Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Google redirect infection [Solved]


  • This topic is locked This topic is locked

#1
brucers

brucers

    Member

  • Member
  • PipPip
  • 21 posts
Hi, when I do a google search I get redirected to other websites.It started just yesterday.I'm running Windows XP. AVG Free is my live anti-virus. I ran Malwarebytes and AVG free and it didn't find anything. I then found this site and I followed the intructions "How to fix Google Redirects" on this site. I began by backing up the registry with Erunt. I then tried to run OTM.exe but it wouldn't run. Also my AVG scanner would detect the OTM.exe in normal mode as a threat and asked to remove it.I then ran OTM.exe in Safe mode. OTM.exe then asked to restart the computer. I then ran GooredFix and then ran TDSSKiller. The initial scan found no threats to delete and the second scan with the changed parameters found a couple of medium risk threats which I just clicked on continue with the default "skip". I then restarted my computer in normal mode and tried a search and am still getting redirects. As I am typing this some radio broadcast just came out of nowhere and is quiet now again. Also, when I first started my computer this morning there sounded like there was a lot of activity going on so I looked in the task manager and saw a couple of processes "iexplore.exe" even though I hadn't even opened Internet explorer which is my default browser. I downloaded and ran OTL.exe and pasted the report below. Thank you for any help you can give me!

OTL logfile created on: 8/9/2012 11:25:15 AM - Run 2
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Documents and Settings\Bruce\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.52 Gb Available Physical Memory | 77.46% Memory free
5.09 Gb Paging File | 4.38 Gb Available in Paging File | 86.15% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 134.61 Gb Free Space | 90.34% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 5.71 Gb Free Space | 76.65% Space Free | Partition Type: FAT32

