21% Space Free | Partition Type: NTFS
Drive D: | 658.83 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 7.39 Gb Total Space | 4.93 Gb Free Space | 66.70% Space Free | Partition Type: FAT32

Computer Name: DESK-CVERDOORN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/30 09:04:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/08/22 01:18:08 | 006,276,408 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2011/02/18 10:14:04 | 000,371,472 | ---- | M] (PC Tools) -- C:\Program Files\PC Tools Security\pctsAuxs.exe
PRC - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/01 15:22:02 | 003,739,648 | ---- | M] (Google) -- C:\Program Files\Google\Google Talk\googletalk.exe
PRC - [2003/05/15 00:19:50 | 000,217,193 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/22 01:18:06 | 000,925,696 | ---- | M] () -- C:\Program Files\Yahoo!\Messenger\yui.dll
MOD - [2011/08/22 01:18:06 | 000,078,336 | ---- | M] () -- C:\Program Files\Yahoo!\Messenger\pcre.dll
MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/02/05 12:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/04/13 18:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 18:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2003/05/15 00:03:46 | 000,147,456 | ---- | M] () -- C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (winss)
SRV - File not found [Auto | Stopped] -- -- (vwservice)
SRV - File not found [Auto | Stopped] -- -- (Browser Defender Update Service)
SRV - [2011/09/01 13:50:48 | 001,117,144 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\pctsSvc.exe -- (sdCoreService)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/18 11:06:50 | 000,071,008 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\PC Tools Security\TFEngine\TFService.exe -- (ThreatFire)
SRV - [2011/02/18 10:14:04 | 000,371,472 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\PC Tools Security\pctsAuxs.exe -- (sdAuxService)
SRV - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/23 10:45:00 | 000,326,688 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2011/08/18 11:07:40 | 000,079,512 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfSysMon.sys -- (TFSysMon)
DRV - [2011/08/18 11:07:40 | 000,054,328 | --S- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\TfFsMon.sys -- (TfFsMon)
DRV - [2011/08/18 11:07:40 | 000,035,264 | --S- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TfNetMon.sys -- (TfNetMon)
DRV - [2011/08/18 08:31:02 | 000,184,536 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PCTSD.sys -- (PCTSD)
DRV - [2011/07/19 08:23:40 | 000,070,664 | ---- | M] (PC Tools) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pctplsg.sys -- (pctplsg)
DRV - [2011/07/19 08:18:26 | 000,252,712 | ---- | M] (PC Tools) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pctgntdi.sys -- (pctgntdi)
DRV - [2010/07/16 13:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pctEFA.sys -- (pctEFA)
DRV - [2010/07/16 13:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2007/10/12 07:07:10 | 000,055,808 | ---- | M] (The SHVPN Project) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tap0801.sys -- (tap0801)
DRV - [2007/02/15 13:59:56 | 001,754,624 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/09/13 20:45:38 | 000,003,456 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atiide.sys -- (atiide)
DRV - [2006/05/16 20:03:24 | 000,044,544 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/03/17 03:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2006/01/10 10:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2003/09/19 14:45:48 | 000,021,248 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070317
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2070317

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default = 21 08 48 3B DD EC 0F 45 9D C4 DF 47 F0 AD A5 41 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.com/access/allinone.asp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{cb84136f-9c44-433a-9048-c5cd9df1dc16}: C:\Program Files\PC Tools Security\BDT\Firefox\ [2011/11/29 19:13:25 | 000,000,000 | ---D | M]

