XP Security Tool 2010/Browser Redirect Trojan


I have become infected with the XP Security Tool 2010 trojan, as well as a browser/search results redirection trojan. I am able to remove the XP Security Tool 2010 trojan through Malwarebytes, but I have been unable to remove the browser redirect trojan.

Whenever I search on Google, the proper search results will display, but when I click on the link I am re-directed to web sites that re-infect my machine with the XP Security Tool 2010 trojan. Occasionally the browser will redirect on its own, without clicking on any links.

The steps I have taken are:

1) Scan with Malwarebytes - this finds and removes the XP Security Tool 2010 Trojan.
2) Scan with AVG Anti-Virus
3) Run ATF-Cleaner
4) Uninstall and reinstall Firefox
5) Full system scan with SUPERAntiSpyware while in Safe Mode
6) Updated Java to most current version

Unfortunately, even after multiple scans with all of these programs, the browser redirect trojan is still present. This is my work computer and it has stopped me from working for the last 2 days, and I'm getting desperate as I have a project deadline and I need to get back to work. Below is my HijackThis log. If anyone would please take a look and advise me on the next steps, I don't know what else to do. I'm also posting this from my laptop, because when I attempt to post from the infected machine the browser is saying "The Connection Was Reset".


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:57:58 AM, on 4/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\system32\BMUpdate.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199134658864
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/pc/mywebex/tool/syscheck/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {b19e43c3-ba34-45e4-8298-318f769797ad} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: karna.dat kjkvbv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

End of file - 12888 bytes
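The entries in the log above that a responder would look at first are the O1 hosts lines, the two O4 autoruns registered for SYSTEM and Default user, the O18 text/html filter pointing at a DLL in system32, and the O20 AppInit_DLLs value. The script below is an added example for this thread, not code from the original post and not HijackThis's own analysis: it parses lines in HijackThis's format and flags those categories with rules of its own. The sample lines are copied from the posted log (the long idisk O1 line is shortened, and a few benign lines are kept as controls).

```python
"""Triage a HijackThis log for loading points abused by browser-redirect malware.
Added example for this thread: not code from the original post, and the checks
are this example's own rules, not HijackThis's analysis."""
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted above; benign ones act as controls
# and the long O1 idisk line is shortened.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: ::1 localhost
O1 - Hosts: idisk0.mac.com idisk1.mac.com idisk2.mac.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {b19e43c3-ba34-45e4-8298-318f769797ad} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: karna.dat kjkvbv.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [name] command"  (the hive prefix is whatever precedes \..\Run:)
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    severity: str   # "high" or "medium"
    reason: str
    line: str


def _exe_basename(cmd):
    """File name of the first token of a command line, honouring a quoted path."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd).strip()   # drop HJT's (User '...') suffix
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd else ""
    return exe.rsplit("\\", 1)[-1]


def _check_hosts(body):
    tokens = body[len("Hosts:"):].split()
    if tokens in (["127.0.0.1", "localhost"], ["::1", "localhost"]):
        return None
    return "high", "hosts entry other than localhost: name resolution is overridden locally"


def _check_run(body):
    m = RUN_RE.match(body)
    if not m:
        return None   # Global Startup folder entries are not examined by this rule
    hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
    basename = _exe_basename(cmd)
    system_hive = hive.upper().startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT"))
    masquerade = name.lower().endswith(".exe") and name.lower() != basename.lower()
    reasons = []
    if system_hive:
        reasons.append("autorun registered for the SYSTEM / Default user profile, "
                       "which legitimate software almost never does")
    if masquerade:
        reasons.append(f"value name {name!r} imitates a Windows binary but launches {basename!r}")
    if not reasons:
        return None
    return ("high" if system_hive else "medium"), "; ".join(reasons)


def _check_o20(body):
    if body.startswith("AppInit_DLLs:"):
        dlls = body[len("AppInit_DLLs:"):].split()
        if dlls:
            return "high", (f"AppInit_DLLs set to {', '.join(dlls)}: loaded into every "
                            "process that maps user32.dll")
        return None
    if body.startswith("Winlogon Notify:") and "(file missing)" in body:
        return "medium", "Winlogon Notify package points at a DLL that no longer exists"
    return None


def triage(log_text):
    """Return the suspicious lines, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        result = None
        if sec == "O1" and body.startswith("Hosts:"):
            result = _check_hosts(body)
        elif sec == "O4":
            result = _check_run(body)
        elif sec == "O18" and body.startswith("Filter hijack:"):
            result = "high", ("MIME filter registered for text/html: the named DLL sees and "
                              "can rewrite every HTML page Internet Explorer loads")
        elif sec == "O20":
            result = _check_o20(body)
        if result:
            findings.append(Finding(sec, result[0], result[1], line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample it reports six lines: the idisk hosts entry, both msiconf.exe autoruns (flagged both for the SYSTEM/Default user hive and for the msiexec.exe name that does not match the file launched), the text/html filter, the AppInit_DLLs value, and the dangling avgrsstx.dll Winlogon entry. Scanners that only remove the rogue antivirus leave the filter and AppInit_DLLs loading points in place, which is consistent with the redirect surviving the scans listed in the post; confirming that requires checking the named DLLs on the machine, which the script does not do.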
Spiderstave (Author) Commented:
So, the trojan was stopping me from accessing certain web sites, and from FTP to certain sites, which is required for my job. Because it was stopping me from working, and I had to work, I went out and bought a new drive and installed a clean copy of Windows 7, which I'd been meaning to do for a while. I'm in the process of migrating my data over from XP, so I guess this means that I no longer need to clean the infection on XP. Thank you all so much for your help and sorry if I wasted anyone's time. I'm happy to assign points because of the time you spent offering assistance, but I'm not sure if that's allowed. Can anyone advise me on how to proceed with this question? Should I just close it?

Thanks again!
stokerbritt Commented:
First, double check your hosts file, C:\Windows\System32\drivers\etc\hosts. Open it up with Notepad and make sure the only entry after the #'s is       localhost
If you see any weird IPs in there, delete them and save it, then try the internet again. If that doesn't work, download and run ComboFix, it cleans out rootkits.
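The hosts-file check in the comment above, as an added example that is not part of the original thread: a Python audit that reads a file in the format Windows uses for C:\Windows\System32\drivers\etc\hosts, keeps comments and loopback-to-localhost mappings, and reports every other entry as either "blocked" (a real name sinkholed to a loopback address, the usual way malware cuts a machine off from security-vendor update sites) or "redirected" (a name pointed at some other address). The sample file is constructed for the example; the hostnames, the .invalid domain and the 10.0.0.99 address in it are illustrative and not taken from the poster's machine.

```python
"""Audit a Windows hosts file for sinkholed or redirected names.
Added example for this thread, not code from the original post."""
import ipaddress
from dataclasses import dataclass

# Names that may legitimately map to a loopback address.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: the first four lines are benign defaults, the rest are
# illustrative hijack entries (hostnames and the 10.0.0.99 address are invented),
# and the last line exercises the malformed-entry path.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.invalid
10.0.0.99       www.google.com
10.0.0.99       www.bing.com    www.yahoo.com
not-an-ip       www.example.com
"""


@dataclass
class HostFinding:
    line_no: int
    ip: str
    host: str
    verdict: str   # "blocked", "redirected" or "malformed"


def audit_hosts(text):
    """Return (findings, cleaned_text).

    cleaned_text keeps comments, blank lines and loopback->localhost mappings
    only, so it can be written back over a hijacked file."""
    findings, kept = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        content = raw.split("#", 1)[0].strip()   # hosts files use '#' comments
        if not content:
            kept.append(raw)
            continue
        ip_text, *names = content.split()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(HostFinding(n, ip_text, " ".join(names), "malformed"))
            continue
        # A line may map several names; only loopback -> localhost is acceptable.
        suspicious = [h for h in names if not (ip.is_loopback and h.lower() in LOCALHOST_NAMES)]
        for host in suspicious:
            verdict = "blocked" if ip.is_loopback else "redirected"
            findings.append(HostFinding(n, ip_text, host, verdict))
        if not suspicious:
            kept.append(raw)
    return findings, "\n".join(kept) + "\n"


if __name__ == "__main__":
    findings, cleaned = audit_hosts(SAMPLE_HOSTS)
    for f in findings:
        print(f"line {f.line_no}: {f.verdict:10} {f.host} -> {f.ip}")
    print("--- cleaned file ---")
    print(cleaned, end="")
```

Two checks worth doing before trusting an edit to the file: some hosts hijackers set the file read-only or hidden so that a save from Notepad fails quietly, so look at the attributes first; and Windows reads the file from the directory named in the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, so confirm that value still points at %SystemRoot%\System32\drivers\etc, otherwise the file you edited is not the one in use.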
Tymetwister Commented:
Have you tried running Malwarebytes in Safe Mode?

Also making sure it's up to date with the latest definitions, of course.

Run ComboFix in Safe Mode with Networking so that it can update if necessary.

Then reset IE7/IE8.
Spiderstave (Author) Commented:
Tymetwister - Yes, I have run Malwarebytes in Safe Mode and the definitions are up to date.

stokerbritt - I checked my hosts file and there were a bunch of extra IP addresses in there. I removed all of them except localhost. The browser redirect was still happening so I ran ComboFix. The browser redirect is still happening. My ComboFix log below.

Also, I ran my HijackThis log through an automatic analyzer and it is reporting that these two registry entries are a known trojan:

O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')

And it is recommending that I run a program called SDfix:


Do you think it would be a good idea to run this?

ComboFix Log:                                          
ComboFix 10-04-10.01 - Luke 04/10/2010  12:43:23.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3327.2493 [GMT -7:00]
Running from: c:\documents and settings\Luke\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

c:\program files\Common

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


(((((((((((((((((((((((((   Files Created from 2010-03-11 to 2010-04-11  )))))))))))))))))))))))))))))))

2010-04-10 17:53 . 2010-04-10 17:53      --------      d-----w-      c:\program files\TrendMicro
2010-04-09 20:33 . 2010-04-09 20:33      --------      d-----w-      c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-09 20:33 . 2010-04-09 20:33      --------      d-----w-      c:\program files\SUPERAntiSpyware
2010-04-09 20:33 . 2010-04-09 20:33      --------      d-----w-      c:\documents and settings\Luke\Application Data\SUPERAntiSpyware.com
2010-04-09 20:26 . 2010-04-09 19:55      15880      ----a-w-      c:\windows\system32\lsdelete.exe
2010-04-09 19:55 . 2010-02-04 15:53      64288      ----a-w-      c:\windows\system32\drivers\Lbd.sys
2010-04-09 19:55 . 2010-04-09 19:55      95024      ----a-w-      c:\windows\system32\drivers\SBREDrv.sys
2010-04-09 19:53 . 2010-04-09 19:53      --------      dc-h--w-      c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-09 19:53 . 2010-04-09 19:53      --------      d-----w-      c:\program files\Lavasoft
2010-04-09 17:51 . 2010-04-09 17:51      183808      --sha-w-      c:\documents and settings\Luke\Local Settings\Application Data\562387286.dll
2010-04-07 20:33 . 2010-04-09 20:36      918360      ----a-w-      c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-04-05 00:42 . 2010-04-05 00:43      --------      d-----w-      C:\3b0ff290e7bcc873702f2a8f
2010-04-04 01:08 . 2010-04-04 01:08      --------      d-----w-      c:\documents and settings\Luke\Local Settings\Application Data\IsolatedStorage

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-04-10 19:17 . 2008-04-27 06:21      --------      d-----w-      c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 17:51 . 2008-01-01 04:36      --------      d-----w-      c:\program files\uTorrent
2010-04-10 17:45 . 2008-09-10 20:41      --------      d-----w-      c:\program files\LogMeIn
2010-04-09 21:13 . 2008-04-23 01:20      --------      d-----w-      c:\program files\Java
2010-04-09 21:13 . 2008-04-23 01:20      --------      d-----w-      c:\program files\Common Files\Java
2010-04-09 20:33 . 2008-10-26 22:50      --------      d-----w-      c:\program files\Common Files\Wise Installation Wizard
2010-04-09 17:58 . 2010-04-09 17:58      --------      d-----w-      c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-09 17:56 . 2010-01-25 19:42      --------      d-----w-      c:\documents and settings\All Users\Application Data\NOS
2010-04-09 17:51 . 2008-10-26 23:21      --------      d-----w-      c:\program files\Malwarebytes' Anti-Malware
2010-04-09 16:33 . 2009-04-11 02:16      --------      d-----w-      c:\documents and settings\All Users\Application Data\Google Updater
2010-04-08 23:29 . 2008-01-03 23:38      64      ----a-w-      c:\windows\msocreg32.dat
2010-04-07 20:32 . 2007-12-31 23:26      --------      d-----w-      c:\program files\Trillian
2010-04-05 00:48 . 2008-03-25 23:57      --------      d-----w-      c:\program files\TurboTax
2010-04-05 00:48 . 2007-12-31 21:23      155640      ----a-w-      c:\documents and settings\Luke\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-04 01:35 . 2008-01-01 04:36      --------      d-----w-      c:\documents and settings\Luke\Application Data\uTorrent
2010-04-01 13:06 . 2009-08-04 06:44      --------      d-----w-      c:\program files\EarMaster Pro 5
2010-03-31 22:20 . 2008-02-15 05:31      --------      d-----w-      c:\documents and settings\Luke\Application Data\mIRC
2010-03-31 22:19 . 2008-02-15 05:31      --------      d-----w-      c:\program files\mIRC
2010-03-30 07:46 . 2008-10-26 23:21      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2008-10-26 23:21      20824      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-03-10 21:45 . 2010-03-10 21:45      6      ----a-w-      c:\windows\Fonts\wfonts.key
2010-02-15 22:27 . 2008-01-09 23:04      --------      d-----w-      c:\program files\FLV Player
2010-02-13 19:27 . 2010-02-13 19:26      --------      d-----w-      c:\program files\iTunes
2010-02-13 19:26 . 2010-02-13 19:26      --------      d-----w-      c:\program files\iPod
2010-02-13 19:26 . 2008-01-01 21:52      --------      d-----w-      c:\program files\Common Files\Apple
2010-02-13 19:23 . 2008-01-01 01:12      --------      d-----w-      c:\program files\QuickTime
2010-02-12 19:35 . 2010-02-12 19:35      --------      d-----w-      c:\documents and settings\Luke\Application Data\Add-in Express
2010-02-12 19:35 . 2010-02-12 19:35      --------      d-----w-      c:\program files\Add-in Express
2010-02-10 21:40 . 2010-02-10 21:40      --------      d-----w-      c:\documents and settings\Luke\Application Data\ieSpell
2010-02-10 21:40 . 2010-02-10 21:40      --------      d-----w-      c:\program files\ieSpell
2010-02-01 18:46 . 2008-12-09 17:59      114156      ---ha-w-      c:\windows\system32\mlfcache.dat
2008-10-26 21:07 . 2008-10-26 21:07      15071      ----a-w-      c:\program files\Common Files\ejobemuje.reg
2008-10-26 21:07 . 2008-10-26 21:07      14314      ----a-w-      c:\program files\Common Files\ides._sy

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

2010-01-04 19:36      2848568      ----a-w-      c:\program files\MozyHome\mozyshell.dll

2010-01-04 19:36      2848568      ----a-w-      c:\program files\MozyHome\mozyshell.dll

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-31 68856]
"Google Update"="c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-31 135664]

"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2005-11-09 91136]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-31 2046816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-10 136472]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Distillr\Acrotray.exe" [2006-01-13 483328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2010-1-4 2893624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21      548352      ----a-w-      c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 16:35      11952      ----a-w-      c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 22:15      87352      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Luke^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Luke\Start Menu\Programs\Startup\MagicDisc.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12      1695232      ----a-w-      c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-04-09 02:43      1953792      ------w-      c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 19:50      155648      ----a-w-      c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
2002-09-24 16:21      86016      ----a-w-      c:\program files\Visioneer OneTouch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08      417792      ----a-w-      c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-09-25 03:27      1217784      ----a-w-      c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-06-10 10:55      1326080      ----a-w-      c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WMP300NSvc"=2 (0x2)
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"SQLWriter"=3 (0x3)
"PnkBstrA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Norton Ghost"=2 (0x2)
"MDM"=2 (0x2)
"iPod Service"=3 (0x3)
"IntuitUpdateService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1c9ba4b94b36c70"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
cmdlreg      REG_SZ               c:\windows\system32\mqtgHost.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\FTP Commander\\Ftpcomm.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Charles\\Charles.exe"=
"c:\\Program Files\\Steam\\steamapps\\spiderstave\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Steam\\steamapps\\spiderstave\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"g:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/9/2010 12:55 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/18/2008 8:58 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/18/2008 8:58 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/19/2009 9:35 AM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/19/2009 9:35 AM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1265264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 3:31 PM 12856]
R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [1/3/2008 3:20 PM 23288]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;c:\windows\system32\drivers\WMP300Nv1.sys [1/3/2009 2:57 PM 822400]
S3 ELECTRO;ELECTRO;c:\windows\system32\drivers\electro.sys [1/29/2010 8:15 PM 34260]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system32\drivers\KORGUMDS.SYS [3/29/2007 1:11 AM 21984]
S3 MADFU804;MADFU804;c:\windows\system32\drivers\MADFU804.sys [1/2/2008 5:23 PM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S4 gupdate1c9ba4b94b36c70;Google Update Service (gupdate1c9ba4b94b36c70);c:\program files\Google\Update\GoogleUpdate.exe [4/10/2009 7:16 PM 133104]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
S4 WMP300NSvc;WMP300NSvc;c:\program files\Linksys\WMP300N\WLService.exe [1/3/2009 2:57 PM 53307]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper      REG_MULTI_SZ         getPlusHelper
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 19:54]

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 02:16]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-11 02:16]

2010-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-413027322-839522115-1003Core.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-18 14:30]

2010-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-413027322-839522115-1003UA.job
- c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-18 14:30]
------- Supplementary Scan -------
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\n4up01kb.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Luke\Local Settings\Application Data\Google\Update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\Adobe\Acrobat\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\\npGoogleOneClick8.dll

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BMUpdate - c:\windows\system32\BMUpdate.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKU-Default-Run-msiexec.exe - msiconf.exe
Notify-AtiExtEvent - (no file)
MSConfigStartUp-SkyTel - SkyTel.EXE
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe
AddRemove-3D Shadow by Lokas Software - c:\windows\AWuninstall.exe Software\Lokas Ltd\3D Shadow
AddRemove-Arturia Moog Modular V2 v1.0 - g:\progra~1\Arturia\MOOGMO~1\UNWISE.EXE
AddRemove-Native Instruments - Kore 2 Controller - g:\program files\Native Instruments\Kore 2 Controller\uninst.exe Software\Native Instruments\Kore 2 Controller\Setup
AddRemove-REAPER - c:\program files\REAPER\Uninstall.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Luke\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-10 12:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-436374069-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}*]
@Allowed: (Read) (RestrictedCode)
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(896)

- - - - - - - > 'explorer.exe'(3996)
c:\program files\MozyHome\mozyshell.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
------------------------ Other Running Processes ------------------------
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\M-Audio\MobilePre\Install\MPInst.exe
c:\program files\MozyHome\mozybackup.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
Completion time: 2010-04-11  00:16:52 - machine was rebooted
ComboFix-quarantined-files.txt  2010-04-11 07:16

Pre-Run: 854,233,620,480 bytes free
Post-Run: 854,191,910,912 bytes free

[boot loader]
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows 3GB DAW" /noexecute=optin /fastdetect /3GB /userva=3030

- - End Of File - - 7D6D08657109F0DF837DF61062BF989E

Can you run a scan with Hitmanpro and note what is detected?
Try running Internet Explorer without add-ons. Start then Run and enter iexplore -extoff
Go to google and test it. If it works as it should that means it's an add-on causing the problem. Go to Tools>Manage Add-ons and you should be able to find it then disable it.
Go ahead and run SDFIX, follow the instructions. I'm pretty sure you run that in safe mode, and do it in just normal safe mode, not safe mode with networking. You don't want the virus downloading buddies.
You might also check your downloaded program files and delete all of those, turn off system restore (Control Panel, System, System Restore tab), run a disk cleanup, delete all temp files,

C:\Windows\Downloaded Program Files
Let me know.
I'd advise against turning off system restore for the moment.
Harmless unless restored to a recent date but sometimes a restore is needed and a follow up cleanup :)
SpiderstaveAuthor Commented:
Stokerbritt - I ran SDFix, it did find 1 trojan and deleted it, but unfortunately the browser redirect is still happening. I went through and removed all programs in C:\Windows\Downloaded Program Files. I was about to follow your other instructions, but wanted to make sure I was clear that I should disable system restore. I went to do it, but it warned me that I would be deleting all system restore points, which worried me. Is this safe to do? Just want to make sure I'm following your instructions properly.

If so, I would disable system restore, then run a disk cleanup and delete all temp files?

Also, pasting my SDFix log below just to having everything here.

SDFix Log:

[b]SDFix: Version 1.240 [/b]
Run by Luke on Sun 04/11/2010 at 12:47 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

Restoring Default Security Values
Restoring Default Hosts File


[b]Checking Files [/b]:

Trojan Files Found:

C:\Program Files\Common Files\ides._sy - Deleted

Removing Temp Files

[b]ADS Check [/b]:

                                 [b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 01:00:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}]

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

[b]Remaining Services [/b]:

Authorized Application Key Export:

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"="C:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe:*:Enabled:WS_FTP Pro Application"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\FTP Commander\\Ftpcomm.exe"="C:\\Program Files\\FTP Commander\\Ftpcomm.exe:*:Enabled:Ftpcomm"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Charles\\Charles.exe"="C:\\Program Files\\Charles\\Charles.exe:*:Enabled:Charles Web Debugging Proxy"
"C:\\Program Files\\Steam\\steamapps\\spiderstave\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\spiderstave\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Steam\\steamapps\\spiderstave\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\spiderstave\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"="C:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe:*:Enabled:Empire: Total War"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"G:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="G:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM)"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"="C:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Java\\jre6\\bin\\java.exe"="C:\\Program Files\\Java\\jre6\\bin\\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe"="C:\\Program Files\\Common Files\\Intuit\\Update Service\\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[b]Remaining Files [/b]:

File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Thu 18 Sep 2008        77,312 ...H. --- "C:\Proposal&Contract\Bracelet.name\~WRL2688.tmp"
Thu 18 Sep 2008        78,336 ...H. --- "C:\Proposal&Contract\Bracelet.name\~WRL3275.tmp"
Tue  9 Sep 2008        80,896 ...H. --- "C:\Proposal&Contract\Bracelet.name\~WRL3422.tmp"
Tue 19 May 2009         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri  9 Apr 2010        34,282 ...H. --- "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpgui.exe-CommandBars"
Mon  9 Jun 2008        73,728 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL1324.tmp"
Mon  9 Jun 2008        74,752 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL1523.tmp"
Mon  9 Jun 2008        74,752 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL1777.tmp"
Mon  9 Jun 2008        75,264 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL3058.tmp"
Mon  9 Jun 2008        74,240 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL3174.tmp"
Thu  9 Aug 2007        73,216 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL3818.tmp"
Mon  9 Jun 2008        74,752 ...H. --- "C:\Proposal&Contract\Esparza Advertising\Estimates\~WRL3912.tmp"
Sun 21 Jul 2002       418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Thu 18 Jul 2002       390,144 ...HR --- "C:\WINDOWS\system32\Tools\Change.exe"
Fri 19 Jul 2002       574,464 ...HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
Mon 19 Aug 2002       430,592 ...HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
Mon 22 Jul 2002       390,656 ...HR --- "C:\WINDOWS\system32\Tools\DelFolders.exe"
Fri 22 Nov 2002       399,872 ...HR --- "C:\WINDOWS\system32\Tools\DirectSetup.exe"
Fri 19 Jul 2002       388,096 ...HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
Fri 19 Jul 2002       388,608 ...HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
Sun  1 Dec 2002       431,616 ...HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
Fri 19 Jul 2002       388,096 ...HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
Mon 31 Dec 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri  9 Apr 2010       183,808 A.SH. --- "C:\Documents and Settings\Luke\Local Settings\Application Data\562387286.dll"
Tue  8 Sep 2009        30,748 ...H. --- "C:\Documents and Settings\Luke\My Documents\Ideal Boy\~WRL0003.tmp"
Sun  4 Oct 2009        30,176 ...H. --- "C:\Documents and Settings\Luke\My Documents\Ideal Boy\~WRL0004.tmp"
Thu 10 Jan 2008       120,832 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL0171.tmp"
Fri 16 Nov 2007       114,176 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL1149.tmp"
Thu 10 Jan 2008       121,344 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL3003.tmp"
Thu 10 Jan 2008       121,344 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL3738.tmp"
Thu 10 Jan 2008       121,344 ...H. --- "C:\Websites\Suicide Squeeze\EPKs\Minus The Bear\~WRL3858.tmp"
Fri  2 May 2008     3,493,888 A..H. --- "C:\Documents and Settings\Luke\Application Data\U3\temp\Launchpad Removal.exe"


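The "Files with Hidden Attributes" list above is where the real dropper showed up (the digits-only, system+hidden DLL under Local Settings\Application Data that HitmanPro later quarantined). Added example, not part of the thread or of SDFix: a small parser that reads that section of an SDFix log and ranks entries by the traits this thread points at (system+hidden attributes, digits-only name, user-writable profile directory, modified within days of the scan). The sample lines are constructed from the log posted above; the directory patterns and the 7-day window are assumptions.

```python
"""Triage the "Files with Hidden Attributes" section of an SDFix log."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: five lines copied from the SDFix log posted in this thread.
SAMPLE_LOG = r"""
Thu 18 Sep 2008        77,312 ...H. --- "C:\Proposal&Contract\Bracelet.name\~WRL2688.tmp"
Fri  9 Apr 2010        34,282 ...H. --- "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpgui.exe-CommandBars"
Sun 21 Jul 2002       418,816 ...HR --- "C:\WINDOWS\system32\Tools\All.exe"
Fri  9 Apr 2010       183,808 A.SH. --- "C:\Documents and Settings\Luke\Local Settings\Application Data\562387286.dll"
Fri  2 May 2008     3,493,888 A..H. --- "C:\Documents and Settings\Luke\Application Data\U3\temp\Launchpad Removal.exe"
"""

# One SDFix entry: weekday, day, month, year, size, 5-char attribute field, quoted path.
LINE_RE = re.compile(
    r'^\w{3}\s+(\d{1,2})\s+(\w{3})\s+(\d{4})\s+([\d,]+)\s+([A-Z.]{5})\s+---\s+"(.+)"\s*$'
)

# Profile locations the thread names for this infection's files (assumed generalisation).
USER_PROFILE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
)


@dataclass
class HiddenFile:
    path: str
    size: int
    attrs: str          # SDFix attribute field, e.g. "A.SH." (S = system, H = hidden)
    modified: datetime
    reasons: list = field(default_factory=list)


def parse_hidden_files(text):
    """Return one HiddenFile per line that matches the SDFix entry format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, mon, year, size, attrs, path = m.groups()
        modified = datetime.strptime(f"{day} {mon} {year}", "%d %b %Y")
        entries.append(HiddenFile(path, int(size.replace(",", "")), attrs, modified))
    return entries


def triage(entries, scan_date, recent_days=7):
    """Attach reasons to each entry; return those with at least two reasons."""
    for e in entries:
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        if "S" in e.attrs and "H" in e.attrs:
            e.reasons.append("system+hidden attributes")
        if stem.isdigit():
            e.reasons.append("digits-only file name")
        if any(d in low for d in USER_PROFILE_DIRS):
            e.reasons.append("user-writable profile directory")
        if timedelta(0) <= scan_date - e.modified <= timedelta(days=recent_days):
            e.reasons.append(f"modified within {recent_days} days of scan")
    # A single trait (e.g. just "recent") is normal noise; two or more is worth a look.
    return [e for e in entries if len(e.reasons) >= 2]


def triage_sdfix_log(text, scan_date_str):
    """Convenience wrapper: scan date in the 'Run by ... on Sun 04/11/2010' format."""
    scan_date = datetime.strptime(scan_date_str, "%m/%d/%Y")
    hits = triage(parse_hidden_files(text), scan_date)
    return [(h.path.rsplit("\\", 1)[-1], h.reasons) for h in hits]


if __name__ == "__main__":
    for name, reasons in triage_sdfix_log(SAMPLE_LOG, "04/11/2010"):
        print(name, "->", "; ".join(reasons))
```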
SpiderstaveAuthor Commented:
Optoma - Thanks for your post, I didn't see it when I asked stokerbritt if he was sure it was okay to disable it. If it won't cause any problems I'd feel safer leaving it enabled. Do you also think it's a good idea to run disk cleanup and delete all temp files?
Yes, it's safe to disable system restore. We do that because the virus/spyware hides in there also, and if you ever do a system restore after we clean it, it will come back.
Yes, please try to clear up any temp files.
Here is a list of files that are related to the virus you had; make sure they have been deleted.
Note: you may have to show hidden files, or system protected files, to see them.

Windows XP:

c:\Documents and Settings\All Users\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\ave.exe
%UserProfile%\Local Settings\Application Data\QJyrk5wvCU1
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\Local Settings\Temp\QJyrk5wvCU1
SpiderstaveAuthor Commented:
Stokerbritt - Okay, thanks for your help, I will disable system restore, run disk cleanup and delete all temp files.

Optoma - I downloaded HitmanPro and ran it, and it did find 2 files none of the other scans did, but it did not produce a log for me to post, and I couldn't find any option to produce a log.
SpiderstaveAuthor Commented:
Stokerbritt - Okay, I ran a Disk Cleanup with system restore off, but there aren't really any temp files left. The list looks like this:

Downloaded Program Files - 0 KB
Temporary Internet Files - 127 KB
Old Chkdsk files - 25 KB
Recycle Bin - 0 KB
Setup Log Files - 2,654 KB
Temporary files - 0 KB
WebClient/Publisher Temporary Files - 32 KB
Compress old files - 48,193,05 KB
Catalog files for the Content Indexer - 0 KB

By default the only items checked are "Downloaded Program Files" and "Temporary Internet Files". Should I clear these? Are there any other items I should delete?
Hi again,
Try Hitmanpro scan which I mentioned above.
Only takes few minutes to run :)
Also do a search for "msiconf.exe". That file is a known virus file; I saw it in your HijackThis logs. If you find it, look at its date created/modified: if it's within the past few days, and it doesn't have a description, it may be part of the virus.
Sorry didn't refresh page :(

Open Hitmanpro, hit settings and history tab to view what was removed
You can go ahead and dump the temp files, don't bother with the rest right now.
SpiderstaveAuthor Commented:
optoma - HitManPro files removed:

SWFDecompiler.exe - C:\Program Files\SourceTec\Sothink SWF Decompiler\ - Deleted

562387286.dll - C:\Documents and settings\Luke\Local Settings\Application Data\ - Quarantined

stokerbritt - I'll do a search for msiconf.exe.

Any other ideas? This thing is a bugger!
Download this tool.
Run a full scan, might take a bit. Also, did you run a full scan with Malwarebytes? Make sure all scanners are updated completely.
Other than the browser hijacker, are you getting any weird popups?
This is a little like a needle in a haystack, but hang in there and we will be able to get it.
SpiderstaveAuthor Commented:
stokerbritt - Okay, I will download that tool and conduct a full scan.

I have not done a full scan with Malwarebytes, only a "Smart Scan". Should I do a full scan? Should it be in safe mode?

Also, I have 3 hard drives. When I run full scans, do I need to scan all 3 hard drives or only my OS hard drive? I ran a full system scan with SUPERAntiSpyware and it took almost 20 hours to scan all drives. The other 2 drives are almost exclusively storage, and don't really have any programs installed on them.

Thanks for your help!
SpiderstaveAuthor Commented:
stokerbritt - I searched my C:\ drive for msiconf.exe and didn't find anything. There is 1 entry in my registry for "msiconf.exe". Should I consider removing that registry item?
Ok, thanks :)
Are the redirects happening in both Firefox and Internet Explorer?

Check the hosts file again for extra entries
Show all files first
Yes, definitely run the full scan with Malwarebytes, and the full scan with Norman malware removal,
then remove anything they find, then reboot.
SpiderstaveAuthor Commented:
Showed all hidden files... checked hosts file and the only entry is: localhost

Yes, re-direct is happening in both Internet Explorer and Firefox. When I perform a Google search the first time I click on a link it's fine, but the second time it always re-directs to a bad URL.
SpiderstaveAuthor Commented:
stokerbritt - Okay, I will run full systems scans in safe mode on all 3 drives with both malwarebytes and Norman Malware Cleaner. Will post again with results as soon as they are done, will probably be awhile.
If you want to try this first as will only take a min or so

Fix these entries in Hijackthis:

O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')

O18 - Filter hijack: text/html - {b19e43c3-ba34-45e4-8298-318f769797ad} - C:\WINDOWS\system32\mst122.dll

O20 - AppInit_DLLs: karna.dat kjkvbv.dll

Then run Tdsskiller

Reboot and test
SpiderstaveAuthor Commented:
optoma - Thanks for the info! What do you mean by "fix these entries"? Just delete those files, or remove them from the registry or?

Re run hijackthis and check the boxes relevant to above entries and select "fix checked"
SpiderstaveAuthor Commented:
optoma - Ran HijackThis again and none of the files you listed were present any longer. I believe some of the scans I ran removed them.

Also, I ran TDSSKiller, it did find one infection "nvata.sys", but I googled it and that is actually the driver for my video card, so I believe that was a false positive.

I guess all that is left is to run full system scans with Malwarebytes and Norman Malware Cleaner? If that doesn't work I guess I just have to reinstall my OS? This is so close to being fixed, it's just the browser redirect trojan that I can't find :(
Create a system restore point first.

Run Tdsskiller again and let it clean the driver.

Rootkits infect system drivers and redirects can be a result
SpiderstaveAuthor Commented:
optoma - I ran TDSSKiller again, but it won't cure the file. It says this:

Scanning Kernel memory...
Driver "nvata" infected by TDSS rootkit!
File "C:\WINDOWS\system32\DRIVERS\nvata.sys" infected by TDSS rootkit ... cure failed


Memory objects infected / cured / cured on reboot: 1 / 0 / 0
Registry objects infected / cured /cured on reboot: 0 / 0 / 0
File objects infected / cured / cured on reboot: 1 / 0 / 0

Any ideas on what to do with this file?
It can't cure it as it can't find a non-infected replacement.

Do a system search and check to search everywhere, ie system files etc for nvata.sys

What make and model is the machine?
SpiderstaveAuthor Commented:
Performed a search and only found 1 version at C:\WINDOWS\system32\drivers

The machine is a PC that I built myself. The MOBO is an nFORCE 570-SLIT-A, the video card is an NVIDIA GeForce 9600.
This may work.
>>>>>Create a system restore point again!

Boot into safe mode with networking and download the Nvidia motherboard package
and re/install it or download it on another machine and see if it installs in safe mode with networking.

It may overwrite the infected one.

If that completes run Tdsskiller again
SpiderstaveAuthor Commented:
Two questions:

1) How do I manually create a new system restore point? I know how to turn on system restore so that it monitors the drives, but I'm not sure how to force it to create a restore point.

2) I have the nVIDIA motherboard disc. Can I just use that and/or could I just search the CD for nvata.sys?

Thanks again for your help!

SpiderstaveAuthor Commented:
Just a heads up, I found the exact same file (nvata.sys) on the mobo disc. Same file size, same last modified date (4/24/2006 2:52 AM).
Start,programs,accessories,system tools, system restore
Should be option to create a restore point.

Yeah cd may also work.

>If you find nvata.sys on cd, copy and paste it into C:\WINDOWS\system32\dllcache
Then re run Tdsskiller

>Otherwise run the setup
Ok copy it to dllcache and run Tdsskiller.
Post its logfile after!
SpiderstaveAuthor Commented:
Replaced nvata.sys from the manufacturer's CD, re-ran TDSSKiller and it's still thinking that file is infected.
Did you place it in dllcache?
SpiderstaveAuthor Commented:
oh, I'm sorry, I missed that. I replaced it in system32/drivers, and I placed it in system32/dllcache. Note that it was not in dllcache previously.

I re-ran TDSSKiller and it said the exact same thing as I posted above.
If you can reach virustotal upload both files and note how many hits they get.
I haven't seen Tdsskiller detect a false positive before :(

I haven't checked the logs at all... as my connection is terribly bad - disconnected every few minutes.

If the problem still exists:
Can you please run Gmer again but make sure that "Sections" box is checked.
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..

In the right panel, you will see several boxes that have been checked.
Ensure the following are UNCHECKED:
*Drives/Partition other than Systemdrive (typically C:\)
*Show All (don't miss this one)

Then click the Scan button & wait for it to finish.

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.
Hi Rpg, the right person at the right time ;)
Hi optoma,
I'm on Holiday with a REALLY bad connection.... sometimes only last 45 seconds and I'm cut off.
I just want to check the Gmer log that I asked and if I find something then it's all to you guys.
SpiderstaveAuthor Commented:
rpggamergirl - Wow, thanks for helping out on your holiday. Much appreciated!

I ran Gmer per your specifications, and while it was running I left the room for about 30 minutes. When I returned my machine was at the XP logon screen, apparently the system had rebooted. I opened Gmer again, but there was no option to view a log and it doesn't appear that one was created.

Is it expected for the machine to re-boot? Should I try to run another scan?

No problem, :)
Try another scan please.
You need to save the log, and make sure no other programs are running during the scan.
If Gmer hangs, alternatively you can use this tool ,though I prefer to analyze a Gmer log:
[*]Save it to your Desktop
[*]Click ->> Extract all ->> And extract it to your Desktop
[*]Open the File Lister Folder.
[*]Note: Leave the FileLister.vbe file in the folder and run it from there.
[*]Right Click FileLister.vbe ->>Select Open. Then Open to confirm.
[*]When the program is finished it will produce a log for you C:\Files.txt
Copy and paste the contents of that log in your reply.
Would running Gmer in safe mode produce accurate results?

Nice to see you helping out, even though you're on Hol's with a bad connection..
Helpful dedication! ;)
"Would running Gmer in safe mode produce accurate results"?

Not really because rootkits that are not active in safe mode will not be detected.

"Nice to see you helping out, even though you're on Hol's with a bad connection.".
I guess EE is too addictive lol.... and it's a pleasure IF I can be of some help, :)
Ah, I thought that once a .sys file is modified, it wouldn't matter.

I'd be the same with EE on Hols, although would probably get an ear bashing for doing so!

Anyway, have a nice break!
SpiderstaveAuthor Commented:
Just an update, running another full scan of Gmer. Was having problems last night, for some reason my CPU kept spiking. Ran Malwarebytes again and it removed 1 infection, and the system is running better now. Re-running the scan, it's just taking forever to scan my hard drive :P Too many files.
All you can do is let it roll!
When it completes can you post Mbam's logfile as well
If Gmer hangs or has problems scanning, you can uncheck one of the Options - uncheck the "Files" box and it usually fixes scan issues.
SpiderstaveAuthor Commented:
rpggamergirl - Thanks for letting me know! I'd been trying to run Gmer scans all day yesterday, but it kept locking up half way through the "Files" scan. Below is my Gmer log with "Files" unchecked, as well as the other parameters you listed.

Gmer Log:

GMER - http://www.gmer.net
Rootkit scan 2010-04-13 09:53:50
Windows 5.1.2600 Service Pack 3
Running: 9eqd9ogk.exe; Driver: C:\DOCUME~1\Luke\LOCALS~1\Temp\ufldapoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys                                                                                                                                               section is writeable [0xB76CC360, 0x32E00D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\Explorer.EXE[772] ntdll.dll!NtProtectVirtualMemory                                                                                                                          7C90D6D0 5 Bytes  JMP 00B6000A
.text           C:\WINDOWS\Explorer.EXE[772] ntdll.dll!NtWriteVirtualMemory                                                                                                                            7C90DF90 5 Bytes  JMP 00C0000A
.text           C:\WINDOWS\Explorer.EXE[772] ntdll.dll!KiUserExceptionDispatcher                                                                                                                       7C90E45C 5 Bytes  JMP 00B5000C
.text           C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtProtectVirtualMemory                                                                                                                 7C90D6D0 5 Bytes  JMP 0099000A
.text           C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!NtWriteVirtualMemory                                                                                                                   7C90DF90 5 Bytes  JMP 009A000A
.text           C:\WINDOWS\System32\svchost.exe[1168] ntdll.dll!KiUserExceptionDispatcher                                                                                                              7C90E45C 5 Bytes  JMP 0098000C
.text           C:\WINDOWS\system32\SearchIndexer.exe[3444] kernel32.dll!WriteFile                                                                                                                     7C810E17 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text           C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!NtProtectVirtualMemory                                                                                                                 7C90D6D0 5 Bytes  JMP 0099000A
.text           C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!NtWriteVirtualMemory                                                                                                                   7C90DF90 5 Bytes  JMP 009A000A
.text           C:\WINDOWS\system32\wuauclt.exe[3484] ntdll.dll!KiUserExceptionDispatcher                                                                                                              7C90E45C 5 Bytes  JMP 0098000C

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                                                 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                                                                 mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                                                               avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                                                              avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                                                 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                                                 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                                                                 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                                                                 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                                                                 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                                                                 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                                                                 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                                                                 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                                                                 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                                                              avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                                                            avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Classes\.bcp\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.cc\PersistentHandler@                                                                                                                                           {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.cod\PersistentHandler@                                                                                                                                          {098f2470-bae0-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.dsp\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.dsw\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.i\PersistentHandler@                                                                                                                                            {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.inl\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.lst\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.mak\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.map\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.mk\PersistentHandler@                                                                                                                                           {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.odh\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.odl\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.pps\PersistentHandler@                                                                                                                                          {98de59a0-d175-11cd-a7bd-00006b827d94}
Reg             HKLM\SOFTWARE\Classes\.prc\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.rc2\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.rct\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.rgs\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.rtf\PersistentHandler@                                                                                                                                          {2e2294a9-50d7-4fe7-a09f-e6492e185884}
Reg             HKLM\SOFTWARE\Classes\.s\PersistentHandler@                                                                                                                                            {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.tlh\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.tli\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.trg\PersistentHandler@                                                                                                                                          {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.user\PersistentHandler@                                                                                                                                         {eec97550-47a9-11cf-b952-00aa0051fe20}
Reg             HKLM\SOFTWARE\Classes\.vcproj\PersistentHandler@                                                                                                                                       {eec97550-47a9-11cf-b952-00aa0051fe20}
Reg             HKLM\SOFTWARE\Classes\.vspscc\PersistentHandler@                                                                                                                                       {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.vsscc\PersistentHandler@                                                                                                                                        {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.vssscc\PersistentHandler@                                                                                                                                       {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg             HKLM\SOFTWARE\Classes\.xsd\PersistentHandler@                                                                                                                                          {7E9D8D44-6926-426F-AA2B-217A819A5CCE}
Reg             HKLM\SOFTWARE\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}@SE4K5INHHR1EDZYY15BVZC6TKG1              0x01 0x00 0x01 0x00 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{18D6E519-4C27-E4AD-074C5D1F171B40FB}\{8D7A772B-93EE-6905-4C751BA1B544AFC9}\{7029C73E-0020-BA9C-F3FADF03D99AF0E6}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1  0x01 0x00 0x01 0x00 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{551E7168-6B6B-73F4-2358001EBB1BFA13}\{9EB39097-9AF5-4CC7-A66D04881D6D8211}\{B54D5FC9-25C8-0FB7-F96BD94B39BD18AF}                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{551E7168-6B6B-73F4-2358001EBB1BFA13}\{9EB39097-9AF5-4CC7-A66D04881D6D8211}\{B54D5FC9-25C8-0FB7-F96BD94B39BD18AF}@SE4K5INHHR1EDZYY15BVZC6TKG1              0x01 0x00 0x01 0x00 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1  0x01 0x00 0x01 0x00 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{B3A3A58F-967E-A40A-C7DDFB524B0CDFB3}\{B28E8422-363F-1C4B-CC056478281B7FCE}\{569EFB20-10B3-C9F5-895B6A19B8852344}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1  0x01 0x00 0x01 0x00 ...
Reg             HKLM\SOFTWARE\Classes\CLSID\{FCCB8240-DCE2-E75D-AC14FD41A6B697E0}\{CCBBBFAF-D782-4243-9A223EC5C9E9D74B}\{381F6F0A-6948-72AB-150979187EC28E60}                                          
Reg             HKLM\SOFTWARE\Classes\CLSID\{FCCB8240-DCE2-E75D-AC14FD41A6B697E0}\{CCBBBFAF-D782-4243-9A223EC5C9E9D74B}\{381F6F0A-6948-72AB-150979187EC28E60}@SE4K5INHHR1EDZYY15BVZC6TKG1              0x01 0x00 0x01 0x00 ...
Reg             HKLM\SOFTWARE\Classes\mapi\Shell@                                                                                                                                                      
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}                                                                        
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}@iaeafppahhfgcgdcbk                                                     0x6A 0x61 0x68 0x66 ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B3AF4199-5D70-2237-8DE0-AEE4945063FE}@hakahegjljkhamag                                                       0x6A 0x61 0x6A 0x66 ...

---- EOF - GMER 1.0.15 ----
Spiderstave (Author) Commented:
Oh, and one other question, or I can create a new question if that's better. If my old XP drive is mounted as a slave drive to my Windows 7 install, do I have to worry about the rootkit trojan infecting Windows 7?
optoma Commented:
Yeah, you can close it and accept your own comment as solution.
If you want you can accept assisted solutions as well, but it doesn't really matter!

You should be ok if just copying your data.
To be on the safe side though, when the drive is slaved, run a scan on it with an Anti-Virus product.

If you're sticking with a free AV, I tend to go for Avast free.

Or if you are considering a paid AV, Eset Nod32 > can't find 30 trial for Win 7 though!
rpggamergirl Commented:
"do I have to worry about the rootkit trojan infecting Windows 7?"
It should be okay; it's when you open or execute files that infection spreads. Just scan those files after you transferred them if you don't scan the slaved drive.

There are many ways to close a question: you can have your question deleted, accept your own comment as Solution, etc. You don't have to award points; it's all up to you.

How do I close a question?