Google Re-direct Problem [Solved]

#16 ray-z (Topic Starter, Member, 23 posts)
Here you go, Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, January 7, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, January 07, 2010 17:09:46
Records in database: 3330360
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 136855
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:53:49


File name / Threat / Threats count
C:\Windows\System32\tdlcmd.dll Infected: Packed.Win32.TDSS.z 1

Selected area has been scanned.

#17 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\System32\tdlcmd.dll
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Update MBAM, run a quick scan, and post that log.

Also re-download ComboFix and try running it again.

#18 ray-z (Topic Starter, Member, 23 posts)
Right, here's the OTM log:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
LoadLibrary failed for C:\Windows\System32\tdlcmd.dll
File move failed. C:\Windows\System32\tdlcmd.dll scheduled to be moved on reboot.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Asma
->Temp folder emptied: 91225943 bytes
->Temporary Internet Files folder emptied: 3943780 bytes
->Java cache emptied: 128013 bytes
->FireFox cache emptied: 94029176 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 2190 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 181.00 mb


OTM by OldTimer - Version 3.1.4.0 log created on 01072010_223112

Files moved on Reboot...
File C:\Windows\System32\tdlcmd.dll not found!
C:\Users\Asma\AppData\Local\Temp\ehmsas.txt moved successfully.
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

#19 ray-z (Topic Starter, Member, 23 posts)
And here's the MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6000
Internet Explorer 7.0.6000.16764

07/01/2010 22:56:09
mbam-log-2010-01-07 (22-56-09).txt

Scan type: Quick Scan
Objects scanned: 99762
Time elapsed: 7 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\tdlcmd.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

#20 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Can you get CF working?

#21 ray-z (Topic Starter, Member, 23 posts)
Just been trying ComboFix, but same problems as before - BSOD. Tried renaming and running in Safe Mode but again BSOD.

#22 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
hi

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.



Please download Dr.Web CureIt. Save it to your desktop:
  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
NOTE: During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.

#23 ray-z (Topic Starter, Member, 23 posts)
Hi

I ran TDSSKiller, which performed a scan and found some infections, which I asked it to delete. It didn't create a log file (one of the lines said 'Start Log Failed'). I then rebooted and tried again - once more no log file, but no infections either.

I then ran Dr Web. It also found some infections during the quick scan which were cured, and some more infections during the full scan. I tried to save a log file but I got a BSOD and Vista had to restart.

I repeated a Dr Web scan and no infections during quick scan, but again BSOD when trying to save log file.

The third time I didn't try to save the log file, but I've attached a screenshot of the results for you (Word doc renamed to .txt).

Cheers


#24 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Any redirects?

#25 ray-z (Topic Starter, Member, 23 posts)
Hi

I've just done a search in Google and clicked on the first 18 hits - not a single re-direct! Looks like the problem is solved...but is there any way to be absolutely certain? I'm still a little wary!

Cheers

#26 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Can you download a new version of ComboFix and run it once more?

Also update MBAM, run a quick scan, and post that log.

And do this:

  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

#27 ray-z (Topic Starter, Member, 23 posts)
Well here's one I made earlier...

I ran an MBAM scan not long ago, results below. Will try the other 2 suggestions next.

Malwarebytes' Anti-Malware 1.44
Database version: 3535
Windows 6.0.6000
Internet Explorer 7.0.6000.16764

10/01/2010 17:39:56
mbam-log-2010-01-10 (17-39-56).txt

Scan type: Quick Scan
Objects scanned: 99866
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\$RECYCLE.BIN\S-1-5-21-202082734-3936567923-2657742524-1000\$RN3F8XX.com\Combo-Fix.sys (Malware.Trace) -> Quarantined and deleted successfully.

#28 ray-z (Topic Starter, Member, 23 posts)
Success - managed to get Combofix to work! Here's the Combofix.txt log:

ComboFix 10-01-04.01 - Asma 10/01/2010 19:01:06.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1021.440 [GMT 0:00]
Running from: c:\users\Asma\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100110-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1368 [VPS 100110-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3792612996-4052778812-2067057863-500
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk

.
((((((((((((((((((((((((( Files Created from 2009-12-10 to 2010-01-10 )))))))))))))))))))))))))))))))
.

2010-01-10 19:08 . 2010-01-10 19:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-10 18:59 . 2010-01-10 18:59 -------- d-----w- C:\32788R22FWJFW
2010-01-09 10:26 . 2010-01-09 11:22 -------- d-----w- c:\users\Asma\DoctorWeb
2010-01-07 22:45 . 2010-01-07 22:45 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:31 . 2010-01-07 22:31 -------- d-----w- C:\_OTM
2010-01-03 22:21 . 2010-01-03 22:21 -------- d-----w- C:\_OTL
2009-12-31 23:26 . 2010-01-10 17:09 52224 ----a-w- c:\users\Asma\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-31 23:26 . 2010-01-10 17:09 117760 ----a-w- c:\users\Asma\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-31 23:25 . 2009-12-31 23:25 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-31 23:24 . 2010-01-06 19:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-31 23:24 . 2009-12-31 23:24 -------- d-----w- c:\users\Asma\AppData\Roaming\SUPERAntiSpyware.com
2009-12-31 23:23 . 2009-12-31 23:23 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-31 21:32 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-12-31 21:32 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-12-31 21:32 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-12-31 21:32 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-12-31 21:32 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-12-31 21:31 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-12-31 21:31 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-12-31 21:31 . 2009-12-31 21:31 -------- d-----w- c:\program files\Alwil Software
2009-12-31 20:06 . 2009-12-31 20:06 -------- d-----w- c:\users\Asma\AppData\Roaming\Malwarebytes
2009-12-31 20:06 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 20:06 . 2009-12-31 20:06 -------- d-----w- c:\programdata\Malwarebytes
2009-12-31 20:06 . 2010-01-07 22:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 20:06 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 17:11 . 2009-12-31 17:11 -------- d-----w- c:\program files\MediaInfo
2009-12-16 20:18 . 2009-12-16 20:18 -------- d-----w- c:\programdata\Norton

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-10 17:43 . 2009-11-02 23:24 61652 ----a-w- c:\programdata\nvModes.dat
2010-01-10 17:41 . 2007-01-25 15:19 1660 ----a-w- c:\windows\bthservsdp.dat
2010-01-10 03:07 . 2009-01-03 19:16 -------- d-----w- c:\users\Asma\AppData\Roaming\uTorrent
2010-01-07 23:51 . 2008-07-17 02:10 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-07 23:48 . 2010-01-07 23:48 21560 ----a-w- c:\windows\system32\drivers\atapi.tsk
2010-01-06 23:58 . 2007-08-06 22:18 578 ----a-w- c:\users\Asma\AppData\Roaming\wklnhst.dat
2009-12-31 23:01 . 2007-08-08 19:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-31 23:01 . 2007-08-08 19:57 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-31 21:20 . 2007-01-25 15:51 -------- d-----w- c:\programdata\Symantec
2009-12-31 21:20 . 2007-01-25 15:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-31 16:41 . 2009-11-02 22:50 -------- d-----w- c:\users\Asma\AppData\Roaming\vlc
2009-12-02 21:51 . 2009-12-02 21:51 -------- d-----w- c:\users\Asma\AppData\Roaming\Foxit Software
2009-11-02 20:42 . 2009-10-03 00:56 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-02 20:22 . 2007-07-25 00:06 31966 ----a-w- c:\users\Asma\AppData\Roaming\nvModes.dat
2009-10-21 10:15 . 2009-10-21 10:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-07-24 23:00 . 2007-07-24 23:00 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

------- Sigcheck -------

[-] 2010-01-07 23:51 . 49AB04810A7CD83213918F1EDA10A5B6 . 21560 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2008-07-17 . B35CFCEF838382AB6490B321C87EDF17 . 21560 . . [6.0.6000.16632] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-06 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

c:\users\Asma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SynTPEnh - Shortcut.lnk - c:\program files\Synaptics\SynTP\SynTPEnh.exe [2008-3-28 1045800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2006-11-28 23:42 46704 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxbkbmgr.exe]
2007-04-26 11:02 74672 ----a-w- c:\program files\Lexmark X1100 Series\LXBKbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [31/12/2009 21:32 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 16:26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 16:26 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [31/12/2009 21:32 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [31/12/2009 21:31 53328]
R2 lxbk_device;lxbk_device;c:\windows\system32\lxbkcoms.exe -service --> c:\windows\system32\lxbkcoms.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 16:27 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-01-10 c:\windows\Tasks\User_Feed_Synchronization-{0E800DBF-F860-49BE-9326-697C915EC59E}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=71&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZK
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Asma\AppData\Roaming\Mozilla\Firefox\Profiles\u0j7g3rn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 19:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi]
"ImagePath"="system32\Drivers\atapi.tsk"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-10 19:11:30
ComboFix-quarantined-files.txt 2010-01-10 19:11

Pre-Run: 28,996,890,624 bytes free
Post-Run: 29,021,200,384 bytes free

- - End Of File - - 4EB743817F87797A6F8BDAB9522DFAAD
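The Sigcheck block in the ComboFix log above lists atapi.sys with a [-] marker and an MD5 that matches none of the catalogued copies in DriverStore and SoftwareDistribution, and the atapi service's ImagePath points at atapi.tsk rather than a .sys file. The following is an added example (not part of this thread, nor ComboFix's own code) that pulls exactly those two signals out of such a log so a helper does not have to eyeball it. It assumes that a [-] marker means the file did not verify and that a driver ImagePath not ending in .sys or .exe deserves attention; both are heuristics, not ComboFix documentation.

```python
"""Flag suspicious driver entries in a ComboFix-style Sigcheck block.

Hypothetical helper written for this thread; not part of ComboFix or any
other tool the thread uses.  Assumptions (also marked below): an entry whose
leading marker is "[-]" is one the scanner could not verify, and a driver
service whose ImagePath does not end in .sys or .exe is worth a look.
"""
import re
from collections import defaultdict

# Constructed sample: the Sigcheck block and the atapi service key quoted
# from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2010-01-07 23:51 . 49AB04810A7CD83213918F1EDA10A5B6 . 21560 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2008-07-17 . B35CFCEF838382AB6490B321C87EDF17 . 21560 . . [6.0.6000.16632] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[7] 2008-01-19 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\SoftwareDistribution\Download\df81987ce1972154ab659b2f560f1610\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi]
"ImagePath"="system32\Drivers\atapi.tsk"
"""

# One Sigcheck line: [marker] date[ time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r'^\[([^\]]*)\]\s+(\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?) \. '
    r'([0-9A-Fa-f]{32}) \. (\d+) \. \. \[([^\]]*)\] \. \. (.+)$'
)
# Registry key header of a service, e.g. [HKEY_LOCAL_MACHINE\SYSTEM\...\Services\atapi]
SERVICE_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\]]*\\Services\\([^\\\]]+)\]$', re.I)
IMAGE_PATH_RE = re.compile(r'^"ImagePath"="(.*)"$')


def parse_sigcheck(text):
    """Return a list of dicts, one per Sigcheck line found in the text."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            marker, date, md5, size, version, path = m.groups()
            entries.append({
                'marker': marker, 'date': date, 'md5': md5.upper(),
                'size': int(size), 'version': version, 'path': path,
                'name': path.rsplit('\\', 1)[-1].lower(),
            })
    return entries


def parse_service_image_paths(text):
    """Return (service_name, ImagePath) pairs for the Services keys in the text."""
    pairs, current = [], None
    for line in text.splitlines():
        key = SERVICE_KEY_RE.match(line.strip())
        if key:
            current = key.group(1)
            continue
        img = IMAGE_PATH_RE.match(line.strip())
        if img and current:
            pairs.append((current, img.group(1)))
    return pairs


def analyse(text):
    """Return the three signals a reviewer would look for in the log."""
    entries = parse_sigcheck(text)
    # Assumption: "[-]" marks a file the scanner could not verify against its catalogue.
    unverified = [e['path'] for e in entries if e['marker'] == '-']

    # Independently of the marker, compare each file's MD5 with the catalogued
    # copies of the same filename elsewhere in the log (DriverStore etc.).
    known = defaultdict(set)
    for e in entries:
        if e['marker'] != '-':
            known[e['name']].add(e['md5'])
    hash_mismatch = [e['path'] for e in entries
                     if known[e['name']] and e['md5'] not in known[e['name']]]

    # Assumption: a driver service whose image is not a .sys/.exe deserves attention.
    odd_image_paths = [(svc, p) for svc, p in parse_service_image_paths(text)
                       if not p.lower().endswith(('.sys', '.exe'))]
    return {'unverified': unverified, 'hash_mismatch': hash_mismatch,
            'odd_image_paths': odd_image_paths}


if __name__ == '__main__':
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(f'{kind}: {hit}')
```

Run against the sample, all three lists point at the same driver: the live atapi.sys is unverified and carries a hash unknown to every catalogued copy, while its service is configured to load atapi.tsk.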

#29 ray-z (Topic Starter, Member, 23 posts)
And here's the OTL log. Looking forward to getting the green light!

OTL logfile created on: 10/01/2010 19:22:31 - Run 2
OTL by OldTimer - Version 3.1.20.1 Folder = C:\Users\Asma\Desktop
Windows Vista Home Premium Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6000.16764)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,021.00 Mb Total Physical Memory | 133.00 Mb Available Physical Memory | 13.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 53.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 106.53 Gb Total Space | 27.07 Gb Free Space | 25.41% Space Free | Partition Type: NTFS
Drive D: | 5.26 Gb Total Space | 1.14 Gb Free Space | 21.59% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ASMA-LAPTOP
Current User Name: Asma
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/06 19:35:39 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2010/01/01 02:51:02 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Asma\Desktop\OTL.exe
PRC - [2009/11/24 23:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/16 20:13:04 | 00,908,280 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2008/12/04 02:42:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\nvvsvc.exe
PRC - [2008/10/29 06:20:29 | 02,923,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/03/28 02:06:00 | 00,095,528 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
PRC - [2008/03/28 02:05:00 | 01,045,800 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/08/07 19:30:21 | 01,006,264 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2007/04/26 11:01:46 | 00,537,520 | ---- | M] ( ) -- C:\Windows\System32\lxbkcoms.exe
PRC - [2006/11/24 23:34:20 | 00,118,877 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
PRC - [2006/11/24 23:34:16 | 00,270,431 | ---- | M] () -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
PRC - [2006/11/03 16:55:50 | 00,703,280 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2006/11/03 16:55:48 | 01,583,920 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
PRC - [2006/10/19 21:52:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2006/06/27 16:21:14 | 01,449,984 | ---- | M] (Time Information Services Ltd.) -- C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
PRC - [2006/06/09 10:37:18 | 00,471,552 | ---- | M] (Nokia Corporation) -- C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
PRC - [2006/06/05 13:59:18 | 00,174,080 | ---- | M] (Nokia.) -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
PRC - [2006/05/02 22:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe


========== Modules (SafeList) ==========

MOD - [2010/01/01 02:51:02 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Asma\Desktop\OTL.exe
MOD - [2006/11/03 16:46:24 | 00,126,976 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll
MOD - [2006/11/02 09:38:57 | 01,648,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 23:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 23:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 23:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 23:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2008/12/04 02:42:00 | 00,203,296 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Windows\System32\nvvsvc.exe -- (nvsvc)
SRV - [2008/02/19 13:10:24 | 00,504,104 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/02/18 11:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/08/07 19:30:20 | 00,265,912 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/07/24 15:17:08 | 00,229,376 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2007/04/26 11:01:46 | 00,537,520 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxbkcoms.exe -- (lxbk_device)
SRV - [2006/11/28 22:10:12 | 00,063,080 | ---- | M] (Hewlett-Packard) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe -- (HP Health Check Service)
SRV - [2006/11/24 23:34:20 | 00,118,877 | ---- | M] () [Auto | Running] -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)
SRV - [2006/11/24 23:34:16 | 00,270,431 | ---- | M] () [Auto | Running] -- C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)
SRV - [2006/11/06 21:31:14 | 00,887,544 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2006/11/02 12:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/11/01 19:17:32 | 00,073,728 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2006/10/19 21:52:24 | 00,061,440 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService)
SRV - [2006/08/04 17:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) [Auto | Stopped] -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)
SRV - [2006/06/26 17:50:08 | 00,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr)
SRV - [2006/06/05 13:59:18 | 00,174,080 | ---- | M] (Nokia.) [On_Demand | Running] -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe -- (ServiceLayer)
SRV - [2006/05/02 22:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex)
SRV - [2004/10/22 11:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.co...en-US:official"
FF - prefs.js..keyword.URL: "http://www.google.co...eling Lucky&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.4\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/06 22:48:16 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/02 21:03:11 | 00,000,000 | ---D | M]

[2008/10/27 11:29:52 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Mozilla\Extensions
[2007/07/25 00:01:00 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Mozilla\Firefox\Profiles\u0j7g3rn.default\extensions
[2009/12/27 13:56:27 | 00,002,443 | ---- | M] () -- C:\Users\Asma\AppData\Roaming\Mozilla\Firefox\Profiles\u0j7g3rn.default\searchplugins\youtube---videos.xml
[2010/01/09 20:00:44 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/09/02 10:45:55 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
[2009/11/02 21:02:01 | 00,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2009/10/16 18:18:41 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/10/16 18:18:41 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/10/16 18:18:41 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/10/16 18:18:41 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (806 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKCU..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKCU..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnce: [Launcher] C:\Windows\SMINST\Launcher.exe (soft thinks)
O4 - Startup: C:\Users\Asma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SynTPEnh - Shortcut.lnk = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 21:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/01/10 19:11:39 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/01/10 19:11:33 | 00,000,000 | ---D | C] -- C:\Windows\temp
[2010/01/10 18:59:36 | 00,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/01/09 10:26:21 | 00,000,000 | ---D | C] -- C:\Users\Asma\DoctorWeb
[2010/01/07 23:47:13 | 00,137,480 | ---- | C] (Kaspersky Lab) -- C:\Users\Asma\Desktop\TDSSKiller.exe
[2010/01/07 22:31:12 | 00,000,000 | ---D | C] -- C:\_OTM
[2010/01/07 22:24:54 | 00,452,096 | ---- | C] (OldTimer Tools) -- C:\Users\Asma\Desktop\OTM.exe
[2010/01/06 19:12:42 | 00,410,624 | ---- | C] (OldTimer Tools) -- C:\Users\Asma\Desktop\TFC.exe
[2010/01/04 19:10:29 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/01/04 19:10:29 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/01/04 19:10:29 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/01/04 19:10:29 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/01/04 19:10:13 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/01/04 19:09:38 | 00,000,000 | ---D | C] -- C:\Qoobox
[2010/01/03 22:21:53 | 00,000,000 | ---D | C] -- C:\_OTL
[2010/01/01 02:51:00 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Users\Asma\Desktop\OTL.exe
[2009/12/31 23:25:50 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/12/31 23:24:23 | 00,000,000 | ---D | C] -- C:\Users\Asma\AppData\Roaming\SUPERAntiSpyware.com
[2009/12/31 23:24:23 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/31 23:23:09 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/12/31 21:32:11 | 00,023,120 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2009/12/31 21:32:10 | 00,048,560 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2009/12/31 21:32:08 | 00,097,480 | ---- | C] (ALWIL Software) -- C:\Windows\System32\AvastSS.scr
[2009/12/31 21:32:07 | 00,114,768 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswSP.sys
[2009/12/31 21:32:07 | 00,020,560 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2009/12/31 21:31:44 | 01,280,480 | ---- | C] (ALWIL Software) -- C:\Windows\System32\aswBoot.exe
[2009/12/31 21:31:44 | 00,053,328 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2009/12/31 21:31:37 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/12/31 20:06:40 | 00,000,000 | ---D | C] -- C:\Users\Asma\AppData\Roaming\Malwarebytes
[2009/12/31 20:06:34 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/31 20:06:32 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/12/31 20:06:31 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/31 20:06:31 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/31 20:03:58 | 00,000,000 | ---D | C] -- C:\Users\Asma\Desktop\Virus Cleaning
[2009/12/31 17:11:29 | 00,000,000 | ---D | C] -- C:\Program Files\MediaInfo
[2007/08/26 18:46:05 | 00,413,696 | ---- | C] ( ) -- C:\Windows\System32\lxbkinpa.dll
[2007/08/26 18:46:05 | 00,397,312 | ---- | C] ( ) -- C:\Windows\System32\lxbkiesc.dll
[2007/08/26 18:46:05 | 00,323,584 | ---- | C] ( ) -- C:\Windows\System32\LXBKhcp.dll
[2007/08/26 18:46:04 | 00,991,232 | ---- | C] ( ) -- C:\Windows\System32\lxbkusb1.dll
[2007/08/26 18:46:03 | 01,224,704 | ---- | C] ( ) -- C:\Windows\System32\lxbkserv.dll
[2007/08/26 18:46:03 | 00,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxbkpmui.dll
[2007/08/26 18:46:03 | 00,163,840 | ---- | C] ( ) -- C:\Windows\System32\lxbkprox.dll
[2007/08/26 18:46:03 | 00,094,208 | ---- | C] ( ) -- C:\Windows\System32\lxbkpplc.dll
[2007/08/26 18:46:02 | 00,585,728 | ---- | C] ( ) -- C:\Windows\System32\lxbklmpm.dll
[2007/08/26 18:46:01 | 00,696,320 | ---- | C] ( ) -- C:\Windows\System32\lxbkhbn3.dll
[2007/08/26 18:46:00 | 00,684,032 | ---- | C] ( ) -- C:\Windows\System32\lxbkcomc.dll
[2007/08/26 18:46:00 | 00,421,888 | ---- | C] ( ) -- C:\Windows\System32\lxbkcomm.dll
[2007/07/04 20:28:52 | 00,176,128 | ---- | C] ( ) -- C:\Windows\System32\csnp2uvc.dll

========== Files - Modified Within 14 Days ==========

[2010/01/10 19:25:09 | 03,407,872 | -HS- | M] () -- C:\Users\Asma\NTUSER.DAT
[2010/01/10 19:09:08 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2010/01/10 18:51:12 | 03,819,182 | R--- | M] () -- C:\Users\Asma\Desktop\ComboFix.exe
[2010/01/10 18:42:28 | 00,003,200 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/01/10 18:42:28 | 00,003,200 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/01/10 17:43:30 | 00,061,652 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/01/10 17:43:30 | 00,061,652 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/01/10 17:42:34 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/01/10 17:42:23 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/01/10 17:42:18 | 10,717,02016 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/10 17:41:21 | 00,001,660 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/01/10 17:40:39 | 02,005,421 | -H-- | M] () -- C:\Users\Asma\AppData\Local\IconCache.db
[2010/01/10 16:52:34 | 00,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{0E800DBF-F860-49BE-9326-697C915EC59E}.job
[2010/01/09 11:33:49 | 00,000,806 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/01/09 10:14:36 | 27,115,424 | ---- | M] () -- C:\Users\Asma\Desktop\drweb-cureit.exe
[2010/01/08 23:01:03 | 00,049,152 | ---- | M] () -- C:\Windows\ocsetup_install_NetFx3.etl
[2010/01/08 23:01:02 | 00,016,384 | ---- | M] () -- C:\Windows\ocsetup_cbs_install_NetFx3.perf
[2010/01/08 23:01:02 | 00,016,384 | ---- | M] () -- C:\Windows\ocsetup_cbs_install_NetFx3.dpx
[2010/01/07 23:51:34 | 00,021,560 | ---- | M] () -- C:\Windows\System32\drivers\atapi.sys
[2010/01/07 23:48:22 | 00,021,560 | ---- | M] () -- C:\Windows\System32\drivers\atapi.tsk
[2010/01/07 23:46:39 | 00,120,283 | ---- | M] () -- C:\Users\Asma\Desktop\tdsskiller.zip
[2010/01/07 23:04:31 | 00,720,952 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/01/07 23:04:31 | 00,626,246 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/01/07 23:04:31 | 00,109,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/01/07 22:25:13 | 00,452,096 | ---- | M] (OldTimer Tools) -- C:\Users\Asma\Desktop\OTM.exe
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/01/06 23:58:00 | 00,000,578 | ---- | M] () -- C:\Users\Asma\AppData\Roaming\wklnhst.dat
[2010/01/06 11:43:01 | 00,005,632 | ---- | M] () -- C:\Users\Asma\Desktop\home stuff.wps
[2010/01/04 10:56:58 | 00,000,549 | ---- | M] () -- C:\Windows\Lexstat.ini
[2010/01/01 02:51:02 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\Asma\Desktop\OTL.exe
[2009/12/31 23:26:12 | 00,000,949 | ---- | M] () -- C:\Users\Asma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SynTPEnh - Shortcut.lnk
[2009/12/31 23:24:36 | 00,000,902 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/31 21:32:11 | 00,001,849 | ---- | M] () -- C:\Users\Public\Desktop\avast! Antivirus.lnk
[2009/12/31 21:32:06 | 00,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2009/12/31 20:06:36 | 00,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/31 20:00:22 | 00,000,913 | ---- | M] () -- C:\Users\Asma\Desktop\SynTPEnh - Shortcut.lnk
[2009/12/31 19:51:56 | 00,410,624 | ---- | M] (OldTimer Tools) -- C:\Users\Asma\Desktop\TFC.exe
[2009/12/27 20:17:40 | 00,091,648 | ---- | M] () -- C:\Users\Asma\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== Files Created - No Company Name ==========

[2010/01/10 18:51:04 | 03,819,182 | R--- | C] () -- C:\Users\Asma\Desktop\ComboFix.exe
[2010/01/09 10:01:35 | 27,115,424 | ---- | C] () -- C:\Users\Asma\Desktop\drweb-cureit.exe
[2010/01/07 23:48:22 | 00,021,560 | ---- | C] () -- C:\Windows\System32\drivers\atapi.tsk
[2010/01/07 23:46:35 | 00,120,283 | ---- | C] () -- C:\Users\Asma\Desktop\tdsskiller.zip
[2010/01/07 23:33:32 | 10,717,02016 | -HS- | C] () -- C:\hiberfil.sys
[2010/01/06 11:43:01 | 00,005,632 | ---- | C] () -- C:\Users\Asma\Desktop\home stuff.wps
[2010/01/04 19:10:29 | 00,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2010/01/04 19:10:29 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/01/04 19:10:29 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/01/04 19:10:29 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/01/04 19:10:29 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/12/31 23:26:12 | 00,000,949 | ---- | C] () -- C:\Users\Asma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SynTPEnh - Shortcut.lnk
[2009/12/31 23:24:36 | 00,000,902 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/31 21:32:11 | 00,001,849 | ---- | C] () -- C:\Users\Public\Desktop\avast! Antivirus.lnk
[2009/12/31 21:31:44 | 00,380,928 | ---- | C] () -- C:\Windows\System32\actskin4.ocx
[2009/12/31 20:06:36 | 00,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/31 20:00:22 | 00,000,913 | ---- | C] () -- C:\Users\Asma\Desktop\SynTPEnh - Shortcut.lnk
[2009/11/02 23:24:25 | 00,061,652 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2009/11/02 23:24:25 | 00,061,652 | ---- | C] () -- C:\ProgramData\nvModes.001
[2009/06/09 16:16:42 | 03,482,240 | ---- | C] () -- C:\Windows\System32\drivers\snp2uvc.sys
[2009/02/11 16:45:02 | 00,027,264 | ---- | C] () -- C:\Windows\System32\drivers\sncduvc.sys
[2009/01/05 15:44:10 | 00,000,453 | ---- | C] () -- C:\Windows\bdoscandellang.ini
[2008/07/17 02:10:40 | 00,021,560 | ---- | C] () -- C:\Windows\System32\drivers\atapi.sys
[2008/04/10 21:49:28 | 00,213,632 | ---- | C] () -- C:\Users\Asma\AppData\Roaming\NMM-MetaData.db
[2007/12/09 02:38:41 | 00,000,124 | ---- | C] () -- C:\Windows\wininit.ini
[2007/11/23 19:47:31 | 00,000,680 | ---- | C] () -- C:\Users\Asma\AppData\Local\d3d9caps.dat
[2007/10/01 22:21:37 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2007/09/22 22:52:12 | 00,000,000 | ---- | C] () -- C:\ProgramData\LauncherAccess.dt
[2007/08/26 18:52:00 | 00,000,549 | ---- | C] () -- C:\Windows\Lexstat.ini
[2007/08/26 18:46:05 | 00,274,432 | ---- | C] () -- C:\Windows\System32\LXBKinst.dll
[2007/08/26 18:46:04 | 00,413,696 | ---- | C] () -- C:\Windows\System32\lxbkutil.dll
[2007/08/06 22:18:57 | 00,000,578 | ---- | C] () -- C:\Users\Asma\AppData\Roaming\wklnhst.dat
[2007/07/25 23:46:13 | 00,091,648 | ---- | C] () -- C:\Users\Asma\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/25 00:06:15 | 00,031,966 | ---- | C] () -- C:\Users\Asma\AppData\Roaming\nvModes.001
[2007/07/25 00:06:14 | 00,031,966 | ---- | C] () -- C:\Users\Asma\AppData\Roaming\nvModes.dat
[2007/07/24 21:54:36 | 00,000,000 | ---- | C] () -- C:\Users\Asma\AppData\Local\QSwitch.txt
[2007/07/24 21:54:36 | 00,000,000 | ---- | C] () -- C:\Users\Asma\AppData\Local\DSwitch.txt
[2007/07/24 21:54:36 | 00,000,000 | ---- | C] () -- C:\Users\Asma\AppData\Local\AtStart.txt
[2007/02/07 17:57:50 | 00,039,899 | ---- | C] () -- C:\Windows\System32\rtsicis.ini
[2007/01/22 08:49:34 | 00,344,064 | ---- | C] () -- C:\Windows\System32\lxbkcoin.dll
[2006/11/29 07:32:42 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/03 16:25:56 | 00,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006/11/02 12:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 10:25:21 | 00,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 07:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/19 07:02:40 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/19 07:02:40 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/05/19 14:39:58 | 00,015,497 | ---- | C] () -- C:\Windows\snp2uvc.ini
[2006/03/09 23:58:00 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/12/07 12:31:00 | 00,202,752 | R--- | C] () -- C:\Windows\System32\CddbCdda.dll
[2005/10/05 12:19:32 | 00,040,960 | ---- | C] () -- C:\Windows\System32\lxbkvs.dll
[2005/09/13 16:27:10 | 00,061,440 | ---- | C] () -- C:\Windows\System32\lxbkcnv5.dll
[2005/09/13 16:27:10 | 00,061,440 | ---- | C] () -- C:\Windows\System32\lxbkcnv4.dll
[2005/05/08 04:06:00 | 00,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[2001/11/14 11:56:00 | 01,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll

========== LOP Check ==========

[2008/06/24 21:40:15 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Datalayer
[2009/11/02 21:03:12 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Foxit
[2009/12/02 21:51:57 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Foxit Software
[2008/05/26 11:22:16 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\FrostWire
[2009/11/02 21:43:09 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\HouseCall 6.6
[2009/10/24 13:10:28 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\IObit
[2008/07/04 22:24:24 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Nokia
[2008/06/24 21:44:13 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Nokia Multimedia Player
[2008/03/23 16:11:40 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\PC Suite
[2007/09/22 22:54:21 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Samsung
[2009/04/28 11:54:27 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Sony
[2007/08/06 22:19:38 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\Template
[2010/01/10 03:07:37 | 00,000,000 | ---D | M] -- C:\Users\Asma\AppData\Roaming\uTorrent
[2010/01/10 17:41:15 | 00,032,558 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/01/10 16:52:34 | 00,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{0E800DBF-F860-49BE-9326-697C915EC59E}.job

========== Purity Check ==========


< End of report >
  • 0

#30
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done


1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

FCopy::
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys | c:\windows\System32\drivers\atapi.sys
KillAll::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
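Two read-only checks that cover what the fix above targets, added here as an example and not part of the thread or of the OTL/ComboFix tools: it lists every ShellExecuteHooks CLSID and whether it resolves to an existing DLL (the orphaned O28 entry in the log), and it compares the live atapi.sys with the DriverStore copy that the FCopy:: line restores. Function names are ours; Get-FileHash needs PowerShell 4 or later, and the mshdc.inf_* folder suffix is machine-specific, so it is located with a wildcard rather than the value quoted above.

```powershell
# Added example, not part of the thread or of OTL/ComboFix. Run from an
# elevated PowerShell (4.0 or later) prompt; nothing here modifies the system.

function Get-ShellExecuteHookStatus {
    # Every value name under this key is a CLSID; the hook DLL is whatever that
    # CLSID's InprocServer32 default value points to. A CLSID with no
    # InprocServer32 key, or whose DLL is missing, is what OTL reports on the
    # O28 line as "Reg Error: Key error. File not found".
    $hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (-not (Test-Path $hooksKey)) { return @() }
    $hooks  = Get-ItemProperty -Path $hooksKey
    $clsids = $hooks.PSObject.Properties |
        Where-Object { $_.Name -like '{*}' } |
        Select-Object -ExpandProperty Name
    foreach ($clsid in $clsids) {
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $serverKey) {
            $dll = (Get-ItemProperty -Path $serverKey).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
        $status = if (-not $dll)                  { 'Reg Error: Key error.' }
                  elseif (-not (Test-Path $dll)) { 'File not found' }
                  else                           { 'OK' }
        [pscustomobject]@{ Clsid = $clsid; Dll = $dll; Status = $status }
    }
}

function Compare-AtapiWithDriverStore {
    # The FCopy:: line in the CFScript restores atapi.sys from the DriverStore.
    # Before and after the fix, compare the live driver with that copy; an
    # in-place patched driver shows up as a hash mismatch against the store.
    $live = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'
    $repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    $store = Get-ChildItem -Path $repo -Directory -Filter 'mshdc.inf_*' -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'atapi.sys' } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $store) { throw "No DriverStore copy of atapi.sys found under $repo" }

    $liveHash  = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
    $storeHash = (Get-FileHash -Algorithm SHA256 -Path $store).Hash
    # Authenticode status is only conclusive where catalog signatures are
    # resolved (PowerShell 5.1+); on older hosts rely on HashesMatch instead.
    $sig = Get-AuthenticodeSignature -FilePath $live

    [pscustomobject]@{
        LiveDriver      = $live
        DriverStoreCopy = $store
        LiveSha256      = $liveHash
        StoreSha256     = $storeHash
        HashesMatch     = ($liveHash -eq $storeHash)
        LiveSignature   = $sig.Status
        LiveSigner      = $sig.SignerCertificate.Subject
    }
}

Get-ShellExecuteHookStatus | Format-Table -AutoSize
Compare-AtapiWithDriverStore | Format-List
```

A hook row with status other than OK, or HashesMatch = False after the CFScript has run, is the cue to ask for the ComboFix log rather than assume the driver was replaced.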