[2011/11/29 19:17:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/24 10:30:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.121\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\15.0.874.121\pdf.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: MetaStream 3 Plugin (Enabled) = C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2007/05/17 08:46:12 | 000,000,734 | -H-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O2 - BHO: (Reg Error: Value error.) - {CAF2183F-68EA-4188-80C4-4CF36E9E2225} - Reg Error: Value error. File not found
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [B2C_AGENT] C:\Documents and Settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe (LG Electronics)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe (Google)
O4 - HKLM..\Run: [ISTray] C:\Program Files\PC Tools Security\pctsGui.exe (PC Tools)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKCU..\Run: [Aim6] C:\Program Files\AIM6\aim6.exe (AOL LLC)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Palm Registration.lnk = C:\Program Files\Palm\register.exe (Palm/Leader Technologies)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} http://h30155.www3.h...llMgr_v01_5.cab (FixController Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 208.59.247.45 208.59.247.46
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = StudentAidLending.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{07F0E1A3-1DDD-444C-A4E9-92FB3F9FC9C5}: DhcpNameServer = 192.168.2.1 208.59.247.45 208.59.247.46
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2000/09/20 18:55:56 | 000,827,392 | R--- | M] () - D:\AUTORUN.EXE -- [ CDFS ]
O32 - AutoRun File - [2000/07/06 18:04:48 | 000,000,135 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Value error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/11/30 09:04:08 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/11/29 20:04:19 | 000,000,000 | ---D | C] -- C:\Avenger
[2011/11/29 19:29:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/11/29 19:29:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/11/29 19:29:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/11/29 19:29:06 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/11/29 19:29:06 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/11/29 19:22:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2011/11/29 18:55:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Real
[2011/11/29 18:28:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PC Tools Security
[2011/11/29 18:28:29 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/11/29 14:38:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\PCTools
[2011/11/29 02:11:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TestApp
[2011/11/17 12:39:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/11/17 12:38:19 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/11/17 12:38:15 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/11/17 10:39:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2011/11/11 00:06:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2011/11/11 00:05:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger
[2011/11/03 12:03:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/11/03 12:03:35 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/30 09:04:09 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/11/30 08:42:17 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\pxpnb.sys
[2011/11/30 08:25:01 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/11/29 20:06:13 | 000,002,413 | ---- | M] () -- C:\WINDOWS\System32\lgAxconfig.ini
[2011/11/29 20:05:47 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/11/29 20:05:46 | 000,002,206 | -H-- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/29 20:05:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/29 20:05:14 | 2145,337,344 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/29 19:22:46 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2011/11/29 19:22:46 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/11/29 18:33:56 | 000,000,750 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Palm Registration.lnk
[2011/11/29 15:18:45 | 000,000,440 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\ZEi5uYcgM071Dh
[2011/11/29 15:18:02 | 000,000,312 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~ZEi5uYcgM071Dh
[2011/11/29 15:18:02 | 000,000,216 | -H-- | M] () -- C:\Documents and Settings\All Users\Application Data\~ZEi5uYcgM071Dhr
[2011/11/29 02:18:09 | 000,445,370 | -H-- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/29 02:18:09 | 000,072,576 | -H-- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/11/24 10:39:03 | 000,000,284 | -H-- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/11/17 12:39:45 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/11/11 00:05:32 | 000,000,818 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2011/11/11 00:05:32 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2011/11/08 10:52:56 | 000,001,201 | ---- | M] () -- C:\WINDOWS\System32\LexFiles.usr
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/30 08:42:17 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\pxpnb.sys
[2011/11/29 19:22:46 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2011/11/29 19:22:46 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/11/29 19:20:41 | 000,000,900 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/11/29 19:20:40 | 000,000,896 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/11/29 15:18:02 | 000,000,312 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~ZEi5uYcgM071Dh
[2011/11/29 15:18:02 | 000,000,216 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\~ZEi5uYcgM071Dhr
[2011/11/29 15:17:56 | 000,000,440 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\ZEi5uYcgM071Dh
[2011/11/17 12:39:45 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/11/11 00:05:32 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2011/11/11 00:05:32 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2011/09/08 13:34:49 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll1123.old
[2011/08/30 22:24:29 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/07 07:04:55 | 000,040,800 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/05/18 18:27:36 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\CommonDL.dll
[2011/05/18 18:27:36 | 000,002,413 | ---- | C] () -- C:\WINDOWS\System32\lgAxconfig.ini
[2011/05/15 18:35:57 | 000,006,774 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\7hmxw681gt1y0f48sfbt21434460ctd2rv6u2
[2011/05/15 18:35:57 | 000,006,774 | -HS- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\7hmxw681gt1y0f48sfbt21434460ctd2rv6u2
[2011/05/11 18:32:08 | 000,232,968 | -H-- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/05/11 18:32:04 | 000,232,968 | -H-- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/05/11 18:32:04 | 000,000,001 | -H-- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/04/28 16:37:14 | 000,000,507 | ---- | C] () -- C:\WINDOWS\LMAAQ2DD.ini
[2011/04/14 15:29:32 | 000,000,664 | -H-- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/09 16:38:00 | 002,195,030 | -H-- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2007/09/24 16:43:10 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\nnr.dll
[2007/08/31 09:24:12 | 000,000,036 | ---- | C] () -- C:\WINDOWS\iltwain.ini
[2007/08/31 09:24:10 | 000,000,056 | ---- | C] () -- C:\WINDOWS\Addrfixr.ini
[2007/08/31 09:23:28 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\DYMOCFG.DLL
[2007/08/31 09:23:27 | 000,005,563 | ---- | C] () -- C:\WINDOWS\System32\dymourl.ini
[2007/06/27 14:59:31 | 000,000,335 | -H-- | C] () -- C:\WINDOWS\nsreg.dat
[2007/06/05 07:46:05 | 000,060,565 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2007/06/05 07:46:05 | 000,029,114 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2007/06/05 07:46:05 | 000,021,021 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2007/06/05 07:46:05 | 000,015,670 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2007/06/05 07:46:05 | 000,013,280 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2007/06/05 07:46:05 | 000,010,673 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2007/06/05 07:46:05 | 000,004,943 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2007/06/05 07:46:05 | 000,001,140 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2007/06/05 07:46:05 | 000,001,140 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2007/06/05 07:46:05 | 000,001,137 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2007/06/05 07:46:05 | 000,001,130 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2007/06/05 07:46:05 | 000,001,130 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2007/06/05 07:46:05 | 000,001,104 | -H-- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2007/06/05 07:46:05 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/06/05 07:44:49 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPCX3800.ini
[2007/05/14 07:33:47 | 003,717,616 | -HS- | C] () -- C:\WINDOWS\System32\pvgeydbw.ini
[2007/05/04 07:39:54 | 001,943,761 | -HS- | C] () -- C:\WINDOWS\System32\ffbplnlx.ini
[2007/05/02 16:29:20 | 000,078,874 | -H-- | C] () -- C:\WINDOWS\hpfins05.dat.temp
[2007/05/02 16:29:20 | 000,001,395 | -H-- | C] () -- C:\WINDOWS\hpfmdl05.dat.temp
[2007/04/26 08:09:28 | 000,000,644 | -HS- | C] () -- C:\WINDOWS\System32\disynhif.ini
[2007/04/20 09:32:09 | 001,387,127 | -HS- | C] () -- C:\WINDOWS\System32\qqstv.ini2
[2007/04/11 08:51:40 | 000,000,002 | ---- | C] () -- C:\WINDOWS\System32\wnsintcc32.exe
[2007/04/04 16:55:01 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2007/04/04 16:55:01 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2007/03/26 14:11:56 | 001,632,752 | -HS- | C] () -- C:\WINDOWS\System32\koeouatg.ini
[2007/03/24 08:32:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/03/17 10:06:45 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/03/17 10:06:16 | 000,000,136 | -H-- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2007/03/17 09:44:48 | 002,515,656 | -H-- | C] () -- C:\WINDOWS\System32\ativvaxx.dat
[2007/03/17 09:44:48 | 000,136,650 | -H-- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2007/03/17 09:44:35 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2007/03/17 09:43:34 | 000,000,389 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:19:30 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2004/08/11 17:12:14 | 000,021,640 | -H-- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 17:07:24 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/11 17:06:43 | 000,212,880 | -H-- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/08/11 17:00:30 | 000,004,569 | -H-- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/11 17:00:28 | 000,445,370 | -H-- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/11 17:00:28 | 000,272,128 | -H-- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/11 17:00:28 | 000,072,576 | -H-- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/11 17:00:28 | 000,028,626 | -H-- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/11 17:00:27 | 000,004,627 | -H-- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/11 17:00:26 | 013,107,200 | -H-- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/11 17:00:24 | 000,000,741 | -H-- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/08/11 17:00:19 | 000,673,088 | -H-- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/11 17:00:19 | 000,046,258 | -H-- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/11 17:00:12 | 000,218,003 | -H-- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/11 17:00:04 | 000,001,804 | -H-- | C] () -- C:\WINDOWS\System32\dcache.bin
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2007/10/01 13:56:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\acccore
[2007/12/10 10:40:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CoreFTP
[2007/07/29 13:34:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\HotSync
[2007/10/23 10:34:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2011/11/29 14:38:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PCTools
[2011/11/29 02:11:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TestApp
[2007/10/26 13:47:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Viewpoint
[2007/12/19 13:11:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Arovax
[2007/04/03 18:19:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2011/05/18 18:35:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LGMOBILEAX
[2011/11/29 20:09:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/09/18 13:17:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2011/04/19 17:59:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2007/05/02 10:40:39 | 000,000,402 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2007/05/02 09:42:11 | 000,000,000 | ---D | M](C:\WINDOWS\?icrosoft.NET) -- C:\WINDOWS\Μicrosoft.NET
[2007/05/02 07:41:30 | 000,000,000 | ---D | C](C:\WINDOWS\?icrosoft.NET) -- C:\WINDOWS\Μicrosoft.NET
[2007/04/11 11:11:49 | 000,000,000 | ---D | M](C:\WINDOWS\A?pPatch) -- C:\WINDOWS\AрpPatch
[2007/04/11 11:06:39 | 000,000,000 | ---D | M](C:\WINDOWS\System32\?ppPatch) -- C:\WINDOWS\System32\ΑppPatch
[2007/04/11 08:51:39 | 000,000,000 | ---D | C](C:\WINDOWS\A?pPatch) -- C:\WINDOWS\AрpPatch
[2007/04/11 08:51:33 | 000,000,000 | ---D | C](C:\WINDOWS\System32\?ppPatch) -- C:\WINDOWS\System32\ΑppPatch

========== Alternate Data Streams ==========

@Alternate Data Stream - 191 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:430C6D84

< End of report >
  • 0

Advertisements


#2
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Welcome to GeeksToGo craigrulez,

Yes, the system appears to be still infected. If this is not a paid version of Spyware Doctor, it actually would help things if it were out of the way, and since it is likely corrupted by the malware, all the more reason. If you are able to, saving any registration info if it is a paid version, please uninstall Spyware Doctor. It has done what it might, and tends to interfere with real repairs we need to do now.

Before we start repairs, there are a few other checks we will need to do.

Right off see if you can access Safe Mode, where the malware is less active. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.


To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

Note - If Gmer shows it has located infection once it's opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Decline a download of avast itself if offered
  • If avast! antivirus is already installed, go to the dropdown next to AV engine: and select (none)
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

A lot, but comprehensive, and will make sure we get a good view of everything.

OTL should have also created an Extras.txt log, in the same location as the OTL.exe file, so please post that as well.
  • 0

#3
craigrulez

craigrulez

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hello Jintan:

These additional scans are to be completed while is Safe Mode with Networking, correct?

Thanks.
  • 0

#4
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Yes, please.
  • 0

#5
craigrulez

craigrulez

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Jintan:

I am unable to uninstall Spyware Doctor (it is a registered copy), it tells me that the unistall.msg is missing and will not run any further.

I scanned with GMER and it found no modifications so it had no log for me to post. I am having trouble running aswMBR, I downloaded it to my desktop and when I double click to open it, the program doesn't start.

Below is the Extras log from OTL.

Thanks.



OTL Extras logfile created on: 11/30/2011 9:09:00 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.06 Gb Available Physical Memory | 52.96% Memory free
2.55 Gb Paging File | 1.78 Gb Available in Paging File | 69.72% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 23.24 Gb Free Space | 31.21% Space Free | Partition Type: NTFS
Drive D: | 658.83 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive E: | 7.39 Gb Total Space | 4.93 Gb Free Space | 66.70% Space Free | Partition Type: FAT32

Computer Name: DESK-CVERDOORN | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Value error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Inter-Tel\Inter-Tel 8602\IT8602_IP_SoftPhone.exe" = C:\Program Files\Inter-Tel\Inter-Tel 8602\IT8602_IP_SoftPhone.exe:*:Enabled:Inter-Tel 8602
"C:\Program Files\Adobe\Adobe Contribute CS3\Contribute.exe" = C:\Program Files\Adobe\Adobe Contribute CS3\Contribute.exe:*:Enabled:Contribute