Computer Name: BRUCE-765D35128 | User Name: Bruce | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/08/09 10:36:31 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bruce\Desktop\OTL.exe
PRC - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgidsagent.exe
PRC - [2012/06/13 03:48:26 | 000,758,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2012/06/13 03:48:24 | 001,255,544 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2012/04/05 05:12:34 | 002,587,008 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2012/03/19 05:18:12 | 000,979,840 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgemcx.exe
PRC - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2012/02/14 04:52:38 | 000,338,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2008/04/14 05:42:10 | 001,058,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/01/08 09:50:00 | 000,037,888 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/07/04 17:25:54 | 005,160,568 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgidsagent.exe -- (AVGIDSAgent)
SRV - [2012/04/19 19:11:25 | 000,253,088 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/02/14 04:53:38 | 000,193,288 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/04/19 04:50:26 | 000,024,896 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\avgidshx.sys -- (AVGIDSHX)
DRV - [2012/03/19 05:17:28 | 000,301,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2012/02/22 05:25:32 | 000,235,216 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2012/01/31 04:46:50 | 000,031,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/12/23 13:32:14 | 000,041,040 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/12/23 13:32:08 | 000,017,232 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsshimx.sys -- (AVGIDSShim)
DRV - [2011/12/23 13:32:06 | 000,024,144 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsfilterx.sys -- (AVGIDSFilter)
DRV - [2011/12/23 13:32:00 | 000,139,856 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avgidsdriverx.sys -- (AVGIDSDriver)
DRV - [2006/02/09 20:57:46 | 001,502,208 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2004/09/17 09:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/23 14:49:30 | 000,121,472 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2003/12/17 09:50:00 | 000,070,801 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)
DRV - [2003/12/17 09:50:00 | 000,051,729 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042pr2.Sys -- (L8042pr2)
DRV - [2003/12/17 09:50:00 | 000,037,887 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidUsb.sys -- (LHidUsb)
DRV - [2003/12/17 09:50:00 | 000,025,505 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFlt2.Sys -- (LHidFlt2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/07/16 18:17:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/02 10:35:00 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2012/08/09 10:17:13 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1314513775500 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_27)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C388C4CF-FB94-4CCE-9504-77240009FACE}: DhcpNameServer = 172.16.1.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/08/28 00:04:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/08/09 10:35:37 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bruce\Desktop\OTL.exe
[2012/08/09 10:23:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bruce\Desktop\GooredFix Backups
[2012/08/09 10:22:37 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Bruce\Desktop\GooredFix.exe
[2012/08/09 10:16:28 | 000,522,240 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bruce\Desktop\OTM.exe
[2012/08/09 10:07:26 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/08/09 09:43:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/08/09 09:42:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bruce\Desktop\erunt
[2012/08/08 20:47:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bruce\DoctorWeb
[2012/08/08 20:26:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2012/08/08 19:23:45 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Bruce\My Documents\My Videos
[2012/08/08 19:23:45 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2012/08/08 19:23:45 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Bruce\Start Menu\Programs\Administrative Tools
[2012/08/08 19:22:28 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Bruce\Desktop\dds.scr
[2012/08/08 18:09:34 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Bruce\Recent
[2012/08/08 17:46:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bruce\Desktop\RK_Quarantine
[2012/08/08 15:24:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bruce\Desktop\SharpMicrowave
[2012/08/08 14:48:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bruce\Desktop\tdsskiller
[2012/07/29 15:49:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bruce\Application Data\Help
[2012/07/29 15:49:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bruce\Local Settings\Application Data\Help
[2012/07/29 13:30:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bruce\Desktop\Weber grill
[2012/07/29 09:01:26 | 000,000,000 | ---D | C] -- C:\Program Files\ATI Technologies
[2012/07/29 08:42:03 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2012/07/29 08:34:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/07/29 08:07:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2012/07/29 08:07:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2012/07/29 08:07:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2012/07/29 08:07:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2012/07/29 08:04:41 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2012/07/29 08:02:07 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2012/07/29 08:02:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2012/07/29 07:02:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Driver Fusion
[2012/07/29 07:02:02 | 000,000,000 | ---D | C] -- C:\Program Files\Driver Fusion
[2012/07/16 18:17:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG
[2012/07/16 08:31:17 | 000,000,000 | ---D | C] -- C:\WatchLists
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/08/09 11:21:15 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/08/09 10:36:31 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bruce\Desktop\OTL.exe
[2012/08/09 10:30:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/08/09 10:22:38 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Bruce\Desktop\GooredFix.exe
[2012/08/09 10:17:13 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/08/09 10:16:40 | 000,522,240 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bruce\Desktop\OTM.exe
[2012/08/09 10:01:38 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/08/09 09:47:57 | 000,149,200 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/08/09 09:43:36 | 000,509,216 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/08/09 09:43:36 | 000,089,798 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/08/09 09:42:41 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/08/09 09:42:07 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\Bruce\Desktop\erunt.zip
[2012/08/08 21:16:52 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2012/08/08 20:41:51 | 091,165,152 | ---- | M] () -- C:\Documents and Settings\Bruce\Desktop\peed5dar.exe
[2012/08/08 19:22:30 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Bruce\Desktop\dds.scr
[2012/08/08 17:54:22 | 103,245,975 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/08/08 17:47:22 | 001,552,896 | ---- | M] () -- C:\Documents and Settings\Bruce\Desktop\RogueKiller.exe
[2012/08/08 10:45:23 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/08/06 18:33:29 | 000,076,418 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavichjg.avm
[2012/08/01 12:33:52 | 004,675,302 | ---- | M] () -- C:\Documents and Settings\Bruce\Desktop\UT61English.pdf
[2012/08/01 06:51:44 | 000,935,055 | ---- | M] () -- C:\Documents and Settings\Bruce\Desktop\basics_of_digital_multimeters.pdf
[2012/07/31 12:11:19 | 000,001,525 | ---- | M] () -- C:\Documents and Settings\Bruce\Application Data\Microsoft\Internet Explorer\Quick Launch\Notepad (2).lnk
[2012/07/29 08:35:41 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/07/29 08:04:32 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/07/29 07:19:39 | 000,000,010 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2012/07/29 07:02:04 | 000,000,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Driver Fusion.lnk
[2012/07/16 08:31:17 | 000,000,231 | ---- | M] () -- C:\broker.watch
[2012/07/14 09:45:42 | 000,027,520 | ---- | M] () -- C:\Documents and Settings\Bruce\Local Settings\Application Data\dt.dat
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/08/09 09:42:04 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\Bruce\Desktop\erunt.zip
[2012/08/09 09:32:55 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/08/08 20:41:48 | 091,165,152 | ---- | C] () -- C:\Documents and Settings\Bruce\Desktop\peed5dar.exe
[2012/08/02 11:14:11 | 001,552,896 | ---- | C] () -- C:\Documents and Settings\Bruce\Desktop\RogueKiller.exe
[2012/08/01 12:33:52 | 004,675,302 | ---- | C] () -- C:\Documents and Settings\Bruce\Desktop\UT61English.pdf
[2012/08/01 06:51:44 | 000,935,055 | ---- | C] () -- C:\Documents and Settings\Bruce\Desktop\basics_of_digital_multimeters.pdf
[2012/07/29 12:52:40 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/07/29 12:52:40 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/07/29 09:01:37 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2012/07/29 08:52:36 | 000,153,758 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/07/29 08:52:36 | 000,153,758 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-57989841-1801674531-682003330-1004-0.dat
[2012/07/29 08:08:08 | 000,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
[2012/07/29 08:08:08 | 000,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
[2012/07/29 08:08:08 | 000,000,855 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
[2012/07/29 08:08:08 | 000,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
[2012/07/29 08:08:07 | 000,613,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
[2012/07/29 08:08:07 | 000,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
[2012/07/29 08:08:07 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
[2012/07/29 08:08:07 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
[2012/07/29 08:08:07 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
[2012/07/29 08:08:07 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
[2012/07/29 08:08:07 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
[2012/07/29 08:08:07 | 000,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
[2012/07/29 08:08:07 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
[2012/07/29 08:08:07 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
[2012/07/29 08:08:07 | 000,067,374 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
[2012/07/29 08:08:07 | 000,029,070 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
[2012/07/29 08:08:07 | 000,023,195 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
[2012/07/29 08:08:06 | 000,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
[2012/07/29 08:08:06 | 000,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
[2012/07/29 08:08:06 | 000,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
[2012/07/29 08:08:06 | 000,017,272 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
[2012/07/29 08:08:06 | 000,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
[2012/07/29 08:08:06 | 000,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
[2012/07/29 08:08:06 | 000,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
[2012/07/29 08:08:06 | 000,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
[2012/07/29 08:08:06 | 000,006,769 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
[2012/07/29 08:08:06 | 000,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
[2012/07/29 08:08:06 | 000,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
[2012/07/29 08:08:06 | 000,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
[2012/07/29 08:08:06 | 000,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
[2012/07/29 08:08:06 | 000,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
[2012/07/29 08:08:06 | 000,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
[2012/07/29 08:08:06 | 000,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
[2012/07/29 08:08:06 | 000,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
[2012/07/29 08:08:06 | 000,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
[2012/07/29 08:08:06 | 000,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
[2012/07/29 08:08:06 | 000,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
[2012/07/29 08:08:06 | 000,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
[2012/07/29 08:08:06 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
[2012/07/29 08:08:06 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
[2012/07/29 08:08:06 | 000,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
[2012/07/29 08:08:06 | 000,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
[2012/07/29 08:08:06 | 000,000,908 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
[2012/07/29 08:08:05 | 000,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
[2012/07/29 08:08:05 | 000,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
[2012/07/29 08:08:05 | 000,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
[2012/07/29 08:08:05 | 000,077,307 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
[2012/07/29 08:08:05 | 000,066,725 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
[2012/07/29 08:08:05 | 000,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
[2012/07/29 08:08:05 | 000,018,286 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
[2012/07/29 08:08:05 | 000,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
[2012/07/29 08:08:05 | 000,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
[2012/07/29 08:08:05 | 000,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
[2012/07/29 08:08:05 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
[2012/07/29 08:08:05 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
[2012/07/29 08:08:05 | 000,001,474 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
[2012/07/29 08:08:05 | 000,001,451 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
[2012/07/29 08:08:05 | 000,001,448 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
[2012/07/29 08:08:05 | 000,001,250 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
[2012/07/29 08:08:05 | 000,001,049 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
[2012/07/29 08:08:05 | 000,001,046 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
[2012/07/29 08:08:05 | 000,001,036 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
[2012/07/29 08:08:05 | 000,000,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
[2012/07/29 08:08:05 | 000,000,787 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
[2012/07/29 08:08:05 | 000,000,784 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
[2012/07/29 08:08:05 | 000,000,783 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
[2012/07/29 08:08:05 | 000,000,775 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
[2012/07/29 08:08:05 | 000,000,733 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
[2012/07/29 08:08:05 | 000,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
[2012/07/29 08:08:04 | 000,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
[2012/07/29 08:08:04 | 000,184,959 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
[2012/07/29 08:08:04 | 000,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
[2012/07/29 08:08:04 | 000,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
[2012/07/29 08:08:04 | 000,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
[2012/07/29 08:08:04 | 000,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
[2012/07/29 08:08:04 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
[2012/07/29 08:08:04 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
[2012/07/29 08:08:04 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
[2012/07/29 08:08:04 | 000,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
[2012/07/29 08:08:04 | 000,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
[2012/07/29 08:04:40 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2012/07/29 08:04:39 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2012/07/29 07:02:04 | 000,000,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Driver Fusion.lnk
[2012/07/16 08:31:17 | 000,000,231 | ---- | C] () -- C:\broker.watch
[2012/07/14 09:45:42 | 000,027,520 | ---- | C] () -- C:\Documents and Settings\Bruce\Local Settings\Application Data\dt.dat
[2012/06/14 20:02:38 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2012/01/10 20:40:58 | 000,060,304 | ---- | C] () -- C:\Documents and Settings\Bruce\g2mdlhlpx.exe
[2011/11/12 22:12:42 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/13 20:11:50 | 000,114,630 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2011/09/06 23:32:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Bruce\ngen.exe
[2011/08/28 16:39:36 | 000,000,008 | RH-- | C] () -- C:\Documents and Settings\Bruce\hwid
[2011/08/28 16:37:59 | 000,000,043 | ---- | C] () -- C:\WINDOWS\ib.ini
[2011/08/28 16:37:58 | 000,026,624 | ---- | C] () -- C:\WINDOWS\GetIe.dll
[2011/08/28 13:16:00 | 000,000,488 | ---- | C] () -- C:\WINDOWS\Cmousecc.ini
[2011/08/28 00:06:39 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/08/28 00:01:24 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/08/27 16:52:13 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/08/27 16:51:18 | 000,149,200 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== LOP Check ==========

[2012/08/09 09:53:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
[2011/09/06 07:54:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2012/08/08 17:54:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/09/06 07:55:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bruce\Application Data\AVG2012
[2012/01/02 22:11:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bruce\Application Data\Octoshape
[2011/10/06 18:06:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bruce\Application Data\webex

========== Purity Check ==========



< End of report >
  • 0

Advertisements


#2
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.

Hi and welcome to Geeks to Go. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I provide are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Scan with aswMBR:

Please download aswMBR.exe to your desktop.

  • Double-click on aswMBR.exe to launch the application.
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
  • Now click on the Scan button to start scan
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Note: There will also be a file on your desktop named MBR.dat(or similar) do not delete this for now it is a actual backup of the MBR(master boot record).

Next:

The extra.txt log created by OTL should be on your desktop, please post that in your next reply if still available. Plus any particular reason you chose to run OTL twice? Not a problem that merely curious as to why...

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • Answer to my OTL second run query.
  • aswMBR Log.
  • The OTL Extras log(if available).

  • 0

#3
brucers

brucers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
•How is your computer performing now, any further symptoms and or problems encountered?Still being redirected.

•Answer to my OTL second run query.I can't really remember why, I think maybe it was something to do with not being able to find the Extras log and running it again to see if it would show up. Found it on the desktop anyway.

•aswMBR Log.
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-09 17:56:15
-----------------------------
17:56:15.109 OS Version: Windows 5.1.2600 Service Pack 3
17:56:15.109 Number of processors: 1 586 0x403
17:56:15.109 ComputerName: BRUCE-765D35128 UserName: Bruce
17:56:16.156 Initialize success
17:56:47.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:56:47.734 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
17:56:47.750 Disk 0 MBR read successfully
17:56:47.750 Disk 0 MBR scan
17:56:47.750 Disk 0 Windows XP default MBR code
17:56:47.750 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152578 MB offset 63
17:56:47.750 Disk 0 scanning sectors +312480315
17:56:47.828 Disk 0 scanning C:\WINDOWS\system32\drivers
17:56:52.656 Service scanning
17:56:58.609 Modules scanning
17:57:02.093 Disk 0 trace - called modules:
17:57:02.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:57:02.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aefbab8]
17:57:02.109 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8af23030]
17:57:02.609 Scan finished successfully
17:57:11.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\MBR.dat"
17:57:11.328 The log file has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\aswMBR.txt"

•The OTL Extras log(if available).
OTL Extras logfile created on: 8/9/2012 10:58:48 AM - Run 1
OTL by OldTimer - Version 3.2.56.0 Folder = C:\Documents and Settings\Bruce\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.66 Gb Available Physical Memory | 81.87% Memory free
5.09 Gb Paging File | 4.57 Gb Available in Paging File | 89.88% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.00 Gb Total Space | 134.63 Gb Free Space | 90.35% Space Free | Partition Type: NTFS
Drive F: | 7.45 Gb Total Space | 5.71 Gb Free Space | 76.65% Space Free | Partition Type: FAT32

Computer Name: BRUCE-765D35128 | User Name: Bruce | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\WINDOWS\system32\javaw.exe" = C:\WINDOWS\system32\javaw.exe:*:Disabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Documents and Settings\Bruce\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" = C:\Documents and Settings\Bruce\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe:*:Enabled:Main program for Octoshape client
"C:\Program Files\AVG\AVG2012\avgmfapx.exe" = C:\Program Files\AVG\AVG2012\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgnsx.exe" = C:\Program Files\AVG\AVG2012\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgdiagex.exe" = C:\Program Files\AVG\AVG2012\avgdiagex.exe:*:Enabled:AVG Diagnostics 2012 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG2012\avgemcx.exe" = C:\Program Files\AVG\AVG2012\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{100C8F3B-82D6-4B14-BB7A-5E8C3FF810C8}_is1" = Driver Fusion
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216027FF}" = Java™ 6 Update 27
"{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5809E7CF-4DCF-11D4-9875-00105ACE7734}" = Logitech MouseWare 9.79.1
"{6D12EC75-E7D3-4EAD-AB10-E1F3AFF94AA6}" = AVG 2012
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.5
"{B143D835-EBAF-4A39-8B31-1868FF4166C1}" = AVG 2012
"{B8971880-0060-11D8-87CB-C2A1A3E71907}_is1" = Index.dat Suite
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FDB3B167-F4FA-461D-976F-286304A57B2A}" = Adobe AIR
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"AmiBroker_is1" = AmiBroker 5.10
"ATI Display Driver" = ATI Display Driver
"AVG" = AVG 2012
"CCleaner" = CCleaner
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ie8" = Windows Internet Explorer 8
"InstallShield_{2E086814-7392-4E0F-ADB8-54A81E47406C}" = Broadcom Advanced Control Suite 2
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"MRU-Blaster_is1" = MRU-Blaster v1.5 (Database 3/28/2004)
"QuoteTracker_is1" = QuoteTracker
"Recuva" = Recuva
"Trader Workstation 4.0" = Trader Workstation 4.0
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 5.1.0.880

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 5/14/2012 12:32:40 PM | Computer Name = BRUCE-765D35128 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/14/2012 9:33:31 PM | Computer Name = BRUCE-765D35128 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/19/2012 10:51:39 AM | Computer Name = BRUCE-765D35128 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/19/2012 11:39:44 AM | Computer Name = BRUCE-765D35128 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/19/2012 5:06:01 PM | Computer Name = BRUCE-765D35128 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/27/2012 2:09:54 PM | Computer Name = BRUCE-765D35128 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/28/2012 10:55:31 AM | Computer Name = BRUCE-765D35128 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/5/2012 5:25:00 PM | Computer Name = BRUCE-765D35128 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.18928, fault address 0x00067838.

Error - 6/11/2012 4:48:21 PM | Computer Name = BRUCE-765D35128 | Source = Application Error | ID = 1000
Description = Faulting application mbam.exe, version 1.60.0.80, faulting module
ntdll.dll, version 5.1.2600.3520, fault address 0x000101b3.

Error - 6/12/2012 4:07:40 AM | Computer Name = BRUCE-765D35128 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: PresentationCFFRasterizer, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35 . Error code = 0x80070020

[ System Events ]
Error - 8/9/2012 10:48:03 AM | Computer Name = BRUCE-765D35128 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 8/9/2012 11:04:20 AM | Computer Name = BRUCE-765D35128 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/9/2012 11:05:35 AM | Computer Name = BRUCE-765D35128 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avgldx86 Avgmfx86 Fips intelppm

Error - 8/9/2012 11:08:51 AM | Computer Name = BRUCE-765D35128 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/9/2012 11:15:35 AM | Computer Name = BRUCE-765D35128 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/9/2012 11:16:53 AM | Computer Name = BRUCE-765D35128 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avgldx86 Avgmfx86 Fips intelppm

Error - 8/9/2012 11:17:26 AM | Computer Name = BRUCE-765D35128 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/9/2012 11:18:28 AM | Computer Name = BRUCE-765D35128 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/9/2012 11:19:46 AM | Computer Name = BRUCE-765D35128 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avgldx86 Avgmfx86 Fips intelppm

Error - 8/9/2012 11:29:55 AM | Computer Name = BRUCE-765D35128 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >
  • 0

#4
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

Still being redirected

OK and thanks for the update etc.

I can't really remember why, I think maybe it was something to do with not being able to find the Extras log and running it again to see if it would show up. Found it on the desktop anyway.

Fair play and not a problem at all as I mentioned prior.

Next:

Out of date Adobe and Java installations pose a security risk. They can be used by malware as a means to infect a computer and or re-infect. We will update both in due course.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader 9.4.5
HiJackThis No need for this(outdated), however if you have used it recently to remove anything, do not uninstall and inform myself of such.
Java™ 6 Update 27
MRU-Blaster <-- No need for this(outdated) plus you have CCleaner installed anyway.

To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

How to use ComboFix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How To Temporarily Disable Your Anti-virus, Firewall and Anti-malware Programs <-- Click on this link.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done.

If you recieve an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper


When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.

  • 0

#5
brucers

brucers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi, I uninstalled Adobe Reader, Java and MRU Blaster. I did not uninstall HijackThis as I have used it recently. I've always periodically kept my eye on whatever entries it scans and being there aren't all that many on my computer I pretty much can recognize when something shows up in there that wasn't there before. So after this infection I noticed two hosts entries that appeared that I had HijackThis fix/delete. So I haven't run Combofix yet, thought I'd better check with you first. Thank you for your help on this!
  • 0

#6
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
By all means go ahead and proceed with ComboFix per my prior post. :)
  • 0

#7
brucers

brucers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
How is your computer performing now, any other symptoms and or problems encountered?
I'm still being redirected.

•ComboFix Log.

ComboFix 12-08-09.01 - Bruce 08/10/2012 13:53:29.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2886 [GMT -5:00]
Running from: c:\documents and settings\Bruce\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\vuzmaaa.tmp
c:\documents and settings\All Users\Application Data\xxlnaaa.tmp
c:\documents and settings\Bruce\g2mdlhlpx.exe
c:\documents and settings\Bruce\WINDOWS
c:\windows\expl.dat
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-07-10 to 2012-08-10 )))))))))))))))))))))))))))))))
.
.
2012-08-09 15:07 . 2012-08-09 15:07 -------- d-----w- C:\_OTM
2012-08-09 01:47 . 2012-08-09 01:47 -------- d-----w- c:\documents and settings\Bruce\DoctorWeb
2012-08-09 01:31 . 2012-08-09 01:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-08-09 01:31 . 2012-08-09 01:31 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-07-29 20:49 . 2012-07-29 20:49 -------- d-----w- c:\documents and settings\Bruce\Local Settings\Application Data\Help
2012-07-29 17:57 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-07-29 17:57 . 2012-05-11 14:42 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-07-29 17:56 . 2012-05-02 13:46 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-07-29 17:53 . 2012-05-28 18:16 536576 -c----w- c:\windows\system32\dllcache\msado15.dll
2012-07-29 17:52 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-07-29 17:52 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-07-29 17:52 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-07-29 17:52 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-07-29 14:01 . 2006-02-10 02:05 520192 ------w- c:\windows\system32\ati2sgag.exe
2012-07-29 14:01 . 2012-07-29 14:01 -------- d-----w- c:\program files\ATI Technologies
2012-07-29 13:51 . 2006-02-10 01:39 860352 -c--a-w- c:\windows\system32\dllcache\ativvaxx.dll
2012-07-29 13:51 . 2006-02-10 01:39 860352 ----a-w- c:\windows\system32\ativvaxx.dll
2012-07-29 13:42 . 2012-07-29 13:42 -------- d-----w- c:\program files\Microsoft.NET
2012-07-29 13:08 . 2012-06-05 15:50 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2012-07-29 13:08 . 2008-04-14 03:57 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2012-07-29 13:05 . 2008-04-14 10:42 294912 ------w- c:\program files\Windows Media Player\dlimport.exe
2012-07-29 13:02 . 2012-07-29 13:02 -------- d-----w- c:\windows\EHome
2012-07-29 12:02 . 2012-07-29 13:52 -------- d-----w- c:\program files\Driver Fusion
2012-07-16 13:39 . 2012-07-16 13:39 -------- d-----w- c:\windows\system32\wbem\Repository
2012-07-16 13:31 . 2012-07-16 13:31 -------- d-----w- C:\WatchLists
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 18:46 . 2011-08-29 02:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-05 15:50 . 2009-08-19 22:07 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2004-08-12 14:01 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-02 20:19 . 2009-08-07 00:24 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 20:19 . 2011-08-28 05:02 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 20:19 . 2011-08-28 05:02 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 20:19 . 2011-08-28 05:02 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 20:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 20:19 . 2011-08-28 05:02 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 20:19 . 2011-08-28 05:02 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 20:19 . 2009-08-07 00:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 20:19 . 2009-08-07 00:24 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 20:19 . 2004-08-12 13:56 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 20:19 . 2009-08-07 00:24 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 20:19 . 2011-08-28 05:02 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 20:19 . 2011-08-28 05:02 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 20:18 . 2011-08-29 01:16 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 20:18 . 2011-08-29 01:16 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 20:18 . 2011-08-29 01:16 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22 . 2004-08-12 13:56 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-12 14:09 916992 ----a-w- c:\windows\system32\wininet.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . FA509FDFA9BFE4C054CDB68F2F0DB225 . 544768 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
[7] 2004-08-12 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . 4F889B6D995305766816A2339F8A17F2 . 39424 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[7] 2004-08-12 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 . 5AF88FED800D28DEC826D60D7EEECF1A . 1058304 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[7] 2004-08-12 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"ATIModeChange"="Ati2mdxx.exe" [2006-02-10 26112]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^Bruce^Start Menu^Programs^Startup^Check for TWS Updates.lnk]
path=c:\documents and settings\Bruce\Start Menu\Programs\Startup\Check for TWS Updates.lnk
backup=c:\windows\pss\Check for TWS Updates.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2006-02-10 02:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 19:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [4/19/2012 4:50 AM 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/11/2011 1:13 AM 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/11/2011 1:13 AM 235216]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 301248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\avgidsagent.exe [7/4/2012 5:25 PM 5160568]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2/14/2012 4:53 AM 193288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [12/23/2011 1:32 PM 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [12/23/2011 1:32 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [12/23/2011 1:32 PM 17232]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/19/2012 7:11 PM 253088]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-20 00:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 172.16.1.1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Eraser - c:\progra~1\Eraser\Eraser.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-10 13:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,d8,ef,a4,9e,ca,ad,45,ae,0e,21,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,d8,ef,a4,9e,ca,ad,45,ae,0e,21,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3656)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Logitech\MouseWare\system\em_exec.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\AVG\AVG2012\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2012-08-10 14:02:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-10 19:02
.
Pre-Run: 144,105,598,976 bytes free
Post-Run: 144,582,361,088 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 7F7F73632ACD718A2A599E5254B346A5
  • 0

#8
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

I'm still being redirected.

That is because your machine appears to be infected with a version of the bamital infection. Quite a nasty piece of malware all told that patches certain system critical files for example, hence the symptoms your machine is currently exhibiting.

Please ensure you follow the sequence below in the exact order they are in and with the aswMBR re-scan, the option to use the Avast! Free Antivirus for scanning is selected...

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK

firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select On(recommended) >> OK.

Custom ComboFix-Script:

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KillAll::
    
    FCopy::
    c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\system32\dllcache\explorer.exe
    c:\windows\ServicePackFiles\i386\explorer.exe | C:\windows\explorer.exe
    c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\dllcache\winlogon.exe
    c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
    c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\dllcache\svchost.exe
    c:\windows\ServicePackFiles\i386\svchost.exe | c:\windows\system32\svchost.exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Ati HotKey Poller"=-
    
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    
    ReBoot::
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It will reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Caution: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Re-scan with aswMBR:

  • Double-click on aswMBR.exe to launch the application.
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select Yes
  • Now click on the Scan button to start scan
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • New ComboFix Log.
  • New aswMBR Log.
  • Malwarebytes Anti-Malware Log.

  • 0

#9
brucers

brucers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi,I followed the steps in the correct order and on about Stage 3 of the ComboFix scan a Windows Explorer error window came up stating "Windows Explorer has encountered a problem and needs to close" I did not click on anything such as "Send error report" or "Don't send" and I just let ComboFix finish running and then it rebooted. When windows came back up there were no icons or taskbar-- nothing at all except the Windows Explorer error message which I then clicked on "don't send" and it went away. So I tried rebooting again by just operating the power button, but same results. Then I tried in Safe mode with same results. So I booted one more time in standard mode and this time I pressed {ctrl, alt, delete} to bring up the task manager. I then clicked on "File" then "New Task(Run)" and luckily I remembered the process name to bring up the browser which I did by typing in "iexplore.exe" . So there was no Combolog to post. I'll just post this for now. I'm trying to use the task manager to browse the files to see if I can find the logfile. Also should be able to run aswMBR.exe
  • 0

#10
brucers

brucers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
OK, so I can browse the windows explorer through the task manager and found the C:\ComboFix\ComboFix.txt. There's not much in it.

ComboFix 12-08-09.01 - Bruce 08/11/2012 9:53:32.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2911 [GMT -5:00]
Running from: C:\Documents and Settings\Bruce\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bruce\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}


Then I browsed for "C:\Documents and Settings\Bruce\Desktop\aswMBR.exe" and ran it. Here's the log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-09 17:56:15
-----------------------------
17:56:15.109 OS Version: Windows 5.1.2600 Service Pack 3
17:56:15.109 Number of processors: 1 586 0x403
17:56:15.109 ComputerName: BRUCE-765D35128 UserName: Bruce
17:56:16.156 Initialize success
17:56:47.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:56:47.734 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
17:56:47.750 Disk 0 MBR read successfully
17:56:47.750 Disk 0 MBR scan
17:56:47.750 Disk 0 Windows XP default MBR code
17:56:47.750 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152578 MB offset 63
17:56:47.750 Disk 0 scanning sectors +312480315
17:56:47.828 Disk 0 scanning C:\WINDOWS\system32\drivers
17:56:52.656 Service scanning
17:56:58.609 Modules scanning
17:57:02.093 Disk 0 trace - called modules:
17:57:02.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:57:02.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aefbab8]
17:57:02.109 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8af23030]
17:57:02.609 Scan finished successfully
17:57:11.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\MBR.dat"
17:57:11.328 The log file has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-11 11:08:19
-----------------------------
11:08:19.046 OS Version: Windows 5.1.2600 Service Pack 3
11:08:19.046 Number of processors: 1 586 0x403
11:08:19.046 ComputerName: BRUCE-765D35128 UserName: Bruce
11:08:20.078 Initialize success
11:11:14.171 AVAST engine defs: 12081100
11:12:33.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
11:12:33.765 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
11:12:33.781 Disk 0 MBR read successfully
11:12:33.781 Disk 0 MBR scan
11:12:33.812 Disk 0 Windows XP default MBR code
11:12:33.812 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152578 MB offset 63
11:12:33.812 Disk 0 scanning sectors +312480315
11:12:33.890 Disk 0 scanning C:\WINDOWS\system32\drivers
11:12:42.875 Service scanning
11:12:54.234 Modules scanning
11:12:57.062 Disk 0 trace - called modules:
11:12:57.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
11:12:57.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af38ab8]
11:12:57.593 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8af49030]
11:12:58.015 AVAST engine scan C:\WINDOWS
11:13:04.765 AVAST engine scan C:\WINDOWS\system32
11:15:08.187 AVAST engine scan C:\WINDOWS\system32\drivers
11:15:19.546 AVAST engine scan C:\Documents and Settings\Bruce
11:16:43.093 AVAST engine scan C:\Documents and Settings\All Users
11:17:01.171 Scan finished successfully
11:19:11.593 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\MBR.dat"
11:19:11.593 The log file has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\aswMBR.txt"

Then I browsed for "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" and ran it. Here's the log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.11.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Bruce :: BRUCE-765D35128 [administrator]

8/11/2012 11:22:27 AM
mbam-log-2012-08-11 (11-22-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 173522
Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
  • 0

Advertisements


#11
brucers

brucers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
I've got my Outlook Express mail program up and running now too so look forward to hearing from you! :)
  • 0

#12
brucers

brucers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Also, now that windows explorer is disabled, I am not getting any redirects in my google search links. And no random audio broadcasts.
  • 0

#13
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

My apologies for the delay...

Unfortunately the infection we have been dealing with can have somewhat unpredictable results at times when trying to eradicate.

Anyway lets see what can be done to rectify the current situation as follows...

Next:

Launch Task Manager via Ctrl + Shift + Esc >> Click on File > New Task (Run...).

Type in control and press Enter >> double-click on the Folder Option icon >> Click on the View tab

Now click on the Reset Folders button >> then on Apply >> OK

Reboot(restart) your machine and let myself know in your next reply if still the same issue or not and we will go from there, thank you.
  • 0

#14
brucers

brucers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
OK, when I type in "control" and press enter I get the error message "Windows Explorer has encountered a problem and needs to close".
  • 0

#15
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,665 posts
Hi. :)

OK, when I type in "control" and press enter I get the error message "Windows Explorer has encountered a problem and needs to close".

We will merely try something else...

Launch Task Manager via Ctrl + Shift + Esc >> Click on File >> New Task (Run...).

Type in sfc /scannow and press Enter .

Note: This will take some time. Also you may be prompted to place your XP installation CD-ROM in the Optical-Drive if required.

Reboot(restart) your machine afterwards and let myself know in your next reply if still the same issue or not and we will go from there, thank you.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP