
can't go to some sites - eg. google.com

This topic is locked.

#1 greg0r (Member, 31 posts)

From what I've been reading, it sounds like I have some sort of hijacking going on.

I started by wiping system drive at Christmas, reinstalling OS (XP home), and other software piece by piece. Problem started several weeks ago (around March 1st). Was using google chrome, with google as home page, which was lightning fast, and then started having delayed searches or failed results. Now it's so bad I can't do any searches with google, and can't go to google.com. Also can't go to hotmail.com. One time I mis-typed hotnail.com, and it went there immediately, changed the n to m, and it took a long time, then displayed 'Internet Explorer cannot display this webpage'; so I suspect malware. I have been using Rebit backup and recovery software, and have recovered multiple times back to way before Chrome was installed, and still had problem with IE, and the above error. Recovered back to March first to try other approaches. Have uninstalled Chrome, run Malwarebytes, F-secure blacklight (service provider's tool), Panda Cloud Antivirus, MooCleaner, and run ATF cleaner. Several trojans, viruses, cookies, and one questionable registry entry were found and dealt with, but I still have this problem. Checked hosts file, no entries other than 127.0.0.1 localhost.

I'm at a loss. I hope someone can help me!!!

Here are the OTL log files (OTL.txt first, then Extras.txt):

OTL logfile created on: 26/03/2011 10:18:14 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = D:\Greg\downloads\technical utilities\troubleshooting\scanners+cleaners\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 146.48 Gb Total Space | 121.86 Gb Free Space | 83.19% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 793.37 Gb Free Space | 85.17% Space Free | Partition Type: NTFS
Drive L: | 1863.01 Gb Total Space | 1705.91 Gb Free Space | 91.57% Space Free | Partition Type: NTFS
Drive M: | 3.94 Gb Total Space | 0.90 Gb Free Space | 22.78% Space Free | Partition Type: FAT32

Computer Name: DAD-XP-GATEWAY | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/26 21:13:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- D:\Greg\downloads\technical utilities\troubleshooting\scanners+cleaners\OTL\OTL.exe
PRC - [2011/02/02 08:46:23 | 000,918,184 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
PRC - [2011/02/02 08:46:22 | 000,508,584 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32.exe
PRC - [2011/01/09 03:50:55 | 000,522,848 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\FWES\program\fsdfwd.exe
PRC - [2011/01/09 03:38:25 | 000,372,904 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\Anti-Virus\fsav32.exe
PRC - [2011/01/09 03:37:42 | 000,063,992 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\ORSP Client\fsorsp.exe
PRC - [2010/12/19 10:19:06 | 000,223,400 | ---- | M] (Panda Security) -- C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe
PRC - [2010/12/16 18:35:40 | 000,423,232 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
PRC - [2010/12/16 18:19:34 | 000,140,608 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
PRC - [2010/05/14 12:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/04/12 04:40:16 | 000,180,224 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\PowerISO\PWRISOVM.EXE
PRC - [2010/03/18 19:17:48 | 000,019,456 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CtHelper.exe
PRC - [2010/02/12 11:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2009/08/05 11:58:52 | 000,186,976 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\Common\FSMA32.EXE
PRC - [2009/08/05 11:58:50 | 000,199,264 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\Common\FSM32.EXE
PRC - [2009/08/05 11:58:50 | 000,088,672 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\Common\FSHDLL32.EXE
PRC - [2009/08/05 11:56:10 | 000,215,648 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/10/10 12:03:10 | 000,634,880 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\Tablet.exe
PRC - [2003/10/10 11:16:08 | 000,077,824 | ---- | M] (Wacom Technology, Corp.) -- C:\Program Files\Wacom\TabUserW.exe


========== Modules (SafeList) ==========

MOD - [2011/03/26 21:13:26 | 000,580,608 | ---- | M] (OldTimer Tools) -- D:\Greg\downloads\technical utilities\troubleshooting\scanners+cleaners\OTL\OTL.exe
MOD - [2010/12/19 10:19:06 | 000,383,656 | ---- | M] (Panda Security) -- C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.dll
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/03/18 19:17:48 | 000,008,704 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\ctagent.dll
MOD - [2009/08/05 11:59:08 | 000,256,608 | ---- | M] (F-Secure Corporation) -- C:\Program Files\COGECO Security Services\Spam Control\fsscoepl.dll
MOD - [2009/08/05 11:58:30 | 000,330,336 | ---- | M] () -- \\?\c:\program files\cogeco security services\hips\fshook32.dll
MOD - [2003/10/10 12:57:12 | 000,044,544 | ---- | M] (Wacom Technology, Corp.) -- C:\WINDOWS\system32\TabHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/01/20 21:05:32 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/01/09 03:50:55 | 000,522,848 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe -- (FSDFWD)
SRV - [2011/01/09 03:37:42 | 000,063,992 | ---- | M] (F-Secure Corporation) [On_Demand | Running] -- C:\Program Files\COGECO Security Services\ORSP Client\fsorsp.exe -- (FSORSPClient)
SRV - [2011/01/09 01:21:58 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2010/12/16 18:19:34 | 000,140,608 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe -- (NanoServiceMain)
SRV - [2010/12/02 09:41:30 | 000,739,136 | ---- | M] (Panda Security, S.L.) [Auto | Stopped] -- C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Shutdown\Pan37E.tmp\setup.exe -- (CloudAvUpdater)
SRV - [2010/02/12 11:23:12 | 000,286,720 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2009/08/05 11:58:52 | 000,186,976 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\COGECO Security Services\Common\FSMA32.EXE -- (FSMA)
SRV - [2009/08/05 11:56:10 | 000,215,648 | ---- | M] (F-Secure Corporation) [Auto | Running] -- C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe -- (F-Secure Gatekeeper Handler Starter)
SRV - [2003/10/10 12:03:10 | 000,634,880 | ---- | M] (Wacom Technology, Corp.) [Auto | Running] -- C:\WINDOWS\system32\Tablet.exe -- (TabletService)


========== Driver Services (SafeList) ==========

DRV - [2011/01/09 03:51:32 | 000,082,120 | ---- | M] (F-Secure Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\fsdfw.sys -- (FSFW)
DRV - [2011/01/09 03:40:35 | 000,042,664 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\Drivers\fsbts.sys -- (fsbts)
DRV - [2011/01/09 03:37:40 | 000,130,728 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys -- (F-Secure Gatekeeper)
DRV - [2010/12/16 18:12:59 | 000,113,096 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINProt.sys -- (PSINProt)
DRV - [2010/12/16 18:12:51 | 000,111,944 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINProc.sys -- (PSINProc)
DRV - [2010/12/16 18:12:42 | 000,130,376 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PSINKNC.sys -- (PSINKNC)
DRV - [2010/12/16 18:12:34 | 000,097,352 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINFile.sys -- (PSINFile)
DRV - [2010/12/16 18:12:26 | 000,141,768 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PSINAflt.sys -- (PSINAflt)
DRV - [2010/04/12 04:44:34 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2010/03/18 20:50:12 | 000,189,528 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\haP17v2k.sys -- (hap17v2k)
DRV - [2010/03/18 20:50:04 | 000,162,904 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\haP16v2k.sys -- (hap16v2k)
DRV - [2010/03/18 20:49:56 | 000,798,808 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k)
DRV - [2010/03/18 20:45:42 | 000,092,760 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia)
DRV - [2010/03/18 20:45:28 | 000,157,272 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2010/03/18 20:45:20 | 000,014,424 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k)
DRV - [2010/03/18 20:45:12 | 000,127,576 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2010/03/18 20:40:48 | 000,347,144 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ctdvda2k.sys -- (ctdvda2k)
DRV - [2010/03/18 20:40:40 | 000,528,472 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k) Creative Audio Driver (WDM)
DRV - [2010/03/18 20:40:32 | 000,511,064 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\CTERFXFX.SYS -- (CTERFXFX.SYS)
DRV - [2010/03/18 20:39:36 | 000,100,952 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTERFXFX.sys -- (CTERFXFX)
DRV - [2010/03/18 20:39:28 | 000,566,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTSBLFX.SYS -- (CTSBLFX.SYS)
DRV - [2010/03/18 20:39:28 | 000,566,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTSBLFX.sys -- (CTSBLFX)
DRV - [2010/03/18 20:39:18 | 000,555,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\CTAUDFX.SYS -- (CTAUDFX.SYS)
DRV - [2010/03/18 20:39:18 | 000,555,096 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CTAUDFX.sys -- (CTAUDFX)
DRV - [2010/03/18 20:39:10 | 000,099,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\COMMONFX.SYS -- (COMMONFX.SYS)
DRV - [2010/03/18 20:39:10 | 000,099,416 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COMMONFX.sys -- (COMMONFX)
DRV - [2009/08/05 11:58:30 | 000,068,064 | ---- | M] (F-Secure Corporation) [Kernel | System | Running] -- C:\Program Files\COGECO Security Services\HIPS\drivers\fshs.sys -- (F-Secure HIPS)
DRV - [2009/08/05 11:56:14 | 000,039,776 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\COGECO Security Services\Anti-Virus\win2k\fsfilter.sys -- (F-Secure Filter)
DRV - [2009/08/05 11:56:14 | 000,025,184 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\Program Files\COGECO Security Services\Anti-Virus\win2k\fsrec.sys -- (F-Secure Recognizer)
DRV - [2009/07/24 20:28:50 | 000,030,560 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nx6000.sys -- (MSHUSBVideo)
DRV - [2005/06/02 20:28:38 | 000,171,008 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MarvinBus.sys -- (MarvinBus)
DRV - [2005/02/23 19:40:26 | 000,011,264 | ---- | M] (VOB Computersysteme GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\asapiW2k.sys -- (ASAPIW2K)
DRV - [2005/02/09 13:59:00 | 000,014,165 | ---- | M] (Pinnacle Systems GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Pclepci.sys -- (PCLEPCI)
DRV - [2001/04/09 14:45:00 | 000,008,138 | ---- | M] (Wacom Technology Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PenClass.sys -- (PenClass)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\COGECO Security Services\NRS\[email protected] [2011/01/12 02:38:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Panda Security\Panda ID Protect\Firefox [2011/03/24 02:15:23 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2008/04/14 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (Panda Security Toolbar) - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll ()
O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\COGECO Security Services\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\COGECO Security Services\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (Panda Security Toolbar) - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - C:\Program Files\Panda Security\Panda Security Toolbar\PandaSecurityDx.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CTHelper] C:\WINDOWS\System32\CtHelper.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\COGECO Security Services\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\COGECO Security Services\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [Panda Security URL Filtering] C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering\Panda_URL_Filtering.exe (Panda Security)
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe ()
O4 - HKLM..\Run: [PSUNMain] C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe (Panda Security, S.L.)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKCU..\Run: [tcactive] C:\Program Files\The Cleaner\tcap.exe (MooSoft Development LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe (Wacom Technology, Corp.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: Free YouTube Download - C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm ()
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\COGECO Security Services\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\COGECO Security Services\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\COGECO Security Services\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\COGECO Security Services\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1294553507140 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creat...13/CTPIDPDE.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creat...15113/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/01/24 15:15:04 | 000,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/02/01 13:58:56 | 000,000,072 | ---- | M] () - L:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/26 17:58:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/03/26 17:57:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBlaster
[2011/03/26 17:57:55 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2011/03/25 01:05:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\thecleaner
[2011/03/25 01:05:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\The Cleaner
[2011/03/25 01:05:31 | 000,000,000 | ---D | C] -- C:\Program Files\The Cleaner
[2011/03/24 02:18:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\Panda Security
[2011/03/24 02:15:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad.DAD-XPHOME\Start Menu\Programs\Panda Cloud Antivirus
[2011/03/24 02:15:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\SurfSecret Privacy Suite
[2011/03/24 02:14:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad.DAD-XPHOME\Local Settings\Application Data\panda2_0dn
[2011/03/24 02:14:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering
[2011/03/24 02:14:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\pandasecuritytb
[2011/03/24 02:14:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Panda Cloud Antivirus
[2011/03/24 02:14:18 | 000,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2011/03/24 02:14:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2011/03/24 01:00:36 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Dad.DAD-XPHOME\IECompatCache
[2011/03/23 11:18:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\.working
[2011/03/23 00:54:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\Malwarebytes
[2011/03/23 00:53:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/03/23 00:53:44 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/03/23 00:53:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/03/23 00:53:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/03/23 00:53:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/02/25 20:31:07 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2011/01/09 01:21:13 | 000,010,752 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll
[2011/01/09 01:21:12 | 000,010,240 | ---- | C] ( ) -- C:\WINDOWS\System32\killapps.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/26 21:36:32 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/26 19:45:17 | 000,501,178 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/26 19:45:17 | 000,086,080 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/26 19:40:53 | 000,000,251 | ---- | M] () -- C:\WINDOWS\System32\wacom.dat
[2011/03/26 19:40:45 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/26 19:40:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/26 19:39:33 | 000,011,564 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000004-00000000-00000005-00001102-00000004-10051102}.rfx
[2011/03/26 19:39:32 | 000,030,912 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000004-00000000-00000005-00001102-00000004-10051102}.rfx
[2011/03/26 19:39:32 | 000,030,912 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000004-00000000-00000005-00001102-00000004-10051102}.rfx
[2011/03/26 19:39:32 | 000,029,352 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000004-00000000-00000005-00001102-00000004-10051102}.rfx
[2011/03/26 19:39:32 | 000,029,352 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000004-00000000-00000005-00001102-00000004-10051102}.rfx
[2011/03/26 19:39:15 | 004,931,577 | ---- | M] () -- C:\WINDOWS\{00000004-00000000-00000005-00001102-00000004-10051102}.CDF
[2011/03/26 19:39:15 | 004,931,577 | ---- | M] () -- C:\WINDOWS\{00000004-00000000-00000005-00001102-00000004-10051102}.BAK
[2011/03/26 19:00:00 | 000,000,250 | ---- | M] () -- C:\WINDOWS\tasks\RMSchedule.job
[2011/03/26 08:43:31 | 000,000,508 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2011/03/26 08:42:25 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/24 23:21:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/03/24 02:14:41 | 000,000,264 | ---- | M] () -- C:\WINDOWS\System32\PSUNCpl.dat
[2011/03/24 00:57:24 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/03/23 03:03:13 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/03/23 00:55:24 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/03/23 00:43:25 | 000,000,092 | ---- | M] () -- C:\error.fstmp
[2011/03/23 00:32:56 | 000,000,170 | ---- | M] () -- C:\infect.fstmp
[2011/02/25 20:30:11 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/24 02:14:41 | 000,000,264 | ---- | C] () -- C:\WINDOWS\System32\PSUNCpl.dat
[2011/03/24 00:56:02 | 000,000,508 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled scanning task.job
[2011/03/23 00:30:01 | 000,000,170 | ---- | C] () -- C:\infect.fstmp
[2011/03/23 00:30:01 | 000,000,092 | ---- | C] () -- C:\error.fstmp
[2011/02/16 23:15:54 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/02/06 18:40:34 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2011/02/06 18:40:34 | 000,000,127 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2011/01/26 04:03:04 | 000,000,017 | ---- | C] () -- C:\WINDOWS\MovingPicture.ini
[2011/01/25 02:15:00 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Dad.DAD-XPHOME\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/24 15:27:04 | 000,194,248 | ---- | C] () -- C:\WINDOWS\System32\LTRFD13n.DLL
[2011/01/24 15:15:04 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\macd32.dll
[2011/01/24 15:15:04 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2011/01/24 15:15:04 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\mamc32.dll
[2011/01/24 15:15:04 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\masd32.dll
[2011/01/24 15:15:04 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2011/01/24 15:15:04 | 000,001,194 | ---- | C] () -- C:\WINDOWS\VFO.INI
[2011/01/24 13:46:45 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\TabUnst.dll
[2011/01/24 13:46:45 | 000,015,744 | ---- | C] () -- C:\WINDOWS\System32\wintab.dll
[2011/01/18 14:28:12 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/01/18 02:36:15 | 000,002,528 | ---- | C] () -- C:\WINDOWS\FCIC.INI
[2011/01/15 19:39:20 | 000,000,251 | ---- | C] () -- C:\WINDOWS\System32\wacom.dat
[2011/01/14 05:55:55 | 000,013,408 | ---- | C] () -- C:\WINDOWS\System32\tabinst.dll
[2011/01/14 05:55:55 | 000,004,032 | ---- | C] () -- C:\WINDOWS\System32\tabins16.dll
[2011/01/14 03:03:06 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2011/01/14 03:03:06 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2011/01/14 03:03:05 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2011/01/12 18:23:44 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/01/09 03:31:00 | 000,042,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsbts.sys
[2011/01/09 01:21:14 | 000,149,838 | ---- | C] () -- C:\WINDOWS\System32\ctbas2w.dat
[2011/01/09 01:21:14 | 000,050,439 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2011/01/09 01:21:14 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CTBurst.dll
[2011/01/09 01:21:14 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\psconv.exe
[2011/01/09 01:21:13 | 000,313,207 | ---- | C] () -- C:\WINDOWS\System32\ctstatic.dat
[2011/01/09 01:21:13 | 000,051,787 | ---- | C] () -- C:\WINDOWS\System32\ctdlang.dat
[2011/01/09 01:21:13 | 000,013,312 | ---- | C] () -- C:\WINDOWS\System32\regplib.exe
[2011/01/09 01:21:12 | 000,386,852 | ---- | C] () -- C:\WINDOWS\System32\ctdnlstr.dat
[2011/01/09 01:21:12 | 000,274,587 | ---- | C] () -- C:\WINDOWS\System32\ctsbas2w.dat
[2011/01/09 01:21:12 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ctmmactl.dll
[2011/01/09 01:21:12 | 000,053,932 | ---- | C] () -- C:\WINDOWS\System32\ctdaught.dat
[2011/01/09 01:21:12 | 000,005,120 | ---- | C] () -- C:\WINDOWS\System32\enlocstr.exe
[2011/01/09 01:21:12 | 000,000,307 | ---- | C] () -- C:\WINDOWS\System32\kill.ini
[2011/01/09 01:21:12 | 000,000,054 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2011/01/09 01:19:29 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2011/01/08 22:28:29 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/01/08 22:24:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/01/08 17:11:36 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/01/08 17:10:32 | 000,169,096 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/05/26 22:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 22:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/14 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 08:00:00 | 000,501,178 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 08:00:00 | 000,086,080 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2004/12/20 19:24:03 | 001,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2004/03/11 02:26:10 | 000,406,016 | ---- | C] () -- C:\WINDOWS\System32\PSDrvCheck.exe

========== LOP Check ==========

[2011/02/03 02:07:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avanquest
[2011/01/28 15:07:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2011/01/12 02:12:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\f-secure
[2011/01/18 02:36:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FirstClass
[2011/03/24 01:31:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\fssg
[2011/01/08 22:39:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
[2011/01/24 14:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/01/13 02:27:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\J6SPz
[2011/03/24 02:14:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2011/03/26 19:41:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panda Security URL Filtering
[2011/01/25 01:34:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2011/01/24 15:11:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
[2011/01/24 15:16:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
[2011/03/26 17:58:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/01/12 02:39:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{DE8EABB5-1C85-4410-A68D-79BD8A4518F4}
[2011/02/03 13:54:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\Avanquest
[2011/01/18 03:39:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\DVDVideoSoft
[2011/01/18 03:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\DVDVideoSoftIEHelpers
[2011/01/16 01:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\F-Secure
[2011/01/13 01:42:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\IObit
[2011/03/24 02:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\Panda Security
[2011/03/24 09:34:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\pandasecuritytb
[2011/01/11 03:07:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\Registry Mechanic
[2011/03/24 09:34:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\SurfSecret Privacy Suite
[2011/03/25 01:05:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\thecleaner
[2011/01/11 03:12:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\Uniblue
[2011/01/21 23:45:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\Windows Desktop Search
[2011/01/25 01:08:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dad.DAD-XPHOME\Application Data\Windows Search
[2011/02/11 03:35:55 | 000,000,384 | ---- | M] () -- C:\WINDOWS\Tasks\AWC Update.job
[2011/03/26 19:00:00 | 000,000,250 | ---- | M] () -- C:\WINDOWS\Tasks\RMSchedule.job
[2011/03/26 08:43:31 | 000,000,508 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled scanning task.job

========== Purity Check ==========



< End of report >

OTL Extras logfile created on: 26/03/2011 10:18:14 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = D:\Greg\downloads\technical utilities\troubleshooting\scanners+cleaners\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 146.48 Gb Total Space | 121.86 Gb Free Space | 83.19% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 793.37 Gb Free Space | 85.17% Space Free | Partition Type: NTFS
Drive L: | 1863.01 Gb Total Space | 1705.91 Gb Free Space | 91.57% Space Free | Partition Type: NTFS
Drive M: | 3.94 Gb Total Space | 0.90 Gb Free Space | 22.78% Space Free | Partition Type: FAT32

Computer Name: DAD-XP-GATEWAY | User Name: Dad | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Pinnacle\Studio 10\programs\RM.exe" = C:\Program Files\Pinnacle\Studio 10\programs\RM.exe:*:Enabled:Render Manager -- (Pinnacle Systems, Inc.)
"C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe" = C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe:*:Enabled:Studio -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe" = C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile -- ( )
"C:\Program Files\Pinnacle\Studio 10\programs\umi.exe" = C:\Program Files\Pinnacle\Studio 10\programs\umi.exe:*:Enabled:umi -- (Pinnacle Systems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 23
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CB05291-F546-458E-A796-B5BCF5A3CDC4}" = Studio 10
"{4241BD9F-55F1-43B5-8694-DBC9C596F175}" = Web Easy Professional
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5B35C417-2649-11D6-83D1-0050FC01225C}" = FirstClass® Client
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A012D9C-2E2E-405A-B87C-E909F5297C3F}" = Studio 10 Bonus DVD
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A77F3C2D-50CC-4A29-A1FB-1E018BE4DCA2}" = DiscAPI
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D16AA51D-2BE9-421A-84A7-759578E64A74}" = Web Easy Professional 7
"{D6E050E5-6D90-4096-90A5-1E2F941015D2}" = Toon Boom Studio 5.0
"{E2E7A0E8-77C4-495F-8FA3-63DAEDAA2DB3}" = F-Secure PSC Prerequisites
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{EEECE229-49F6-4851-A73A-99B058221F8C}" = RAPID
"{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}" = Pinnacle Instant DVD Recorder
"{FEB2D0CA-9912-4AA1-8FBE-CFD852F9F1FC}" = Panda Cloud Antivirus
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop 7.0.1" = Adobe Photoshop 7.0.1
"Adobe Photoshop v4.0" = Adobe Photoshop v4.0
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"AudioCS" = Creative Audio Console
"Bulk Rename Utility_is1" = Bulk Rename Utility 2.7.1.2
"Creative Software AutoUpdate" = Creative Software AutoUpdate
"DMX5_is1" = DriverMax 5
"Free Studio_is1" = Free Studio version 5.0.3
"F-Secure Product 444" = COGECO Security Services
"Hollywood FX for Studio" = Pinnacle Hollywood FX for Studio
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ie8" = Windows Internet Explorer 8
"InstallShield_{4A7FDA4D-F4D7-4A49-934A-066D59A43C7E}" = SmartSound Quicktracks Plugin
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Panda Cloud Antivirus" = Panda Cloud Antivirus
"Panda Identity Protect" = Panda Identity Protect 3.0.44
"Panda Security URL Filtering" = Panda Security URL Filtering
"pandasecuritytb" = Panda Security Toolbar
"PowerISO" = PowerISO
"proDAD-Heroglyph-2.0" = proDAD Heroglyph 2.0
"SpywareBlaster_is1" = SpywareBlaster 4.4
"The Cleaner_is1" = The Cleaner 2012
"Uninstall_is1" = Uninstall 1.0.0.1
"Wacom Tablet Driver" = Wacom Tablet Driver
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 08/02/2011 11:44:36 AM | Computer Name = DAD-XPHOME | Source = Windows Search Service | ID = 3029
Description = The plug-in in <Search.JetPropStore> cannot be initialized. Context:
Windows Application, SystemIndex Catalog Details: The content index metadata cannot
be read. (0xc0041801)

Error - 08/02/2011 11:44:36 AM | Computer Name = DAD-XPHOME | Source = Windows Search Service | ID = 7040
Description = The search service has detected corrupted data files in the index.
The service will attempt to automatically correct this problem by rebuilding the
index. Context: Windows Application, SystemIndex Catalog Details: 0xc0041801 (0xc0041801)


Error - 08/02/2011 11:44:36 AM | Computer Name = DAD-XPHOME | Source = Windows Search Service | ID = 3029
Description = The plug-in in <Search.TripoliIndexer> cannot be initialized. Context:
Windows Application, SystemIndex Catalog Details: The content index cannot be read.
(0xc0041800)

Error - 08/02/2011 11:44:36 AM | Computer Name = DAD-XPHOME | Source = Windows Search Service | ID = 3028
Description = The gatherer object cannot be initialized. Context: Windows Application,
SystemIndex Catalog Details: The content index metadata cannot be read. (0xc0041801)


Error - 08/02/2011 11:44:36 AM | Computer Name = DAD-XPHOME | Source = Windows Search Service | ID = 3058
Description = The application cannot be initialized. Context: Windows Application

Details:
The
content index metadata cannot be read. (0xc0041801)

Error - 08/02/2011 6:13:51 PM | Computer Name = DAD-XPHOME | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 08/02/2011 6:13:52 PM | Computer Name = DAD-XPHOME | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 08/02/2011 6:13:53 PM | Computer Name = DAD-XPHOME | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

Error - 13/02/2011 3:23:53 AM | Computer Name = DAD-XP-GATEWAY | Source = F-Secure Anti-Virus | ID = 103
Description = 1 2011-02-13 02:23:53-04:00 DAD-XP-GATEWAY DAD-XP-GATEWAY\Dad
F-Secure Anti-Virus Manual scanning was finished - workstation was found infected!


Error - 14/02/2011 2:43:53 PM | Computer Name = DAD-XP-GATEWAY | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Application, SystemIndex
Catalog

[ System Events ]
Error - 24/03/2011 1:09:56 AM | Computer Name = DAD-XP-GATEWAY | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 24/03/2011 1:10:22 AM | Computer Name = DAD-XP-GATEWAY | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 24/03/2011 1:10:29 AM | Computer Name = DAD-XP-GATEWAY | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 24/03/2011 2:20:21 AM | Computer Name = DAD-XP-GATEWAY | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 24/03/2011 2:20:36 AM | Computer Name = DAD-XP-GATEWAY | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 24/03/2011 2:20:37 AM | Computer Name = DAD-XP-GATEWAY | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 24/03/2011 2:20:38 AM | Computer Name = DAD-XP-GATEWAY | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 24/03/2011 2:21:17 AM | Computer Name = DAD-XP-GATEWAY | Source = F-Secure Gatekeeper | ID = 327681
Description =

Error - 26/03/2011 6:10:12 PM | Computer Name = DAD-XP-GATEWAY | Source = Service Control Manager | ID = 7034
Description = The BrSplService service terminated unexpectedly. It has done this
1 time(s).

Error - 26/03/2011 6:10:12 PM | Computer Name = DAD-XP-GATEWAY | Source = Service Control Manager | ID = 7034
Description = The Creative Audio Service service terminated unexpectedly. It has
done this 1 time(s).


< End of report >
  • 0
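Reading the OTL Extras sections above by eye (firewall state, Security Center overrides, how .exe files are launched, oddly named folders in the LOP check) is what the helper does next. As an added example, not part of this thread and not OTL's or the helper's own code, here is a small Python triage script that parses the two line shapes used in the posted reports and applies those checks. The sample log is constructed from lines of the report posted above; the non-default launcher line is constructed with a placeholder path.

```python
r"""Triage helper for OTL-style logs (added example; not OTL's or the thread's code).

Parses the two line shapes seen in the posted reports:
  [2011/01/13 02:27:06 | 000,000,000 | ---D | M] -- C:\...\Application Data\J6SPz
  "EnableFirewall" = 0
and applies a few of the checks a malware-removal helper makes by eye.
"""
import re

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
FILE_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| "
                     r"([-A-Z]{4}) \| [CM]\] (?:\(\) )?-- (.+)$")
SETTING_RE = re.compile(r'^"([^"]+)" = (.+)$')
SPAWN_RE = re.compile(r"^(\w+) \[(\w+)\] -- (.+)$")
VOWELS = set("aeiouAEIOU")

# Default XP launch commands for executable/script classes (as in the posted log).
EXPECTED_SPAWN = {
    ("exefile", "open"): '"%1" %*', ("comfile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*', ("cmdfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*', ("scrfile", "open"): '"%1" /S',
}

# Constructed sample: a handful of lines copied from the OTL reports posted above.
SAMPLE_LOG = r"""
========== LOP Check ==========
[2011/01/12 02:12:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\f-secure
[2011/01/13 02:27:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\J6SPz
[2011/01/24 14:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2011/02/11 03:35:55 | 000,000,384 | ---- | M] () -- C:\WINDOWS\Tasks\AWC Update.job
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
exefile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"""

# Constructed (NOT from the thread; placeholder path): a non-default exefile launcher,
# which is how a hijacked .exe file association shows up in the Shell Spawning section.
CONSTRUCTED_HIJACK = ("========== Shell Spawning ==========\n"
                      'exefile [open] -- "C:\\PLACEHOLDER\\launcher.exe" "%1" %*\n')


def parse_sections(text):
    """Split an OTL log into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def looks_random(name):
    """Heuristic for generated folder names such as J6SPz: short, alphanumeric,
    contains a digit and has no vowels. Real product names almost always have one."""
    return (re.fullmatch(r"[A-Za-z0-9]{4,12}", name) is not None
            and any(c.isdigit() for c in name) and not (set(name) & VOWELS))


def triage(text):
    """Return [(severity, message)] findings; an empty list means nothing was flagged."""
    findings, sections, profile = [], parse_sections(text), None
    for line in sections.get("Firewall Settings", []):
        if line.startswith("["):            # registry key line: remember the profile
            profile = line.strip("[]").rsplit("\\", 1)[-1]
            continue
        m = SETTING_RE.match(line)
        if m and m.group(1) == "EnableFirewall" and m.group(2).strip() == "0":
            findings.append(("high", f"Windows Firewall disabled in {profile}"))
    for line in sections.get("Security Center Settings", []):
        m = SETTING_RE.match(line)           # *Override = 1 silences AV/firewall warnings
        if m and m.group(1).endswith("Override") and m.group(2).strip() == "1":
            findings.append(("medium", f"Security Center override set: {m.group(1)}"))
    for line in sections.get("Shell Spawning", []):
        m = SPAWN_RE.match(line)
        expected = EXPECTED_SPAWN.get((m.group(1), m.group(2))) if m else None
        if expected is not None and m.group(3).strip() != expected:
            findings.append(("high", f"{m.group(1)} [{m.group(2)}] launches via: {m.group(3)}"))
    for line in sections.get("LOP Check", []):
        m = FILE_RE.match(line)
        if m and "D" in m.group(3):          # attribute field ---D marks a directory
            name = m.group(4).rsplit("\\", 1)[-1]
            if looks_random(name):
                findings.append(("medium", f"Randomly named folder: {m.group(4)}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG) + triage(CONSTRUCTED_HIJACK):
        print(f"[{severity}] {message}")
```

Against the sample it reports the disabled StandardProfile firewall and the J6SPz folder; the constructed launcher line is flagged as high because it deviates from the default `"%1" %*`.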

#2
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi greg0r,

Sorry for the delay.

Welcome to Geekstogo. My name is Salagubang and I'll be helping you with this problem.

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • English is not my first language, so please do not use slang or idioms, as this makes it difficult to understand for me.

+++++++++++++++++++++++++++++++++++++++++++

ERUNT - Download here
Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. Compatible with Windows NT, 2000, 2003, XP, Vista, 32 & 64-bit versions. To ensure that we have a valid registry backup, install and run ERUNT (Emergency Recovery Utility NT), which allows you to store a complete backup of your registry and restore it if needed.
  • Download ERUNT
  • Double-click erunt_setup.exe to run.
  • Follow the prompts and install using the default configuration (setup language, install location, shortcuts...).
  • Say No to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later.
  • Start ERUNT
  • Choose a location for the backup
    The default location C:\WINDOWS\ERDNT\[today's date] is preferred
  • The first two check boxes are ticked by default (System registry and Current user registry).
  • Press OK
  • When prompted, click YES to create a new folder.
  • Progress bars will show backup status.
  • A confirmation window will popup when complete. Click OK to close.

+++++++++++++++++++++++++++++++++++++++++++

GMER Rootkit Scanner
  • GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)

    NOTE - Not all of the tick boxes will be available if you are running a 64bit Operating System. You may also get an error message display on the screen when using a 64bit Operating System, this is normal, just click on OK and let it carry on.

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.


  • 0

#3
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Salagubang:

thank you for your help. I installed and backed up the Registry with ERUNT, and downloaded Gmer. I extracted it to the desktop, double-clicked, and got the message 'windows cannot access the specified device, path or file. You may not have the appropriate permissions to access them.' I tried extracting it to a folder, same result. For interest's sake I scanned it with my ISP security software, and it said it found 1 virus. I did nothing, assuming that it's trustworthy, and that something else is causing the problem. My account is set up as administrator.

What do I do now?
  • 0

#4
Salagubang

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Let's proceed with bigger guns.

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of the ComboFix confirmation message, not reproduced here)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#5
greg0r

greg0r

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Salagubang:

When I opened up the link in the email notification I received, it of course went to the right place, but a dialog popped up to tell me that IE was not my default browser. I assume this is a normal result of the combofix process, and I chose 'No' for making it my default. Was that the right thing to do?

Ok, here's the combofix.txt.

ComboFix 11-04-04.04 - Dad 05/04/2011 13:13:05.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.3317.2531 [GMT -4:00]
Running from: d:\greg\downloads\technical utilities\troubleshooting\geekstogo\ComboFix.exe
AV: COGECO Security Services 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: COGECO Security Services 9.01 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dad.DAD-XPHOME\WINDOWS
L:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-05 to 2011-04-05 )))))))))))))))))))))))))))))))
.
.
2011-04-05 05:58 . 2011-04-05 05:59 -------- d-----w- c:\program files\ERUNT
2011-04-05 05:09 . 2011-04-05 05:09 -------- d-----w- c:\documents and settings\Dad.DAD-XPHOME\Application Data\Qualys
2011-04-03 16:51 . 2011-02-22 17:57 69392 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2011-04-03 16:51 . 2011-02-22 17:57 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2011-04-03 16:51 . 2011-02-22 17:57 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2011-04-03 16:51 . 2011-04-03 16:51 -------- d-----w- c:\program files\ThreatFire
2011-04-03 16:51 . 2011-04-03 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-04-03 03:37 . 2011-04-03 03:37 112 ----a-w- c:\windows\Printdir.bat
2011-04-01 05:09 . 2011-04-01 05:09 -------- d-----w- c:\program files\Rebit 5
2011-04-01 05:07 . 2011-04-01 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Rebit 5
2011-03-31 18:20 . 2011-03-31 18:20 -------- d-----w- c:\program files\freestar
2011-03-31 02:27 . 2011-03-31 02:27 -------- d-----w- c:\documents and settings\Ydam\Application Data\Windows Search
2011-03-31 02:24 . 2011-03-31 02:24 -------- d-----w- c:\documents and settings\Ydam\Application Data\Apple Computer
2011-03-31 02:23 . 2011-03-31 02:23 -------- d-----w- c:\documents and settings\Ydam\Local Settings\Application Data\Apple Computer
2011-03-30 00:07 . 2011-03-30 00:07 -------- d-----w- c:\documents and settings\Ydam\Application Data\pandasecuritytb
2011-03-30 00:01 . 2011-03-30 00:01 -------- d-----w- c:\documents and settings\Ydam\Local Settings\Application Data\panda2_0dn
2011-03-27 18:26 . 2011-03-27 18:29 -------- d-----w- c:\program files\NexusFont
2011-03-26 21:58 . 2011-04-04 06:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-03-26 21:57 . 2011-04-04 06:21 -------- d-----w- c:\program files\SpywareBlaster
2011-03-25 05:05 . 2011-03-25 05:05 -------- d-----w- c:\documents and settings\Dad.DAD-XPHOME\Application Data\thecleaner
2011-03-24 06:18 . 2011-03-24 06:18 -------- d-----w- c:\documents and settings\Dad.DAD-XPHOME\Application Data\Panda Security
2011-03-24 06:15 . 2011-03-24 13:34 -------- d-----w- c:\documents and settings\Dad.DAD-XPHOME\Application Data\SurfSecret Privacy Suite
2011-03-24 06:14 . 2011-04-02 21:24 -------- d-----w- c:\program files\Panda Security
2011-03-24 06:14 . 2011-03-24 06:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Panda Security
2011-03-24 05:00 . 2011-03-24 05:00 -------- d-sh--w- c:\documents and settings\Dad.DAD-XPHOME\IECompatCache
2011-03-23 15:18 . 2011-03-23 15:18 -------- d-----w- c:\windows\system32\.working
2011-03-23 04:54 . 2011-03-23 04:54 -------- d-----w- c:\documents and settings\Dad.DAD-XPHOME\Application Data\Malwarebytes
2011-03-23 04:53 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 04:53 . 2011-03-23 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-23 04:53 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 04:53 . 2011-03-23 04:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2008-04-14 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 18:18 . 2011-02-03 18:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-03 18:18 . 2011-02-03 18:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 07:58 . 2011-01-09 02:23 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2011-01-09 02:23 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2008-04-14 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-09 07:51 . 2011-01-09 07:30 82120 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2011-01-09 07:40 . 2011-01-09 07:31 42664 ----a-w- c:\windows\system32\drivers\fsbts.sys
2011-01-09 05:21 . 2011-01-09 05:21 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-01-09 05:21 . 2011-01-09 05:21 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-01-07 14:09 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-18 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2010-03-18 19456]
"F-Secure Manager"="c:\program files\COGECO Security Services\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\COGECO Security Services\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Rebit 5 Dashboard"="c:\program files\Rebit 5\DashUI.exe" [2011-03-15 2640120]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2011-02-22 378128]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Tina\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\Dad.DAD-XPHOME\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-2-12 113664]
TabUserW.lnk - c:\program files\Wacom\TabUserW.exe [2011-1-24 77824]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
.
R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [09/01/2011 3:31 AM 42664]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [09/01/2011 3:30 AM 82120]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [03/04/2011 12:51 PM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [03/04/2011 12:51 PM 69392]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\COGECO Security Services\HIPS\drivers\fshs.sys [09/01/2011 3:30 AM 68064]
R2 Rebit-5-Svc;Rebit 5 Svc;c:\program files\Rebit 5\Rebit-5-Svc_xp.exe [15/03/2011 11:57 AM 3224312]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [09/01/2011 1:21 AM 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [09/01/2011 1:21 AM 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [09/01/2011 1:21 AM 566360]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\COGECO Security Services\Anti-Virus\minifilter\fsgk.sys [09/01/2011 3:30 AM 130728]
R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [09/01/2011 1:20 AM 30560]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [03/04/2011 12:51 PM 33552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [18/01/2011 2:27 PM 136176]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [09/01/2011 1:21 AM 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [09/01/2011 1:21 AM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [09/01/2011 1:21 AM 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [09/01/2011 1:21 AM 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [09/01/2011 1:21 AM 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [09/01/2011 1:21 AM 566360]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\COGECO Security Services\ORSP Client\fsorsp.exe [09/01/2011 3:30 AM 63992]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 2:16 PM 753504]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\COGECO Security Services\Anti-Virus\win2k\fsfilter.sys [09/01/2011 3:30 AM 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\COGECO Security Services\Anti-Virus\win2k\fsrec.sys [09/01/2011 3:30 AM 25184]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2011-02-11 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2011-01-12 20:24]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 18:26]
.
2011-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 18:26]
.
2011-04-05 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\COGECO~1\ANTI-V~1\fsav.exe [2011-01-09 15:56]
.
2011-04-05 c:\windows\Tasks\User_Feed_Synchronization-{B8C9C3F9-2D75-408B-B6F2-0D84A44D2744}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\documents and settings\Dad.DAD-XPHOME\Application Data\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\documents and settings\Dad.DAD-XPHOME\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
LSP: c:\program files\COGECO Security Services\FSPS\program\FSLSP.DLL
DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} - hxxps://browsercheck.qualys.com/qbc_ax.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 13:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\program files\cogeco security services\hips\fshook32.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
.
- - - - - - - > 'lsass.exe'(880)
c:\program files\cogeco security services\hips\fshook32.dll
c:\program files\ThreatFire\TFWAH.dll
.
Completion time: 2011-04-05 13:32:41
ComboFix-quarantined-files.txt 2011-04-05 17:32
.
Pre-Run: 129,904,533,504 bytes free
Post-Run: 130,138,021,888 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 66C52A3CC3C18B1E0221BC7545B2BCBA

#6 greg0r (Member, Topic Starter, 31 posts)
Salagubang:

I assume that I should reload/restart my security stuff now that combofix is done. The two packages I had disabled were threatfire and Cogeco security services (cogeco is my isp), which is essentially a rebranded F-Secure. I followed the instructions in the 'How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs' article from your link (http://www.bleepingc...opic114351.html). threatfire was not listed, but it was a simple right-click on the taskbar icon, and select 'suspend'. I have just repeated that, and unchecked 'suspend', and it's back in operation.

Regarding Cogeco, once I had 'unloaded' it as per the instructions for F-Secure, there was an indication on the icon that it was successfully unloaded (and messages saying I was not protected). However, now there is no icon at all for Cogeco in the taskbar, and when I went to Start\All Programs\Cogeco\Open Cogeco Security Services, nothing happened.

The Windows Security Alert icon on the taskbar tells me that Cogeco is turned off.

What's going on? Is this expected, and am I currently then unprotected, except for Threatfire? I really don't know much about its capabilities.

#7 greg0r (Member, Topic Starter, 31 posts)
Salagubang:

Sorry, I don't know if this is relevant or not.

After posting the second message above, I noticed the status bar at the bottom of the IE page said ‘waiting for http://facebook.com/...like&api_key... and so on. It took a while ‘loading’, with the green progress bar, and then came up saying ‘Done’, with nothing happening.

What’s with that behaviour? I have nothing to do with facebook at all, I only had one browser tab open, to our conversation. Is that an automatic geekstogo.com function? Or is it something to be concerned about?

Regarding the Cogeco issue, I'm going to try rebooting to hopefully solve that problem.

#8 greg0r (Member, Topic Starter, 31 posts)
Salagubang:

Rebooting fixed the Cogeco issue. It's now fully operational again. Whew!

#9 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Hi,

Can you check if normal browsing has been restored?

Next we're going to sweep for leftovers.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#10 greg0r (Member, Topic Starter, 31 posts)
Salagubang:

Wow. Thank you!!!!

Yes, but things are really slow. The computer was really slow to load personal settings (this <might> have been a backup issue), and then pretty slow in IE. I CAN now go to google, and do a google search. Hooray!! However, when I type hotmail.com it goes to:

https://login.live.c...bcxt=mai&snsc=1

Is that normal? I never go there, so I don't even know - I assumed it would actually be hotmail.com. It was just a common site that I thought I'd try when I was testing, and I kept using it.

I already had mbam, and most recently did a full scan on April 4th, of my c:, d:, and L:(backup) drives. It found nothing infected. I updated it, ran the quick scan as instructed, found no infection, and the log is pasted at the bottom.


I have a bunch of questions:

1. - are we done, or is there more to do?

2. - does this prove that what I had was malware?

3. - do we know what the name of it was, and was it a browser hijacker?

4. - is there any indication how I got it, or when?

5. - why couldn't other software find it?

6. - specifically the two files that were deleted are of interest to me:

the first file (I guess it's really a folder) c:\documents and settings\Dad.DAD-XPHOME\WINDOWS
sure sounds to me by the name that it was a system file, but I conclude that it must have been something else posing with that name to look innocent, and that it fooled the various scanners I used. Am I correct?

The second one deleted - L:\autorun.inf was on my backup drive. This is particularly a concern, as the software I have been using (Rebit) takes an image of my drives and backs them up, supposedly so that if I have any problems I can recover back to any previous date. In the last few weeks, as mentioned in my original post, I have recovered to multiple points (dates), even to before I had any browser problems, even before I installed Chrome, and on every date had the same browser issue, being unable to go to google.

This told me that either:
a) rebit was not completely replacing the contents of the drive (what they told me today is that what they do specifically is: back up the master boot record, put a new copy of the partition table overtop of the old one, and that any other data is not wiped off but is unavailable. they don't actually format the drive)

or
b) something had snuck onto the rebit backup, and was re-infecting my computer with every recovery attempt.
Based on the autorun.inf file being deleted from that backup drive, I wonder if option 'b)' might be the case. Any opinion?

7. - is there anything else that you were able to discern or determine by looking at the log that would be helpful for me to know?

8. - for the next time I have a problem which is not detected by any scanners, can I just use combofix as long as I disable my virus/security software and firewall, or is that not recommended?

9. - is there anything more that I can do to prevent problems like this from crippling me?


Ok, now that my questions are out of the way, here's the mbam log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6283

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

06/04/2011 1:50:07 AM
mbam-log-2011-04-06 (01-50-07).txt

Scan type: Quick scan
Objects scanned: 165181
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

thanks again!

Edited by greg0r, 06 April 2011 - 12:47 AM.

#11 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Hi,

I have a bunch of questions:

- are we done, or is there more to do?


Not quite yet. I still have to look at some of the machine's grooves and crevices to see if something else needs to be done.

- does this prove that what I had was malware?


By the looks of it, yes.

- do we know what the name of it was, and was it a browser hijacker?

- is there any indication how I got it, or when?

- why couldn't other software find it?

- specifically the two files that were deleted are of interest to me:


We'll find out after a bit more digging. :D

the first file (I guess it's really a folder) c:\documents and settings\Dad.DAD-XPHOME\WINDOWS
sure sounds to me by the name that it was a system file, but I conclude that it must have been something else posing with that name to look innocent, and that it fooled the various scanners I used. Am I correct?


Yes, that is correct. Malware, especially fake-alert variants, tends to spoof Windows filenames to avoid detection.

the second one deleted - L:\autorun.inf was on my backup drive. this is particularly a concern, as the software I have been using (rebit) takes an image of my drives and backs them up, supposedly so that if I have any problems I can recover back to any previous date. In the last few weeks, as mentioned in my original post, I have restored to multiple points (dates), even to before I had any browser problems, even before I installed Chrome, and on every date had the same browser issue, being unable to go to google.


Could you try the software to see if it's still working correctly?

This told me that either:
a) rebit was not completely replacing the contents of the drive (what they told me today is that what they do specifically is: back up the master boot record, put a new copy of the partition table overtop of the old one, and that any other data is not wiped off but is unavailable. they don't actually format the drive)

or
b) something had snuck onto the rebit backup, and was re-infecting my computer with every restore.
Based on the autorun.inf file being deleted, I wonder if b) might be the case. Any opinion?


One way to find out:

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti
Copy/paste the following file path into the window (or alternatively, you can navigate and point to the file in the c:\qoobox folder - this is where all deleted quarantined files are stored)
C:\Qoobox\Quarantine\L\Autorun.inf
Click Submit/Send File
Please post back, to let me know the results.

++++++++++++++++++++++++++++++++++++++++++++

Let's proceed.

  • Download aswMBR.exe ( 511KB ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • Click the "Fix" in case of infection

  • Click Save log button and Save the aswMBR.log to the desktop
  • Post content of that log here for me

Next

Please do a scan with ESET OnlineScan

Note: If you run this in a browser other than IE you will be asked to download and install esetsmartinstaller_enu.exe
  • Click the Posted Image button.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser and allow it to install the ActiveX control.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#12 greg0r (Member, Topic Starter, 31 posts)
Salagubang:

Yes, the Rebit backup software appears to be functioning properly.

Jotti (http://virusscan.jot...41f8c77be5545b2) said Filename: autorun.inf.vir
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Wed 6 Apr 2011 19:48:31 (CET)

File size: 52 bytes
Filetype: ASCII text, with CRLF line terminators
MD5: a666ab3d140ccda5cca1ea84072674fd
SHA1: 7f3302655c82cd6731d5dba4a8a20ecfc804cc67

I hope this is all the info you need. I guess there's no real report other than what's on the screen. I clicked on 'Permalink' and it just opened up the same screen.

I'll proceed with your other recommendations.
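Jotti returned a size, MD5 and SHA1 for the quarantined file and 0 of 20 detections. The following Python script is an added example, not from this thread, ComboFix or Jotti: it computes those same digests locally so a copy can be matched against the uploaded one, and parses an autorun.inf to show whether it only sets a label or icon or would actually launch a program. The two autorun.inf samples are constructed for illustration, and the quarantine path is the one Salagubang gave above.

```python
"""Offline inspection of a quarantined autorun.inf (added example)."""
import hashlib
import os
from typing import Optional

# Quarantine path from the thread (ComboFix keeps deleted files under C:\Qoobox).
QUARANTINED_AUTORUN = r"C:\Qoobox\Quarantine\L\Autorun.inf"

# Constructed samples (not the file from the thread). The first only labels a
# drive; the second would run a program ("hypothetical.exe" is a placeholder).
BENIGN_AUTORUN = b"[autorun]\r\nlabel=Backup Drive\r\nicon=backup.ico\r\n"
SUSPECT_AUTORUN = (b"[AutoRun]\r\nopen=hypothetical.exe\r\n"
                   b"shell\\open\\command=hypothetical.exe /s\r\nicon=folder.ico\r\n")

# Keys that make AutoRun/AutoPlay launch a program; a purely cosmetic
# autorun.inf (label, icon, action) has none of them.
LAUNCH_KEYS = {"open", "shellexecute"}


def file_hashes(data: bytes) -> dict:
    """Size, MD5 and SHA1 of the raw bytes: the same values Jotti prints."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def parse_ini(text: str) -> dict:
    """Minimal INI parser: section name (lower-cased) -> list of (key, value)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def inspect_autorun(data: bytes) -> dict:
    """Report what an autorun.inf would do, without executing anything."""
    text = data.decode("latin-1")         # autorun.inf is plain 8-bit text
    launches, cosmetic = [], {}
    for key, value in parse_ini(text).get("autorun", []):
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value))  # something would be run
        elif key in ("label", "icon", "action"):
            cosmetic[key] = value          # display-only settings
    return {"launches": launches, "cosmetic": cosmetic,
            "suspicious": bool(launches), **file_hashes(data)}


def inspect_file(path: str) -> Optional[dict]:
    """Inspect an autorun.inf on disk; None if the file does not exist."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return inspect_autorun(fh.read())


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspect", SUSPECT_AUTORUN)):
        print(name, inspect_autorun(sample))
    # On the affected machine this reads the quarantined copy itself.
    print(inspect_file(QUARANTINED_AUTORUN))
```

A report whose `launches` list is empty and whose digests match Jotti's is consistent with a harmless drive-label file; any `open`, `shellexecute` or `shell\...\command` entry is the part worth a closer look.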

#13 greg0r (Member, Topic Starter, 31 posts)
Salagubang:

aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-06 13:59:52
-----------------------------
13:59:52.125 OS Version: Windows 5.1.2600 Service Pack 3
13:59:52.125 Number of processors: 2 586 0xF02
13:59:52.125 ComputerName: DAD-XP-GATEWAY UserName: Dad
14:00:26.312 Initialize success
14:00:32.218 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-e
14:00:32.234 Disk 0 Vendor: ST31000333AS CC1H Size: 953869MB BusType: 3
14:00:32.250 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19
14:00:32.250 Disk 1 Vendor: WDC_WD3200AAJS-22RYA0 12.01B01 Size: 305245MB BusType: 3
14:00:34.296 Disk 1 MBR read successfully
14:00:34.296 Disk 1 MBR scan
14:00:36.312 Disk 1 scanning sectors +307194930
14:00:36.328 Disk 1 scanning C:\WINDOWS\system32\drivers
14:00:42.421 Service scanning
14:00:44.750 Disk 1 trace - called modules:
14:00:44.765 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:00:44.781 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8ae9dab8]
14:00:44.796 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000070[0x8aea39e8]
14:00:44.812 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-19[0x8aea1d98]
14:00:44.812 Scan finished successfully
14:03:20.312 Disk 1 Windows 501 MBR fixed successfully
14:04:23.796 Disk 1 Windows 501 MBR fixed successfully

#14 greg0r (Member, Topic Starter, 31 posts)
Salagubang:

I clicked on the ESET online scanner button, and got the 'Internet Explorer cannot display the webpage' screen.

I clicked on the download link, and got the same 'Internet Explorer cannot display the webpage' screen.

I also tried to open it in a new tab, same thing.

Edited by greg0r, 06 April 2011 - 12:12 PM.


#15 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)
Ok we'll try another tool.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan
On the first tab, select all elements down to Computer, then select Start scan
Once it has finished, select Report and post that.


Do not close AVPTool or it will uninstall itself; if it does uninstall, just rerun the setup file on your desktop

Now an analysis scan
Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the last report saved folder, then attach the zip file to your next post
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