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\DOCUME~1\ChrisV\LOCALS~1\Temp\win1B.tmp.exe" = C:\DOCUME~1\ChrisV\LOCALS~1\Temp\win1B.tmp.exe:*:Enabled:win1B.tmp
"D:\Utility\Installer\InstallationManager.exe" = D:\Utility\Installer\InstallationManager.exe:*:Enabled:Xerox Windows Common Print Driver Installer
"C:\WINDOWS\TEMP\win1002.tmp.exe" = C:\WINDOWS\TEMP\win1002.tmp.exe:*:Enabled:win1002.tmp
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"C:\Program Files\Adobe\Adobe Contribute CS3\Contribute.exe" = C:\Program Files\Adobe\Adobe Contribute CS3\Contribute.exe:*:Enabled:Contribute
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:World of Warcraft -- (Blizzard Entertainment)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- (Google)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0030188A-533E-42EE-9837-E044F10E4369}" = Palm
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{26A24AE4-039D-4CA4-87B4-2F83216024FF}" = Java™ 6 Update 29
"{3127F76D-5335-4AC7-BD1E-2F5247A23C24}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6314D540-E3C1-4F30-AEEB-4154C93375C3}" = HP Driver Diagnostics
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7279647E-8661-48DF-998E-E7DCC3E6955D}" = Microsoft Office Live Meeting 2005
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0 Standard
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB9FF6BD-FCE9-43FB-AD3C-5BCD4C822962}" = ATI Catalyst Control Center
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1
"{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}" = ArcSoft PhotoImpression 5
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AIM_6" = AIM 6
"ATI Display Driver" = ATI Display Driver
"Browser Defender_is1" = Browser Defender 3.0
"DYMO Label Software" = DYMO Label Software
"Google Chrome" = Google Chrome
"ie8" = Windows Internet Explorer 8
"Lexmark_HostCD" = Lexmark Software Uninstall
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Red Alert 2" = Command & Conquer Red Alert 2
"Registry Mechanic_is1" = Registry Mechanic 6.0
"Spyware Doctor" = Spyware Doctor 8.0
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3
"World of Warcraft" = World of Warcraft
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
  • 0

#6
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Looks like the system is rootkitted, so has malware starting early in the boot sequence, and owns the situation come normal bootup. Please run in Safe Mode with Networking, as indicated earlier.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Always.


Click here and download Kaspersky's TDSSKiller to your desktop, but as you download it, rename it to larry.com then click that file to run TDSSKiller.

In the display that opens click Start scan. Once that completes, follow any prompts to act on anything it located, including as reboot if requested.

When the scan completes it will create a log file on your C drive.

Similar in name to this:

C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt

Your copy will be different - some of those numbers will reflect the date/time it was just run by you there.

Copy/paste those contents back here please.

If TDSSKiller indicates a reboot, but the system freezes, hold down the computer's Startup button for about 8 seconds, until the system shuts down. then reboot, and run the same sequence as listed in this post.

------

Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

Post that and the TDSSKiller log please.
  • 0

#7
craigrulez

craigrulez

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hey Jintan:

I downloaded TDSSKiller, saved it to my desktop as larry.com and attempted to run it, but it does not, no window opens.

Additionally, I attempted to run combofix and it gets as far as scanning for infected files with the cursor blinking, but after about 30 minutes the cursor stops blinking and nothing further happens.

Also, not sure if they will be any help, but I did notice when I'm starting in Safe Mode with Networking as well as starting normally, in my task manager the services.exe is consistently between 275-310k for about 5 minutes and then holds steady at 270k.

Thanks.

Edited by craigrulez, 01 December 2011 - 10:45 PM.

  • 0

#8
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
See if Gmer can spot what's involved there.

Open Gmer again. Once it has completed it's opening scan, this time just right click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.

--------

Also download GetPartitions from the link bellow on your desktop

getpartitions.exe

Double click to run it
It will produce C:\DiskReport.txt log please post results from that log here to me.
  • 0

#9
craigrulez

craigrulez

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hey Jintan:

Well finally some success. :) Below are both the logs you requested, first one is the Gmer and second is Getpartitions.

Thanks!



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-02 16:47:47
Windows 5.1.2600 Service Pack 3
Running: 7fgp6nep.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aflcyfog.sys


---- Modules - GMER 1.0.15 ----

Module atiide.sys (ATI SATA(IDE Mode) Controller Driver/ATI Technologies Inc.) F7A50000-F7A51000 (4096 bytes)
Module PCTCore.sys (PC Tools KDS Core Driver/PC Tools) F7417000-F7468000 (331776 bytes)
Module pctDS.sys (PC Tools Data Store/PC Tools) F7840000-F7897000 (356352 bytes)
Module pctEFA.sys (PC Tools Extended File Attributes/PC Tools) F7B3A000-F7BDF000 (675840 bytes)
Module \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.) F776F000-F7775000 (24576 bytes)
Module \SystemRoot\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows ® Server 2003 DDK provider) B8574000-B859C000 (163840 bytes)
Module \SystemRoot\system32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation NDIS 5.1 ethernet driver/Broadcom Corporation) F7687000-F7697000 (65536 bytes)
Module \SystemRoot\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) F779F000-F77A4000 (20480 bytes)
Module \??\C:\WINDOWS\system32\drivers\pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools) B8338000-B8374000 (245760 bytes)
Module \SystemRoot\System32\ATMFD.DLL (Windows NT OpenType/Type 1 Font Driver/Adobe Systems Incorporated) BD012000-BD059000 (290816 bytes)
Module \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aflcyfog.sys (GMER Driver http://www.gmer.net/GMER) (GMER) B5F15000-B5F2E000 (102400 bytes)

---- Processes - GMER 1.0.15 ----

Process chrome.exe 776
Process chrome.exe 1096
Process 7fgp6nep.exe 1484

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\ADIHdAud.sys (High Definition Audio Function Driver/Analog Devices, Inc.) [MANUAL] ADIHdAudAddService
Service C:\WINDOWS\system32\DRIVERS\aliide.sys (ALi mini IDE Driver/Acer Laboratories Inc.) [DISABLED] AliIde
Service C:\WINDOWS\system32\DRIVERS\amdagp.sys (AMD Win2000 AGP Filter/Advanced Micro Devices, Inc.) [DISABLED] amdagp
Service system32\DRIVERS\lgandbus.sys [MANUAL] Andbus
Service system32\DRIVERS\lganddiag.sys [MANUAL] AndDiag
Service system32\DRIVERS\lgandgps.sys [MANUAL] AndGps
Service system32\DRIVERS\lgandmodem.sys [MANUAL] ANDModem
Service System32\Drivers\lgandadb.sys [MANUAL] androidusb
Service C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (MobileDeviceService/Apple Inc.) [AUTO] Apple Mobile Device
Service C:\WINDOWS\system32\DRIVERS\asc.sys (AdvanSys SCSI Controller Driver/Advanced System Products, Inc.) [DISABLED] asc
Service C:\WINDOWS\system32\DRIVERS\asc3550.sys (AdvanSys Ultra-Wide PCI SCSI Driver/Advanced System Products, Inc.) [DISABLED] asc3550
Service C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) [AUTO] Ati HotKey Poller
Service C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) [MANUAL] ati2mtag
Service Atierecord
Service C:\WINDOWS\system32\DRIVERS\atiide.sys (ATI SATA(IDE Mode) Controller Driver/ATI Technologies Inc.) [BOOT] atiide
Service C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation NDIS 5.1 ethernet driver/Broadcom Corporation) [MANUAL] bcm4sbxp
Service C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) [AUTO] Bonjour Service
Service C:\Program Files\PC Tools Security\BDT\BDTUpdateService.exe [AUTO] Browser Defender Update Service
Service C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD PCI IDE Bus Driver/CMD Technology, Inc.) [DISABLED] CmdIde
Service C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Disk Array Controller Driver/Mylex Corporation) [DISABLED] dac2w2k
Service C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys (Process Trigger Driver/GTek Technologies Ltd.) [MANUAL] DSproct
Service C:\WINDOWS\system32\DRIVERS\e100b325.sys (NDIS 5 driver/Intel Corporation) [MANUAL] E100B
Service C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.) [MANUAL] GEARAspiWDM
Service C:\Program [AUTO] gupdate
Service C:\Program [MANUAL] gupdatem
Service C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows ® Server 2003 DDK provider) [MANUAL] HDAudBus
Service C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (IDriverT Module/Macrovision Corporation) [MANUAL] IDriverT
Service IKFileSec
Service IKSysFlt
Service C:\Program Files\iPod\bin\iPodService.exe (iPodService Module (32-bit)/Apple Inc.) [MANUAL] iPod Service
Service C:\Program Files\Java\jre6\bin\jqs.exe (Java™ Quick Starter Service/Sun Microsystems, Inc.) [AUTO] JavaQuickStarterService
Service C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes' Anti-Malware/Malwarebytes Corporation) [MANUAL] MBAMProtector
Service C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes' Anti-Malware/Malwarebytes Corporation) [AUTO] MBAMService
Service C:\WINDOWS\system32\drivers\mbamswissarmy.sys [MANUAL] MBAMSwissArmy
Service C:\WINDOWS\system32\DRIVERS\mraid35x.sys (MegaRAID RAID Controller Driver for Windows Whistler 32/American Megatrends Inc.) [DISABLED] mraid35x
Service MSDTC Bridge 3.0.0.0
Service MSFW
Service C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Compatible Windows 2000 Miniport Driver, Version 258.96 /NVIDIA Corporation) [MANUAL] nv
Service C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Driver Helper Service, Version 258.96/NVIDIA Corporation) [AUTO] nvsvc
Service Outlook
Service system32\drivers\PalmUSBD.sys [MANUAL] PalmUSBD
Service C:\WINDOWS\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) [BOOT] PCTCore
Service C:\WINDOWS\system32\drivers\pctDS.sys (PC Tools Data Store/PC Tools) [BOOT] pctDS
Service C:\WINDOWS\system32\drivers\pctEFA.sys (PC Tools Extended File Attributes/PC Tools) [BOOT] pctEFA
Service C:\WINDOWS\system32\drivers\pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools) [SYSTEM] pctgntdi
Service C:\WINDOWS\system32\drivers\pctplsg.sys (PC Tools SG Plugin Driver/PC Tools) [MANUAL] pctplsg
Service C:\WINDOWS\System32\Drivers\PCTSD.sys (PC Tools SD Driver/PC Tools) [SYSTEM] PCTSD
Service C:\ComboFix\pev.3XE [AUTO] PEVSystemStart
Service C:\WINDOWS\system32\drivers\pfc.sys (Padus® ASPI Shell/Padus, Inc.) [MANUAL] pfc
Service C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) [MANUAL] Ptilink
Service C:\WINDOWS\system32\DRIVERS\ql1080.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) [DISABLED] ql1080
Service C:\WINDOWS\system32\DRIVERS\ql12160.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) [DISABLED] ql12160
Service C:\WINDOWS\system32\DRIVERS\ql1280.sys (Miniport Driver for QLogic ISP PCI Adapters/QLogic Corporation) [DISABLED] ql1280
Service C:\Program Files\PC Tools Security\pctsAuxs.exe (PC Tools Auxiliary Service/PC Tools) [AUTO] sdAuxService
Service C:\Program Files\PC Tools Security\pctsSvc.exe (PC Tools Security Service/PC Tools) [MANUAL] sdCoreService
Service C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [MANUAL] Secdrv
Service C:\WINDOWS\system32\drivers\Senfilt.sys (Sensaura WDM 3D Audio Driver/Sensaura) [MANUAL] SenFiltService
Service ServiceModelEndpoint 3.0.0.0
Service ServiceModelOperation 3.0.0.0
Service ServiceModelService 3.0.0.0
Service C:\WINDOWS\system32\DRIVERS\sisagp.sys (SiS NT AGP Filter/Silicon Integrated Systems Corporation) [DISABLED] sisagp
Service SMSvcHost 3.0.0.0
Service C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec AIC-6x60 series SCSI miniport/Adaptec, Inc.) [DISABLED] Sparrow
Service C:\WINDOWS\system32\DRIVERS\StreamIP.sys (Microsoft IP Test Driver/Microsoft Corporation) [MANUAL] streamip
Service C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc. SCSI Miniport Driver/Symbios Logic Inc.) [DISABLED] symc810
Service C:\WINDOWS\system32\DRIVERS\symc8xx.sys (Symbios 8XX SCSI Miniport Driver/LSI Logic) [DISABLED] symc8xx
Service C:\WINDOWS\system32\DRIVERS\sym_hi.sys (Symbios Hi-Perf SCSI Miniport Driver/LSI Logic) [DISABLED] sym_hi
Service C:\WINDOWS\system32\DRIVERS\sym_u3.sys (Symbios Ultra3 SCSI Miniport Driver/LSI Logic) [DISABLED] sym_u3
Service C:\WINDOWS\system32\DRIVERS\tap0801.sys (TAP-Win32 Virtual Network Driver/The SHVPN Project) [MANUAL] tap0801
Service C:\WINDOWS\system32\drivers\TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools) [BOOT] TfFsMon
Service C:\WINDOWS\system32\drivers\TfNetMon.sys (ThreatFire Network Monitor/PC Tools) [MANUAL] TfNetMon
Service C:\WINDOWS\system32\drivers\TfSysMon.sys (ThreatFire System Monitor/PC Tools) [BOOT] TFSysMon
Service C:\Program [MANUAL] ThreatFire
Service C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Ultra66 Miniport Driver/Promise Technology, Inc.) [DISABLED] ultra
Service C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple Mobile Device USB Driver/Apple, Inc.) [MANUAL] USBAAPL
Service C:\WINDOWS\system32\DRIVERS\viaide.sys (Generic PCI IDE Bus Driver/Microsoft Corporation) [DISABLED] ViaIde
Service C:\WINDOWS\system32\vwsrv.exe [AUTO] vwservice
Service Windows Workflow Foundation 3.0.0.0
Service C:\Program [AUTO] winss
Service C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (AutoUpater Service Module/Yahoo! Inc.) [AUTO] YahooAUService

---- EOF - GMER 1.0.15 ----






Microsoft DiskPart version 5.1.3565

Copyright © 1999-2003 Microsoft Corporation.
On computer: DESK-CVERDOORN

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 D DVD-ROM 0 B
Volume 1 C NTFS Partition 74 GB Healthy Boot
  • 0

#10
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Looks like some bogus services running. See if you can change their startups.

Go to Start > Run and type

cmd

and OK. At the prompt type (or copy\paste) the below commands and hit "Enter" after each line:

sc config vwservice start= disabled

sc config winss start= disabled


Type Exit and press Enter to close the command window.

You should get confirmation the service startup has changed, so before we move on, please post back an update on how that procedure went.
  • 0

Advertisements


#11
craigrulez

craigrulez

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hey Jintan:

I followed the procedure and got a changeserivcestartup SUCCESS for both of the changes. After I typed exit and enter the window closed, but I didn't get a final confirmation or anything after that.

Thanks!
  • 0

#12
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Excellent. Reboot to Safe Mode with Networking - the reboot will reset the services. Then try TDSSKiller and ComboFix again please.
  • 0

#13
craigrulez

craigrulez

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Tried running TDSSKiller again and Combofix again with no luck. TDSS will not start still, and Combofix gets as far as scanning for infected files and then does not move forward.

On the plus side, the services.exe is now down to 125K.

Thanks.
  • 0

#14
Jintan

Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Let's pull one out the air for now then, until we get a better handle on what all is involved there. Since one of the malware drivers provided a name, let's also see if we can check that one.

Just go here, fill in the appropriate info, then use the Browse button to locate and "Send File" the following file:

C:\WINDOWS\system32\vwsrv.exe

Then we can get that file checked out.

-----------

The reason programs like TDSSKiller won't run is that the malware has some well hidden monitoring functions, and are basically taking the wind out of it's sails. Let's see if these malware tourists expected some other tools.

Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display (agree to the warning).

With the "1-click check" tab selected, Uncheck/Check each of the boxes showing, so that only these three items are checked:

Alternate Data Streams
Object Routines
IAT hooks
IDT hooks


Then without making any other changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

Post that log back here for review please.

That still might be a corker of a log file, so if it is to much to post, zip a copy of it, and just send it to jintan AT malwarecrypt.com as an attachment. Please place "Submitted Files -craigrulez/g2g/radix" as the email Subject.
  • 0

#15
craigrulez

craigrulez

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Jintan:

I attempted to locate the vwsrv.exe file as requested to post it to the site, but was unable to locate it in the C:\WINDOWS\System32 folder, I also searched for it to no avail as well.

However, hopefully (fingers crossed) we may be getting somewhere now, I was able to run the Radix program, I am emailed you a copy of the log requested.

Thanks!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP