
Active Redirect Virus on Windows 7 Machine

Discussion in 'Malware and Virus Removal Archive' started by gsmith7712, 2010/01/09.

  1. 2010/01/09
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    [Active] Redirect Virus on Windows 7 Machine

    Here are the results of the scans. Thanks for your help!

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Owner at 17:38:56.60 on Fri 01/08/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2812.1258 [GMT -8:00]


    ============== Running Processes ===============

    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\system32\atiesrxx.exe
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\atieclxx.exe
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\TECO\TecoService.exe
    C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\windows\system32\SearchIndexer.exe
    C:\windows\system32\taskhost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\windows\System32\rundll32.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\TECO\TEco.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\windows\System32\svchost.exe -k LocalServicePeerNet
    C:\windows\system32\taskeng.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
    C:\Users\Owner\AppData\Roaming\Juniper Networks\Setup Client\JuniperSetupClient.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\windows\system32\svchost.exe -k SDRSVC
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\DAP\DAP.EXE
    C:\windows\system32\wbem\wmiprvse.exe
    C:\windows\system32\SearchProtocolHost.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\windows\system32\DllHost.exe
    C:\windows\system32\DllHost.exe
    C:\Users\Owner\Downloads\dds.scr
    C:\windows\system32\conhost.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    BHO: MRI_DISABLED - No File
    BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
    TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
    uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
    mRun: [TPwrMain] "%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE "
    mRun: [SmoothView] "%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe "
    mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
    mRun: [<NO NAME>]
    mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
    IE: &Download with &DAP - c:\program files\dap\dapextie.htm
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} - hxxp://genell.gene.com/support/webedit/lledit.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll
    AppInit_DLLs: acaptuser32.dll c:\progra~1\google\google~1\GO36F4~1.DLL
    mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\ecaq50ry.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
    FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
    FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\owner\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071505000011.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-12-18 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-12-18 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-12-18 482432]
    R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100106.001\IDSvix86.sys [2010-1-8 343088]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-9-22 176128]
    R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
    R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-12-18 117640]
    R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-8-11 185712]
    R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-19 12920]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-18 102448]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2009-9-22 7680]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-12-31 189440]
    R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0305020.00b\symndisv.sys [2009-12-18 48688]
    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-9-17 111960]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-12-31 30192]
    S3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-9-22 51512]
    S3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-8-6 685424]

    =============== Created Last 30 ================

    2010-01-09 01:27:58 0 d-----w- c:\users\owner\appdata\roaming\Uniblue
    2010-01-09 00:37:12 0 d-----w- c:\users\owner\dwhelper
    2010-01-05 01:34:33 0 d-----w- c:\program files\Desktop Defender 2010
    2010-01-03 19:27:20 0 d-----r- c:\program files\Norton Support
    2010-01-03 12:05:52 1114112 ----a-w- c:\windows\system32\AVR10.exe
    2010-01-02 23:21:53 73216 ----a-w- c:\windows\system32\RTEEL32A.dll
    2010-01-02 23:21:53 59392 ----a-w- c:\windows\system32\RTEEG32A.dll
    2010-01-02 23:21:53 551456 ----a-w- c:\windows\system32\RTSndMgr.cpl
    2010-01-02 23:21:53 53280 ----a-w- c:\windows\system32\RtkCoInst.dll
    2010-01-02 23:21:53 347648 ----a-w- c:\windows\system32\RTEEP32A.dll
    2010-01-02 23:21:53 338464 ----a-w- c:\windows\system32\RtkApoApi.dll
    2010-01-02 23:21:53 2965536 ----a-w- c:\windows\system32\RtkAPO.dll
    2010-01-02 23:21:53 2760224 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
    2010-01-02 23:21:53 164864 ----a-w- c:\windows\system32\RTEED32A.dll
    2010-01-02 23:21:53 1292832 ----a-w- c:\windows\system32\RtkPgExt.dll
    2010-01-02 23:21:52 266752 ----a-w- c:\windows\system32\FMAPO.dll
    2009-12-31 19:15:08 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
    2009-12-31 19:15:08 189440 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
    2009-12-31 19:05:50 0 d-----w- c:\users\owner\appdata\roaming\DriverCure
    2009-12-31 19:05:25 0 d-----w- c:\programdata\ParetoLogic
    2009-12-31 19:05:25 0 d-----w- c:\programdata\DriverCure
    2009-12-31 19:05:25 0 d-----w- c:\program files\ParetoLogic
    2009-12-31 19:05:25 0 d-----w- c:\program files\common files\ParetoLogic
    2009-12-31 18:43:31 0 d-----w- c:\windows\pss
    2009-12-30 22:11:17 0 d-----w- c:\program files\common files\xing shared
    2009-12-30 22:10:58 0 d-----w- c:\programdata\Real
    2009-12-30 22:10:58 0 d-----w- c:\program files\common files\Real
    2009-12-30 03:41:13 0 d-----w- c:\program files\Microsoft Visual Studio 8
    2009-12-30 01:43:59 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
    2009-12-30 01:43:58 46928 ----a-r- c:\windows\system32\AdobePDF.dll
    2009-12-30 01:12:57 111992 ----a-w- c:\windows\system32\acaptuser32.dll
    2009-12-30 01:03:57 0 d-----w- c:\program files\common files\Macrovision Shared
    2009-12-30 00:44:08 944797 ----a-w- c:\users\owner\Microsoft office 7.exe
    2009-12-30 00:35:45 0 d-----w- c:\users\owner\Adobe_GS
    2009-12-29 02:06:51 0 d-----w- c:\program files\Belarc
    2009-12-27 19:30:40 74752 --sha-w- c:\users\owner\Thumbs.db
    2009-12-27 19:01:30 70546 ----a-w- c:\users\owner\Vineyard1.JPG
    2009-12-27 19:01:30 64252 ----a-w- c:\users\owner\Vineyard2.JPG
    2009-12-27 19:01:29 70697 ----a-w- c:\users\owner\Vineyard3.JPG
    2009-12-27 19:01:29 15605 ----a-w- c:\users\owner\plonkerplans.jpg
    2009-12-26 22:57:59 0 d-----w- c:\windows\system32\N360_BACKUP
    2009-12-26 22:44:34 0 d-sh--w- c:\windows\BitLockerDiscoveryVolumeContents
    2009-12-26 22:44:34 0 d-----w- c:\windows\RemotePackages
    2009-12-26 22:43:29 51867 ----a-w- c:\windows\Ultimate.xml
    2009-12-26 22:12:44 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
    2009-12-26 21:18:30 0 d-----w- c:\programdata\FLEXnet
    2009-12-26 20:24:25 0 d-----w- c:\program files\Keygen
    2009-12-26 20:17:27 0 d---a-w- c:\programdata\TEMP
    2009-12-26 20:17:21 0 d-----w- c:\programdata\SpeedBit
    2009-12-26 20:17:18 50688 ----a-w- c:\windows\system32\wbhelp2.dll
    2009-12-26 20:17:18 479298 ----a-w- c:\windows\system32\wbocx.ocx
    2009-12-26 20:17:18 172032 ----a-w- c:\windows\system32\AniGIF.ocx
    2009-12-26 20:17:17 0 d-----w- c:\program files\DAP
    2009-12-24 03:35:33 0 d-----w- c:\program files\VideoLAN
    2009-12-24 01:36:31 0 d-----w- c:\users\owner\appdata\roaming\AVS4YOU
    2009-12-24 01:36:29 0 d-----w- c:\programdata\AVS4YOU
    2009-12-24 01:35:41 0 d-----w- c:\program files\common files\AVSMedia
    2009-12-24 01:35:38 974848 ----a-w- c:\windows\system32\mfc70.dll
    2009-12-24 01:35:38 487424 ----a-w- c:\windows\system32\msvcp70.dll
    2009-12-24 01:35:38 344064 ----a-w- c:\windows\system32\msvcr70.dll
    2009-12-24 01:35:37 24576 ----a-w- c:\windows\system32\msxml3a.dll
    2009-12-24 01:35:37 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
    2009-12-24 01:35:37 0 d-----w- c:\program files\AVS4YOU
    2009-12-24 01:25:03 178176 ----a-w- c:\windows\system32\unrar.dll
    2009-12-24 01:25:02 38 ----a-w- c:\windows\avisplitter.ini
    2009-12-24 01:25:01 839680 ----a-w- c:\windows\system32\lameACM.acm
    2009-12-24 01:25:01 414 ----a-w- c:\windows\system32\lame_acm.xml
    2009-12-24 01:25:01 217088 ----a-w- c:\windows\system32\yv12vfw.dll
    2009-12-24 01:25:01 118784 ----a-w- c:\windows\system32\ac3acm.acm
    2009-12-24 01:25:00 881664 ----a-w- c:\windows\system32\xvidcore.dll
    2009-12-24 01:25:00 205824 ----a-w- c:\windows\system32\xvidvfw.dll
    2009-12-24 01:24:59 90112 ----a-w- c:\windows\system32\dpl100.dll
    2009-12-24 01:24:59 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
    2009-12-24 01:24:57 685056 ----a-w- c:\windows\system32\divx.dll
    2009-12-24 01:24:55 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2009-12-24 01:24:55 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
    2009-12-24 01:24:52 0 d-----w- c:\program files\K-Lite Codec Pack
    2009-12-20 18:03:14 0 d-----w- c:\program files\Free Offers from Freeze.com
    2009-12-20 01:12:52 0 d-----w- c:\program files\Audible
    2009-12-20 00:55:24 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-12-20 00:55:24 0 d-----w- c:\program files\iTunes
    2009-12-20 00:55:24 0 d-----w- c:\program files\iPod
    2009-12-20 00:54:39 0 d-----w- c:\program files\Bonjour
    2009-12-20 00:54:11 0 d-----w- c:\programdata\Apple Computer
    2009-12-20 00:53:10 0 d-----w- c:\programdata\Apple
    2009-12-19 16:47:31 0 d-----w- c:\users\owner\appdata\roaming\BitTorrent
    2009-12-19 16:47:19 0 d-----w- c:\program files\BitTorrent
    2009-12-19 05:57:36 0 d-----w- c:\programdata\Symantec
    2009-12-18 23:56:59 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-12-18 23:56:59 107368 ----a-r- c:\windows\system32\GEARAspi.dll
    2009-12-18 23:56:56 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
    2009-12-18 23:56:54 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-12-18 23:56:54 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-12-18 23:56:54 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-12-18 23:56:54 0 d-----w- c:\program files\Symantec
    2009-12-18 23:56:54 0 d-----w- c:\program files\common files\Symantec Shared
    2009-12-18 23:56:24 0 d-----w- c:\windows\system32\drivers\N360
    2009-12-18 23:56:23 0 d-----w- c:\program files\Norton 360
    2009-12-18 23:55:37 0 d-----w- c:\program files\NortonInstaller
    2009-12-18 23:45:36 0 d-----w- c:\programdata\Symantec Temporary Files
    2009-12-18 23:08:54 257024 ----a-w- c:\windows\system32\msv1_0.dll
    2009-12-18 23:08:23 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-12-18 23:06:55 0 d-----w- c:\program files\MSXML 4.0
    2009-12-18 22:01:13 376 ----a-w- c:\windows\ODBC.INI
    2009-12-18 20:59:20 0 --sha-w- C:\ProgramData.LOG2
    2009-12-18 20:59:20 0 --sha-w- C:\ProgramData.LOG1
    2009-12-18 20:48:06 398632 ----a-w- c:\windows\system32\dsNcSmartCardProv.dll
    2009-12-18 20:48:06 345384 ----a-w- c:\windows\system32\dsNcCredProv.dll
    2009-12-18 20:47:59 34816 ----a-w- c:\windows\system32\msasn1.dll
    2009-12-18 20:47:50 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2009-12-18 20:47:50 2613248 ----a-w- c:\windows\explorer.exe
    2009-12-18 20:47:50 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
    2009-12-18 20:47:49 507568 ----a-w- c:\windows\system32\winload.exe
    2009-12-18 20:47:48 71168 ----a-w- c:\windows\system32\fontsub.dll
    2009-12-18 20:47:48 108544 ----a-w- c:\windows\system32\t2embed.dll
    2009-12-18 20:47:47 442920 ----a-w- c:\windows\system32\winresume.exe
    2009-12-18 20:47:47 293888 ----a-w- c:\windows\system32\atmfd.dll
    2009-12-18 20:47:46 12625408 ----a-w- c:\windows\system32\wmploc.DLL
    2009-12-18 20:47:11 0 d-----w- c:\program files\Juniper Networks
    2009-12-18 20:46:21 0 d-----w- c:\users\owner\appdata\roaming\Juniper Networks

    ==================== Find3M ====================

    2009-12-30 22:11:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2009-12-30 22:11:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2009-11-19 21:39:09 13 --sh--r- c:\windows\system32\drivers\fbd.sys
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 17:39:52.74 ===============

    Attach

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/19/2009 1:37:56 PM
    System Uptime: 1/8/2010 11:33:17 AM (6 hours ago)

    Motherboard: TOSHIBA | | Portable PC
    Processor: AMD Athlon(tm) II Dual-Core M300 | Socket S1G3 | 2000/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 289 GiB total, 251.191 GiB free.
    D: is CDROM ()
    E: is FIXED (FAT32) - 112 GiB total, 17.316 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP18: 12/30/2009 9:35:33 AM - Configured TOSHIBA HDD/SSD Alert
    RP19: 12/30/2009 2:43:56 PM - Windows Modules Installer
    RP21: 12/31/2009 11:13:24 AM - Realtek Realtek PCIe FE Family Controller
    RP22: 1/2/2010 2:51:32 PM - 1-Click-Optimizer
    RP23: 1/2/2010 2:54:05 PM - SpeedOptimizer - Networking optimization
    RP25: 1/2/2010 3:21:16 PM - Realtek Realtek High Definition Audio
    RP27: 1/2/2010 3:45:40 PM - 7-ZIP 7-Zip 4.57
    RP28: 1/4/2010 5:33:44 PM - Last good restore point
    RP29: 1/4/2010 5:34:00 PM - Last good restore point

    ==== Installed Programs ======================

    7-Zip 4.65
    Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
    Adobe Acrobat 9.2.0 - CPSID_50026
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Presenter 7
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Install Manager
    Audible Download Manager
    AVS Update Manager 1.0
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.3
    Belarc Advisor 8.1
    BitTorrent
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Compatibility Pack for the 2007 Office system
    Desktop Defender 2010
    Download Accelerator Plus (DAP)
    Google Chrome
    Google Desktop
    iTunes
    Java(TM) 6 Update 14
    Juniper Networks Network Connect 6.4.0
    Juniper Networks Setup Client
    Juniper Networks Setup Client Activex Control
    Junk Mail filter update
    K-Lite Mega Codec Pack 5.5.1
    Label@Once 1.0
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Move Media Player
    Mozilla Firefox (3.5.6)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 and SOAP Toolkit 3.0
    MyToshiba
    NetZero Launcher
    Norton 360
    ParetoLogic DriverCure
    PlayReady PC Runtime x86
    Quickbooks Financial Center
    QuickTime
    Realtek Ethernet Controller Driver For Windows Vista and Later
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Realtek WLAN Driver
    Skype Launcher
    SnagIt 7
    Synaptics Pointing Device Driver
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA eco Utility
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA HDD/SSD Alert
    Toshiba Online Backup
    TOSHIBA PC Health Monitor
    TOSHIBA Recovery Media Creator
    TOSHIBA Service Station
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Value Added Package
    ToshibaRegistration
    VLC media player 0.9.2
    WildTangent Games
    Windows 7 Upgrade Advisor
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer

    ==== Event Viewer Messages From Past Week ========

    1/8/2010 7:44:32 AM, Error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 192.168.1.66. The computer with the IP address 192.168.1.65 did not allow the name to be claimed by this computer.
    1/8/2010 7:14:20 AM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 107.
    1/8/2010 7:14:20 AM, Error: Schannel [36874] - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    1/8/2010 7:00:27 AM, Error: Schannel [36887] - The following fatal alert was received: 20.
    1/8/2010 5:14:44 AM, Error: Schannel [36887] - The following fatal alert was received: 40.
    1/8/2010 5:06:43 AM, Error: Schannel [36888] - The following fatal alert was generated: 10. The internal error state is 10.
    1/8/2010 11:35:20 AM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    1/8/2010 11:34:13 AM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
    1/8/2010 11:34:13 AM, Error: atikmdag [43029] - Display is not active
    1/5/2010 7:18:08 PM, Error: Schannel [36887] - The following fatal alert was received: 50.
    1/3/2010 4:06:05 AM, Error: Service Control Manager [7000] - The 1394 OHCI Compliant Host Controller service failed to start due to the following error: A device attached to the system is not functioning.
    1/3/2010 12:45:01 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume TI103426W0D.

    ==== End Of File ===========================
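The DDS output above is plain text with fixed section headers and line formats, so the first pass over it can be done mechanically. The script below is an added example, not part of the thread and not a DDS or WindowsBBS tool. It parses the Pseudo HJT Report, Created Last 30 and Find3M sections and flags the entries an analyst would check first: Run values with no command or pointing at a loose executable in system32, BHO/toolbar registrations with "No File" behind them, and .sys files far too small to be a driver image. SAMPLE_LOG is a constructed excerpt of the posted log; MIN_DRIVER_BYTES and the severity labels are assumptions, and a flag means "verify publisher, signature and hash", not "malicious".

```python
"""Triage a DDS log of the kind posted above.

Added example, not part of the thread and not a DDS or WindowsBBS tool.
It parses the Pseudo HJT Report, Created Last 30 and Find3M sections and
flags entries an analyst would verify first. SAMPLE_LOG is a constructed
excerpt of the posted log; MIN_DRIVER_BYTES and the severity labels are
assumptions, and a flag means "verify", not "malicious".
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: MRI_DISABLED - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [TPwrMain] "%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE "
mRun: [<NO NAME>]
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe

=============== Created Last 30 ================

2010-01-03 12:05:52 1114112 ----a-w- c:\windows\system32\AVR10.exe
2010-01-02 23:21:53 2760224 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2009-12-30 01:12:57 111992 ----a-w- c:\windows\system32\acaptuser32.dll

==================== Find3M ====================

2009-11-19 21:39:09 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini

============= FINISH: 17:39:52.74 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([um])Run:\s*\[(.*?)\]\s*(.*)$")      # uRun = HKCU, mRun = HKLM
ADDIN_RE = re.compile(r"^(BHO|TB):\s*(.*)$")                  # IE helper objects / toolbars
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
SYSTEM32_LOOSE = re.compile(r"^(?:c:\\windows|%systemroot%|%windir%)\\system32\\[^\\]+$", re.I)
MIN_DRIVER_BYTES = 1024  # assumed floor: a real PE driver image is far larger than this


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low"
    entry: str      # the log line that triggered the finding
    reason: str


def parse_sections(text):
    """Split the log into {section title: [non-empty lines]} on the === headers."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def target_path(command):
    """Return just the executable path of an autorun command (quotes and arguments removed)."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).strip()
    m = re.match(r"(.+?\.(?:exe|dll|scr|cmd|bat))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def triage(text):
    """Apply the heuristics and return findings in log order."""
    sections = parse_sections(text)
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if m:
            scope, name, command = m.groups()
            hive = "HKCU" if scope == "u" else "HKLM"
            path = target_path(command)
            if not path:
                findings.append(Finding("low", line, f"{hive} Run value '{name}' has no command (orphaned or cleared)"))
            elif SYSTEM32_LOOSE.match(path):
                findings.append(Finding("high", line, f"{hive} Run value launches a loose executable in system32: verify publisher and signature"))
            continue
        m = ADDIN_RE.match(line)
        if m and m.group(2).rsplit(" - ", 1)[-1].strip().lower() == "no file":
            findings.append(Finding("low", line, f"{m.group(1)} registration with no file behind it: cleanup candidate"))
    for section in ("Created Last 30", "Find3M"):
        for line in sections.get(section, []):
            m = FILE_RE.match(line)
            if not m:
                continue
            _when, size, attrs, path = m.groups()
            size, low = int(size), path.lower()
            if low.endswith(".sys") and size < MIN_DRIVER_BYTES:
                findings.append(Finding("high", line, f"{size}-byte .sys cannot be a valid driver image: marker or decoy file"))
            elif "s" in attrs and "h" in attrs and "\\windows\\system32\\" in low:
                findings.append(Finding("medium", line, "hidden+system attributes on a file under system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry}\n         {f.reason}")
```

Run against the full posted log, the same rules would flag the `mRun: [winupdate86.exe]` entry, the empty `mRun: [<NO NAME>]` value, the three "No File" BHO/TB registrations and the 13-byte `fbd.sys` in the Find3M section. The heuristics are deliberately structural (where a file lives, how big it is, whether a registration resolves) rather than name-based, so they carry over to other logs without a signature list.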
     
  2. 2010/01/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What browser is getting redirected?
     


  4. 2010/01/09
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    Both IE and Firefox
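A redirect that shows up in both IE and Firefox points at something shared by every browser on the machine rather than at a browser add-in, and the hosts file (%SystemRoot%\System32\drivers\etc\hosts) is the cheapest of those to rule out. The script below is an added example, not from the thread: it parses a hosts file and reports names mapped to a public address (which silently redirects every application) and security or update hosts pinned to loopback. SAMPLE_HOSTS is constructed from the comment block Windows 7 ships by default plus injected lines using the RFC 5737 documentation range 192.0.2.0/24; the UPDATE_HINTS word list is an assumption.

```python
"""Check a Windows hosts file for redirect entries.

Added example, not from the thread. SAMPLE_HOSTS is constructed: the comment
block Windows 7 ships by default plus injected lines that use the RFC 5737
documentation range 192.0.2.0/24. UPDATE_HINTS is an assumed word list.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
192.0.2.10    www.google.com google.com       # constructed: search redirect
192.0.2.10    www.bing.com search.yahoo.com   # constructed: search redirect
127.0.0.1     liveupdate.example-av.test      # constructed: blocks an AV update host
"""

# Name fragments that suggest a security or update host; pinning these to
# loopback is a common way malware keeps itself from being updated away.
UPDATE_HINTS = ("update", "download", "norton", "symantec", "malwarebytes", "superantispyware")


def parse_hosts(text):
    """Return [(ip_address, hostname)] for every active mapping; comments and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                                  # not an address; ignore the line
        entries.extend((addr, name.lower()) for name in parts[1:])
    return entries


def redirected_names(entries):
    """Hostnames that resolve to something other than the local machine.

    A clean hosts file almost only maps names to loopback or 0.0.0.0; a public
    address here redirects every application on the box, which is exactly the
    'every browser is redirected' symptom."""
    return [(name, str(addr)) for addr, name in entries
            if not (addr.is_loopback or addr.is_unspecified)]


def blackholed_update_hosts(entries):
    """Names pinned to loopback whose label looks like a security or update host."""
    return [name for addr, name in entries
            if (addr.is_loopback or addr.is_unspecified)
            and any(hint in name for hint in UPDATE_HINTS)]


def check_hosts(text):
    """Summarise both checks for one hosts file; an empty dict means nothing to look at."""
    entries = parse_hosts(text)
    report = {}
    redirected = redirected_names(entries)
    if redirected:
        report["redirected"] = redirected
    blocked = blackholed_update_hosts(entries)
    if blocked:
        report["update_hosts_blocked"] = blocked
    return report


if __name__ == "__main__":
    for key, value in check_hosts(SAMPLE_HOSTS).items():
        print(key, value)
```

To use it on a real machine, read the hosts file into a string and pass it to `check_hosts`. A clean Windows 7 hosts file returns an empty report because every active mapping it ships with is commented out. If the hosts file is clean, the remaining shared vectors are the DNS servers configured on the adapter, a system-wide proxy, and a kernel-level filter driver, which is where the DDS services list becomes relevant.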
     
  5. 2010/01/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print these instructions out.

    NOTE: If any of the programs listed below refuses to run, try renaming its executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart the computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode. You'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/01/10
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    Below are the logs from the above scans:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/09/2010 at 12:58 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4462
    Trace Rules Database Version: 2283

    Scan type : Quick Scan
    Total Scan Time : 00:20:29

    Memory items scanned : 358
    Memory threats detected : 0
    Registry items scanned : 622
    Registry threats detected : 1
    File items scanned : 58501
    File threats detected : 1

    Trojan.Agent/Gen
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#winupdate86.exe [ C:\windows\system32\winupdate86.exe ]

    Trojan.Dropper/SVCHost-Fake
    C:\WINDOWS\TEMP\YHHA.TMP\SVCHOST.EXE

    -----

    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    1/9/2010 2:16:38 PM
    mbam-log-2010-01-09 (14-16-38).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 218346
    Time elapsed: 54 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\AVR10.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OLOY14IT\SetupIS2010[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    ---

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-01-10 10:08:37
    Windows 6.1.7600
    Running: upl0gnxj.exe; Driver: C:\Users\Owner\AppData\Local\Temp\pgrcapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 86F8A0B0 ZwAlertResumeThread
    SSDT 86F84498 ZwAlertThread
    SSDT 86FD8130 ZwAllocateVirtualMemory
    SSDT 86E359A8 ZwAlpcConnectPort
    SSDT 86FBAD40 ZwAssignProcessToJobObject
    SSDT 86FDF6B8 ZwCreateMutant
    SSDT 86FE4CF8 ZwCreateSymbolicLinkObject
    SSDT 86FC40C0 ZwCreateThread
    SSDT 86FE31D0 ZwCreateThreadEx
    SSDT 86FAF620 ZwDebugActiveProcess
    SSDT 86FD8348 ZwDuplicateObject
    SSDT 86FD9A50 ZwFreeVirtualMemory
    SSDT 86F92048 ZwImpersonateAnonymousToken
    SSDT 86F8B3D8 ZwImpersonateThread
    SSDT 86E145E0 ZwLoadDriver
    SSDT 86FD98F0 ZwMapViewOfSection
    SSDT 86FA44B0 ZwOpenEvent
    SSDT 86FD85E8 ZwOpenProcess
    SSDT 86D64068 ZwOpenProcessToken
    SSDT 86FAD048 ZwOpenSection
    SSDT 86FD8498 ZwOpenThread
    SSDT 86FE39B0 ZwProtectVirtualMemory
    SSDT 86F6D8A0 ZwResumeThread
    SSDT 86F81D98 ZwSetContextThread
    SSDT 86FD9658 ZwSetInformationProcess
    SSDT 86FADCD0 ZwSetSystemInformation
    SSDT 86FA8048 ZwSuspendProcess
    SSDT 86F824E8 ZwSuspendThread
    SSDT 86F6FD80 ZwTerminateProcess
    SSDT 86F817B0 ZwTerminateThread
    SSDT 86F52218 ZwUnmapViewOfSection
    SSDT 86FD9D60 ZwWriteVirtualMemory

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83447AF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83447104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 834473F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 834302D8
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342F898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 834471DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83447958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 834476F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83447F2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 834481A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83060579 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83084F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!RtlSidHashLookup + 224 8308C724 8 Bytes [B0, A0, F8, 86, 98, 44, F8, ...]
    .text ntkrnlpa.exe!RtlSidHashLookup + 23C 8308C73C 4 Bytes [30, 81, FD, 86]
    .text ntkrnlpa.exe!RtlSidHashLookup + 248 8308C748 4 Bytes [A8, 59, E3, 86] {TEST AL, 0x59; JECXZ 0xffffffffffffff8a}
    .text ntkrnlpa.exe!RtlSidHashLookup + 29C 8308C79C 4 Bytes [40, AD, FB, 86]
    .text ntkrnlpa.exe!RtlSidHashLookup + 318 8308C818 4 Bytes [B8, F6, FD, 86]
    .text ...
    .text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8AF22000, 0x3C849, 0xE8000020]
    .dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8AF67000, 0x3DC, 0x48000040]
    .text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9401F000, 0x2D5526, 0xE8000020]
    .text peauth.sys 9C22BC9D 28 Bytes [5E, 2A, 2A, 4A, 9F, 2B, B8, ...]
    .text peauth.sys 9C22BCC1 28 Bytes [5E, 2A, 2A, 4A, 9F, 2B, B8, ...]
    PAGE peauth.sys 9C231E20 101 Bytes [66, 83, 8D, EC, D5, 98, 19, ...]
    PAGE peauth.sys 9C23202C 102 Bytes [01, F7, 55, F3, E7, 94, D4, ...]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\DAP\DAP.exe[3020] @ C:\windows\system32\ole32.dll [USER32.dll!LoadCursorW] 00A2C7B0
    IAT C:\Program Files\DAP\DAP.exe[3020] @ C:\windows\system32\ole32.dll [USER32.dll!LoadIconW] 00A2C810
    IAT C:\Program Files\DAP\DAP.exe[3020] @ C:\windows\system32\ole32.dll [USER32.dll!CreateDialogParamW] 00A2CA00
    IAT C:\Program Files\DAP\DAP.exe[3020] @ C:\windows\system32\ole32.dll [USER32.dll!DialogBoxParamW] 00A2CAA0
    IAT C:\Program Files\DAP\DAP.exe[3020] @ C:\windows\system32\ole32.dll [KERNEL32.dll!GlobalLock] 00A2C1B0
    IAT C:\Program Files\DAP\DAP.exe[3020] @ C:\windows\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 00A2C170
    IAT C:\Program Files\DAP\DAP.exe[3020] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 00A299A0
    IAT C:\Program Files\DAP\DAP.exe[3020] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 00A29920
    IAT C:\Program Files\DAP\DAP.exe[3020] @ C:\windows\system32\ole32.dll [KERNEL32.dll!GetVersion] 00A2C540
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [73C5250F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73C52494] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73C35624] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73C356E2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73C48573] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73C44D27] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73C450CE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73C451A3] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73C466D0] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73C482CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73C48819] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73C4907A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73C4E21D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[3460] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73C44C59] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 86766841

    ---- Files - GMER 1.0.15 ----

    File C:\windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    ---

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:12:19 AM, on 1/10/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\windows\system32\taskhost.exe
    C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
    C:\windows\system32\Dwm.exe
    C:\windows\system32\taskeng.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
    C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
    C:\Program Files\TOSHIBA\TECO\TEco.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\DAP\DAP.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\windows\system32\taskeng.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\Users\Owner\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - MRI_DISABLED - (no file)
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.5.2.11\IPSBHO.DLL
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
    O4 - HKLM\..\Run: [TPwrMain] "%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE "
    O4 - HKLM\..\Run: [SmoothView] "%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe "
    O4 - HKLM\..\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
    O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [DriverCure] C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan
    O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O13 - Gopher Prefix:
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    O16 - DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} (Livelink ActiveX Control) - http://genell.gene.com/support/webedit/lledit.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.5.2.11\coIEPlg.dll
    O20 - AppInit_DLLs: acaptuser32.dll C:\PROGRA~1\Google\GOOGLE~1\GO36F4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AMD External Events Utility - AMD - C:\windows\system32\atiesrxx.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
    O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
    O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

    --
    End of file - 9576 bytes
    Note: I still get redirected when using my browser.

    Thanks for your help so far.
     
  7. 2010/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      atapi.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  8. 2010/01/11
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    SystemLook v1.0 by jpshortstuff (10.01.10)
    Log created at 16:45 on 11/01/2010 by Owner (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "atapi.sys "
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
    C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

    -=End Of File=-
     
  9. 2010/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please download The Avenger to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the Avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Code:
    Begin copying here:
    Files to move:
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c 35a3a5be81\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    

    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:

    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also back up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply
     
  10. 2010/01/11
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: could not open file "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c 35a3a5be81\atapi.sys" for move operation
    File move operation "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c 35a3a5be81\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" failed!
    Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
    --> bad path / the parent directory does not exist


    Completed script processing.

    *******************

    Finished! Terminate.
     
  11. 2010/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Grrrr....my script was a little bit off, because of a BBS board glitch.
    Try again with this script:

    Code:
    Begin copying here:
    Files to move:
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
     
  12. 2010/01/12
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File move operation "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
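The two steps above, SystemLook's filefind listing the MD5 of every atapi.sys copy and The Avenger's "Files to move" restoring the drivers\ copy from the DriverStore copy, can be expressed as a small integrity check. The block below is an added example, not code from the thread or from either tool: it builds a constructed directory tree in a temporary folder (the DriverStore and WinSxS folder names are placeholders, and the file contents are made-up bytes, not a real driver), hashes the live copy against the reference copies, and, on a mismatch, restores from the reference after taking a backup, which is the same idea as Avenger's backup.zip. One caveat worth keeping in mind: in this thread all three user-mode hashes matched while GMER still reported a suspicious modification. A rootkit that filters disk reads can hand a clean image to user-mode readers, so a matching hash taken from a running system is not proof of a clean driver; GMER's kernel-level view is the one to trust, and a replacement of an in-use driver on a real system has to happen at boot or offline, as Avenger does, not with a plain file copy.

```python
"""Added example: compare a live driver against its DriverStore / WinSxS
reference copies by hash and restore it from the reference on mismatch.
Everything runs inside a temporary directory; nothing touches a real
Windows installation. Folder names marked PLACEHOLDER are made up.
"""
import hashlib
import os
import shutil
import tempfile

# Relative layout mirroring the three locations SystemLook listed
# (constructed; the hash values are not the ones from the thread).
LIVE = os.path.join("Windows", "System32", "drivers", "atapi.sys")
REFERENCES = [
    os.path.join("Windows", "System32", "DriverStore", "FileRepository",
                 "mshdc.inf_x86_neutral_PLACEHOLDER", "atapi.sys"),
    os.path.join("Windows", "winsxs", "x86_mshdc.inf_PLACEHOLDER", "atapi.sys"),
]


def file_md5(path):
    """MD5 of a file, read in chunks. SystemLook prints MD5, so we match it;
    for anything beyond comparing copies, prefer SHA-256."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def compare_driver_copies(root):
    """Hash the live driver and every reference copy under root and return
    the hashes plus a verdict: 'match', 'mismatch', or
    'reference copies disagree' (the references themselves are suspect)."""
    live = file_md5(os.path.join(root, LIVE))
    refs = {rel: file_md5(os.path.join(root, rel)) for rel in REFERENCES}
    ref_values = set(refs.values())
    if len(ref_values) != 1:
        verdict = "reference copies disagree"
    elif live in ref_values:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"live": live, "references": refs, "verdict": verdict}


def restore_from_reference(root, backup_dir):
    """Back up the live driver, then copy the DriverStore copy over it.
    Mirrors Avenger's 'Files to move' plus its backup; on a real system
    the live driver is in use and must be replaced at boot or offline."""
    live_path = os.path.join(root, LIVE)
    ref_path = os.path.join(root, REFERENCES[0])
    os.makedirs(backup_dir, exist_ok=True)
    shutil.copy2(live_path, os.path.join(backup_dir, "atapi.sys.bak"))
    shutil.copy2(ref_path, live_path)
    return file_md5(live_path)


def build_sample_tree(tampered):
    """Create a temp tree holding a clean reference driver in both reference
    locations and a live copy that is either identical or patched in place
    (constructed data; the same size either way, as with a real patch)."""
    root = tempfile.mkdtemp(prefix="atapi_demo_")
    clean = b"MZ" + bytes(range(256)) * 4  # constructed stand-in for a driver image
    for rel in REFERENCES + [LIVE]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(clean)
    if tampered:
        # Overwrite a few bytes of the live copy only; size and timestamps
        # alone would not reveal this, the hash does.
        with open(os.path.join(root, LIVE), "r+b") as f:
            f.seek(0x200)
            f.write(b"\xE9\x00\x10\x00\x00")
    return root


if __name__ == "__main__":
    root = build_sample_tree(tampered=True)
    print(compare_driver_copies(root)["verdict"])  # mismatch
    restore_from_reference(root, root + "_backup")
    print(compare_driver_copies(root)["verdict"])  # match
```

The verdict "reference copies disagree" is deliberate: when DriverStore and WinSxS do not agree with each other, neither can serve as a trusted source, and the file should be compared against a known-good copy from installation media instead.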
     
  13. 2010/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)
    How is the redirection issue?
     
  14. 2010/01/12
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    Sorry to say it is still redirecting.
     
  15. 2010/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Kenco.exe to your desktop
    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you (it will be saved in the same place as Kenco.exe).
     
  16. 2010/01/12
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    Kenco by jpshortstuff (31.12.09.1)
    Log created at 21:05 on 12/01/2010 (Owner)

    ========== Task Unlocker ==========

    ========== KencoScan ==========
    C:\windows\system32\shacct.dll -> Error setting security information [5]!

    ========== C:\windows\Tasks ==========
    DriverCure.job -> [19:05 31/12/2009] 380 bytes
    GoogleUpdateTaskUserS-1-5-21-884126427-3540133245-3834508182-1000Core.job -> [19:42 19/12/2009] 856 bytes
    GoogleUpdateTaskUserS-1-5-21-884126427-3540133245-3834508182-1000UA.job -> [19:42 19/12/2009] 908 bytes
    ParetoLogic Registration.job -> [19:05 31/12/2009] 442 bytes
    ParetoLogic Update Version2.job -> [19:05 31/12/2009] 416 bytes
    SpeedOptimizer Startup.job -> [21:05 02/01/2010] 234 bytes

    -=E.O.F=-
     
  17. 2010/01/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, re-run GMER and post new log.
     
  18. 2010/01/13
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-01-13 16:40:15
    Windows 6.1.7600
    Running: upl0gnxj.exe; Driver: C:\Users\Owner\AppData\Local\Temp\pgrcapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 86D8FE90 ZwAlertResumeThread
    SSDT 86DC2048 ZwAlertThread
    SSDT 86F40E78 ZwAllocateVirtualMemory
    SSDT 86CC3220 ZwAlpcConnectPort
    SSDT 86E637C8 ZwAssignProcessToJobObject
    SSDT 86F55C00 ZwCreateMutant
    SSDT 86F54C00 ZwCreateSymbolicLinkObject
    SSDT 86F19570 ZwCreateThread
    SSDT 86F53910 ZwCreateThreadEx
    SSDT 86DC9048 ZwDebugActiveProcess
    SSDT 86F3F168 ZwDuplicateObject
    SSDT 86F40898 ZwFreeVirtualMemory
    SSDT 86DE0048 ZwImpersonateAnonymousToken
    SSDT 86DD35E8 ZwImpersonateThread
    SSDT 86CBA310 ZwLoadDriver
    SSDT 86F40738 ZwMapViewOfSection
    SSDT 86DDB3B0 ZwOpenEvent
    SSDT 86F3F408 ZwOpenProcess
    SSDT 86D6ABD8 ZwOpenProcessToken
    SSDT 86E26270 ZwOpenSection
    SSDT 86F3F2B8 ZwOpenThread
    SSDT 86F53D80 ZwProtectVirtualMemory
    SSDT 86D6DEB0 ZwResumeThread
    SSDT 86D71840 ZwSetContextThread
    SSDT 86F41FC0 ZwSetInformationProcess
    SSDT 86D82420 ZwSetSystemInformation
    SSDT 86E20048 ZwSuspendProcess
    SSDT 86D7CAD0 ZwSuspendThread
    SSDT 86D53E40 ZwTerminateProcess
    SSDT 86D7C538 ZwTerminateThread
    SSDT 86D6C540 ZwUnmapViewOfSection
    SSDT 86F40BA8 ZwWriteVirtualMemory

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83022AF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83022104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830223F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8300B2D8
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8300A898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830221DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83022958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830226F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83022F2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830231A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83082579 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830A6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!RtlSidHashLookup + 224 830AE724 8 Bytes [90, FE, D8, 86, 48, 20, DC, ...]
    .text ntkrnlpa.exe!RtlSidHashLookup + 23C 830AE73C 4 Bytes [78, 0E, F4, 86]
    .text ntkrnlpa.exe!RtlSidHashLookup + 248 830AE748 4 Bytes [20, 32, CC, 86]
    .text ntkrnlpa.exe!RtlSidHashLookup + 29C 830AE79C 4 Bytes [C8, 37, E6, 86] {ENTER 0xe637, 0x86}
    .text ntkrnlpa.exe!RtlSidHashLookup + 318 830AE818 4 Bytes [00, 5C, F5, 86] {ADD [EBP+ESI*8-0x7a], BL}
    .text ...
    .text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8AF49000, 0x3C849, 0xE8000020]
    .dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8AF8E000, 0x3DC, 0x48000040]
    .text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x81E3D000, 0x2D5526, 0xE8000020]
    .text peauth.sys A1558C9D 28 Bytes [9E, 76, 66, D2, E4, DD, 1F, ...]
    .text peauth.sys A1558CC1 28 Bytes [9E, 76, 66, D2, E4, DD, 1F, ...]
    PAGE peauth.sys A155EB9B 72 Bytes [4E, 3A, 86, A1, B7, AD, AB, ...]
    PAGE peauth.sys A155EBEC 89 Bytes [27, EB, 69, 8B, E0, E7, 3C, ...]
    PAGE peauth.sys A155EC46 21 Bytes [4D, 68, 30, 87, 3E, 70, A5, ...]
    PAGE ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[4252] ntdll.dll!wcsncmp + 33B 76DEF580 7 Bytes JMP 01B2003A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [USER32.dll!LoadCursorW] 017FC7B0
    IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [USER32.dll!LoadIconW] 017FC810
    IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [USER32.dll!CreateDialogParamW] 017FCA00
    IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [USER32.dll!DialogBoxParamW] 017FCAA0
    IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [KERNEL32.dll!GlobalLock] 017FC1B0
    IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 017FC170
    IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 017F99A0
    IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 017F9920
    IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [KERNEL32.dll!GetVersion] 017FC540
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [73C0250F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73C02494] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73BE5624] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73BE56E2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73BF8573] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73BF4D27] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73BF50CE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73BF51A3] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73BF66D0] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73BF82CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73BF8819] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73BF907A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73BFE21D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73BF4C59] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 86769841

    ---- Files - GMER 1.0.15 ----

    File C:\windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
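
Triage of a GMER log like the one above, as an added example that is not part of the original thread and not GMER's own tooling: the script splits the log into its "---- <section> - GMER x.y.z ----" blocks and flags the lines an analyst acts on, in the same priority the moderator applies here (the "suspicious modification" on atapi.sys and the \Driver\atapi dispatch pointer redirected to a bare address with no owning module are the rootkit indicators; SSDT entries and IAT targets with no module attribution, and user-mode JMP hooks, are worth correlating with installed security and download-manager software before being called malicious). The embedded sample is a constructed excerpt of the posted log; the severity levels, rule names and the Finding type are this example's own, not anything GMER emits.

```python
import re
from collections import namedtuple
from typing import Dict, List

Finding = namedtuple("Finding", "severity section reason line")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # example's own ranking

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "Device -> \Driver\atapi \Device\Harddisk0\DR0 86769841": dispatch goes to a bare address
DEVICE_PTR_RE = re.compile(r"^Device -> (\\\S+) (\\\S+) ([0-9A-Fa-f]{8})$")
# "SSDT 86F3F408 ZwOpenProcess": a hooked service with no hooking module named
SSDT_BARE_RE = re.compile(r"^SSDT ([0-9A-Fa-f]{8}) (Zw\w+)$")

# Constructed excerpt modelled on the GMER 1.0.15 log posted above (not the full log).
SAMPLE_GMER_LOG = r"""---- System - GMER 1.0.15 ----
SSDT 86D8FE90 ZwAlertResumeThread
SSDT 86F3F408 ZwOpenProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83082579 1 Byte [06]
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8AF49000, 0x3C849, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[4252] ntdll.dll!wcsncmp + 33B 76DEF580 7 Bytes JMP 01B2003A
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\DAP\DAP.exe[2576] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 017F9920
IAT C:\windows\Explorer.EXE[2860] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [73C0250F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86769841
---- Files - GMER 1.0.15 ----
File C:\windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

# (section, severity, reason, predicate). AttachedDevice lines and IAT entries that
# resolve to "(Description/Vendor)" are normal filter drivers / forwarders and match nothing.
RULES = [
    ("Files", "HIGH", "file on disk flagged as modified",
     lambda l: "suspicious modification" in l),
    ("Devices", "HIGH", "device dispatch redirected to bare address (no owning module)",
     DEVICE_PTR_RE.match),
    ("System", "MEDIUM", "SSDT entry with no module attribution",
     SSDT_BARE_RE.match),
    ("Kernel code sections", "MEDIUM", "kernel code patched in memory",
     lambda l: " Byte " in l or " Bytes " in l),
    ("Kernel code sections", "LOW", "writeable/unknown driver section (common for third-party drivers)",
     lambda l: "section is writeable" in l or "unknown last section" in l),
    ("User code sections", "MEDIUM", "inline user-mode hook (JMP)",
     lambda l: " JMP " in l),
    ("User IAT/EAT", "MEDIUM", "IAT entry redirected to unattributed code",
     lambda l: l.startswith("IAT ") and not l.endswith(")")),
]


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the '---- <name> - GMER x.y.z ----' heading they follow."""
    sections: Dict[str, List[str]] = {}
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading = SECTION_RE.match(line)
        if heading:
            current = heading.group(1)
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(log: str) -> List[Finding]:
    """Apply RULES per section; return findings sorted HIGH -> LOW (stable within a level)."""
    sec = split_sections(log)
    out = [Finding(sev, section, reason, line)
           for section, sev, reason, test in RULES
           for line in sec.get(section, []) if test(line)]
    out.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity; every level is present, possibly as zero."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_GMER_LOG)
    print(summarize(results))
    for f in results:
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Run against a full log, the two HIGH findings come out first and both name atapi.sys / the atapi device object, which is exactly what the moderator's Avenger script targeted; the MEDIUM entries are the ones to cross-check against Norton 360 and DAP before treating them as part of the infection.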
     
  19. 2010/01/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  20. 2010/01/13
    gsmith7712

    gsmith7712 Inactive Thread Starter

    Joined:
    2010/01/08
    Messages:
    25
    Likes Received:
    0
    ComboFix 10-01-13.07 - Owner 01/13/2010 17:04:57.1.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2812.1745 [GMT -8:00]
    Running from: c:\users\Owner\Desktop\ComboFix.exe
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Fonts\ZWAdobeF.TTF
    c:\windows\system32\11478.exe
    c:\windows\system32\15724.exe
    c:\windows\system32\18467.exe
    c:\windows\system32\19169.exe
    c:\windows\system32\24464.exe
    c:\windows\system32\26500.exe
    c:\windows\system32\26962.exe
    c:\windows\system32\29358.exe
    c:\windows\system32\41.exe
    c:\windows\system32\6334.exe
    c:\windows\system32\helper32.dll
    c:\windows\system32\smss32.exe
    c:\windows\system32\Thumbs.db
    c:\windows\system32\warning.html
    c:\windows\system32\winlogon32.exe

    c:\windows\system32\wuauclt.exe . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))
    .

    2010-01-14 01:18 . 2010-01-14 01:18 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-01-13 22:14 . 2010-01-13 22:14 -------- d-----w- c:\program files\InternetSecurity2010
    2010-01-13 13:52 . 2009-12-18 11:36 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100112.053\NAVENG.SYS
    2010-01-13 13:52 . 2009-12-18 11:36 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100112.053\EECTRL.SYS
    2010-01-13 13:52 . 2009-12-18 11:36 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100112.053\CCERASER.DLL
    2010-01-13 13:52 . 2009-12-18 11:36 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100112.053\ECMSVR32.DLL
    2010-01-13 13:52 . 2009-12-18 11:36 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100112.053\NAVENG32.DLL
    2010-01-13 13:52 . 2009-12-18 11:36 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100112.053\NAVEX32A.DLL
    2010-01-13 13:52 . 2009-12-18 11:36 1323568 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100112.053\NAVEX15.SYS
    2010-01-13 13:52 . 2009-12-18 11:36 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100112.053\ERASER.SYS
    2010-01-13 05:39 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-13 05:39 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-09 21:04 . 2010-01-09 21:04 5115823 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-09 20:24 . 2010-01-09 20:24 52224 ----a-w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-09 20:24 . 2010-01-09 20:24 117760 ----a-w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-09 20:23 . 2010-01-09 20:23 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-01-09 20:23 . 2010-01-09 20:23 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-09 20:23 . 2010-01-09 20:23 -------- d-----w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com
    2010-01-09 20:22 . 2010-01-09 20:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-09 02:55 . 2010-01-09 02:55 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
    2010-01-09 02:55 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-09 02:55 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-09 02:55 . 2010-01-09 02:55 -------- d-----w- c:\programdata\Malwarebytes
    2010-01-09 02:55 . 2010-01-09 21:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-09 01:27 . 2010-01-09 01:27 -------- d-----w- c:\users\Owner\AppData\Roaming\Uniblue
    2010-01-09 00:38 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\IDSXpx86.sys
    2010-01-09 00:38 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\Scxpx86.dll
    2010-01-09 00:38 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\IDSxpx86.dll
    2010-01-09 00:38 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\IDSvix86.sys
    2010-01-09 00:38 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\IDSviA64.sys
    2010-01-09 00:37 . 2010-01-09 00:38 -------- d-----w- c:\users\Owner\dwhelper
    2010-01-09 00:23 . 2010-01-09 00:23 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2010-01-09 00:23 . 2010-01-09 00:23 3605256 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2010-01-09 00:22 . 2010-01-09 00:22 546624 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-01-08 08:09 . 2009-12-18 11:36 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.049\NAVENG.SYS
    2010-01-08 08:09 . 2009-12-18 11:36 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.049\EECTRL.SYS
    2010-01-08 08:09 . 2009-12-18 11:36 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.049\CCERASER.DLL
    2010-01-08 08:09 . 2009-12-18 11:36 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.049\ECMSVR32.DLL
    2010-01-08 08:09 . 2009-12-18 11:36 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.049\NAVENG32.DLL
    2010-01-08 08:09 . 2009-12-18 11:36 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.049\NAVEX32A.DLL
    2010-01-08 08:09 . 2009-12-18 11:36 1323568 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.049\NAVEX15.SYS
    2010-01-08 08:09 . 2009-12-18 11:36 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100107.049\ERASER.SYS
    2010-01-05 01:04 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\IDSXpx86.sys
    2010-01-05 01:04 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\Scxpx86.dll
    2010-01-05 01:04 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\IDSxpx86.dll
    2010-01-05 01:04 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\IDSvix86.sys
    2010-01-05 01:04 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091230.004\IDSviA64.sys
    2010-01-03 19:27 . 2010-01-03 19:27 -------- d-----r- c:\program files\Norton Support
    2010-01-02 23:21 . 2009-09-01 02:29 2965536 ----a-w- c:\windows\system32\RtkAPO.dll
    2010-01-02 23:21 . 2009-09-01 02:29 1292832 ----a-w- c:\windows\system32\RtkPgExt.dll
    2010-01-02 23:21 . 2009-09-01 02:29 53280 ----a-w- c:\windows\system32\RtkCoInst.dll
    2010-01-02 23:21 . 2009-09-01 02:29 338464 ----a-w- c:\windows\system32\RtkApoApi.dll
    2010-01-02 23:21 . 2009-09-01 02:18 2760224 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
    2010-01-02 23:21 . 2009-07-03 03:28 73216 ----a-w- c:\windows\system32\RTEEL32A.dll
    2010-01-02 23:21 . 2009-07-03 03:28 59392 ----a-w- c:\windows\system32\RTEEG32A.dll
    2010-01-02 23:21 . 2009-07-03 03:28 347648 ----a-w- c:\windows\system32\RTEEP32A.dll
    2010-01-02 23:21 . 2009-07-03 03:28 164864 ----a-w- c:\windows\system32\RTEED32A.dll
    2010-01-02 23:21 . 2009-08-21 03:47 266752 ----a-w- c:\windows\system32\FMAPO.dll
    2010-01-01 08:33 . 2010-01-01 08:33 125952 ----a-w- c:\programdata\ParetoLogic\UUS2\Temp\Update.exe
    2009-12-31 19:15 . 2009-08-21 08:04 189440 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
    2009-12-31 19:15 . 2009-03-05 22:54 73728 ----a-w- c:\windows\system32\RtNicProp32.dll
    2009-12-31 19:05 . 2009-12-31 19:06 -------- d-----w- c:\users\Owner\AppData\Roaming\DriverCure
    2009-12-31 19:05 . 2010-01-05 01:48 -------- d-----w- c:\programdata\DriverCure
    2009-12-31 19:05 . 2009-12-31 19:05 -------- d-----w- c:\programdata\ParetoLogic
    2009-12-31 19:05 . 2009-12-31 19:05 -------- d-----w- c:\program files\ParetoLogic
    2009-12-31 19:05 . 2009-12-31 19:05 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2009-12-30 22:11 . 2009-12-30 22:11 -------- d-----w- c:\program files\Common Files\xing shared
    2009-12-30 22:10 . 2009-12-30 22:11 -------- d-----w- c:\program files\Common Files\Real
    2009-12-30 22:10 . 2009-12-30 22:10 -------- d-----w- c:\program files\Real
    2009-12-30 03:41 . 2009-12-30 03:41 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2009-12-30 03:40 . 2009-12-30 21:02 -------- d-----w- c:\users\Owner\AppData\Local\Microsoft Help
    2009-12-30 01:43 . 2009-08-20 07:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
    2009-12-30 01:43 . 2009-08-20 07:50 46928 ----a-r- c:\windows\system32\AdobePDF.dll
    2009-12-30 01:12 . 2009-02-27 20:55 111992 ----a-w- c:\windows\system32\acaptuser32.dll
    2009-12-30 01:03 . 2009-12-30 01:03 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2009-12-30 00:44 . 2009-12-30 00:44 944797 ----a-w- c:\users\Owner\Microsoft office 7.exe
    2009-12-30 00:35 . 2009-12-30 01:53 -------- d-----w- c:\users\Owner\Adobe_GS
    2009-12-29 02:06 . 2009-12-29 02:06 -------- d-----w- c:\program files\Belarc
    2009-12-29 00:56 . 2009-12-29 00:56 144160 ----a-w- c:\users\Owner\AppData\Roaming\Move Networks\uninstall.exe
    2009-12-29 00:56 . 2009-12-30 01:49 -------- d-----w- c:\users\Owner\AppData\Roaming\Move Networks
    2009-12-28 00:10 . 2009-12-31 17:06 -------- d-----w- c:\users\Owner\AppData\Local\Deployment
    2009-12-28 00:10 . 2009-12-28 00:10 -------- d-----w- c:\users\Owner\AppData\Local\Apps
    2009-12-26 23:30 . 2009-12-26 23:30 -------- d-----w- c:\users\Owner\AppData\Roaming\Media Player Classic
    2009-12-26 22:57 . 2009-12-26 22:57 -------- d-----w- c:\windows\system32\N360_BACKUP
    2009-12-26 22:44 . 2009-12-26 22:44 -------- d-sh--w- c:\windows\BitLockerDiscoveryVolumeContents
    2009-12-26 22:44 . 2009-12-26 22:44 -------- d-----w- c:\windows\RemotePackages
    2009-12-26 22:13 . 2009-12-26 22:13 -------- d-----w- c:\users\Owner\AppData\Local\Microsoft Corporation
    2009-12-26 22:12 . 2009-12-26 22:12 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
    2009-12-26 21:18 . 2009-12-27 18:56 -------- d-----w- c:\programdata\FLEXnet
    2009-12-26 20:38 . 2009-12-26 20:38 95744 ----a-w- c:\programdata\SpeedBit\DAP\SDCondition.dll
    2009-12-26 20:24 . 2009-12-26 20:24 -------- d-----w- c:\program files\Keygen
    2009-12-26 20:17 . 2010-01-08 19:38 -------- d-----w- c:\programdata\SpeedBit
    2009-12-26 20:17 . 2009-12-26 20:17 50688 ----a-w- c:\windows\system32\wbhelp2.dll
    2009-12-26 20:17 . 2009-12-26 20:18 -------- d-----w- c:\program files\DAP
    2009-12-26 18:21 . 2010-01-03 21:48 -------- d-----w- c:\users\Owner\AppData\Local\ElevatedDiagnostics
    2009-12-26 18:12 . 2010-01-03 21:48 -------- d-----w- c:\users\Owner\AppData\Local\Diagnostics
    2009-12-24 15:48 . 2009-12-24 15:50 -------- d-----w- c:\users\Owner\AppData\Roaming\vlc
    2009-12-24 03:35 . 2009-12-24 03:35 -------- d-----w- c:\program files\VideoLAN
    2009-12-24 01:36 . 2009-12-24 01:36 -------- d-----w- c:\users\Owner\AppData\Roaming\AVS4YOU
    2009-12-24 01:36 . 2009-12-24 01:36 -------- d-----w- c:\programdata\AVS4YOU
    2009-12-24 01:35 . 2009-12-24 01:36 -------- d-----w- c:\program files\Common Files\AVSMedia
    2009-12-24 01:35 . 2008-08-13 18:22 974848 ----a-w- c:\windows\system32\mfc70.dll
    2009-12-24 01:35 . 2008-08-13 18:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
    2009-12-24 01:35 . 2008-08-13 18:22 344064 ----a-w- c:\windows\system32\msvcr70.dll
    2009-12-24 01:35 . 2009-12-24 01:36 -------- d-----w- c:\program files\AVS4YOU
    2009-12-24 01:35 . 2008-08-13 18:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
    2009-12-24 01:35 . 2008-08-13 18:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
    2009-12-24 01:25 . 2009-08-16 15:08 178176 ----a-w- c:\windows\system32\unrar.dll
    2009-12-24 01:25 . 2004-01-25 16:18 217088 ----a-w- c:\windows\system32\yv12vfw.dll
    2009-12-24 01:25 . 2009-05-29 21:37 205824 ----a-w- c:\windows\system32\xvidvfw.dll
    2009-12-24 01:25 . 2009-05-29 21:31 881664 ----a-w- c:\windows\system32\xvidcore.dll
    2009-12-24 01:24 . 2009-07-14 00:15 90112 ----a-w- c:\windows\system32\dpl100.dll
    2009-12-24 01:24 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
    2009-12-24 01:24 . 2009-07-14 00:15 685056 ----a-w- c:\windows\system32\divx.dll
    2009-12-24 01:24 . 2009-12-11 18:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2009-12-24 01:24 . 2009-12-24 01:27 -------- d-----w- c:\program files\K-Lite Codec Pack
    2009-12-20 18:03 . 2009-12-24 03:07 -------- d-----w- c:\program files\Free Offers from Freeze.com
    2009-12-20 08:26 . 2010-01-03 18:47 -------- d-----w- c:\program files\7-Zip
    2009-12-20 01:12 . 2009-12-20 01:12 -------- d-----w- c:\program files\Audible
    2009-12-20 00:55 . 2009-12-29 03:46 -------- d-----w- c:\users\Owner\AppData\Local\Apple Computer
    2009-12-20 00:55 . 2009-12-20 00:57 -------- d-----w- c:\users\Owner\AppData\Roaming\Apple Computer
    2009-12-20 00:55 . 2009-12-20 00:55 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-12-20 00:55 . 2009-12-20 00:55 -------- d-----w- c:\program files\iTunes
    2009-12-20 00:55 . 2009-12-20 00:55 -------- d-----w- c:\program files\iPod
    2009-12-20 00:54 . 2009-12-20 00:54 -------- d-----w- c:\program files\Bonjour

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-13 09:42 . 2009-07-13 23:11 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-01-09 19:52 . 2009-09-22 08:46 -------- d-----w- c:\programdata\Microsoft Help
    2010-01-09 13:05 . 2009-11-19 21:40 111792 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-01-03 19:28 . 2009-12-18 23:56 -------- d-----w- c:\program files\Symantec
    2010-01-03 18:47 . 2009-09-02 05:47 -------- d-----w- c:\programdata\Partner
    2010-01-03 18:47 . 2009-09-02 05:47 -------- d-----w- c:\program files\Google
    2009-12-31 19:15 . 2009-09-22 09:11 -------- d-----w- c:\program files\Realtek
    2009-12-30 22:11 . 2003-03-19 05:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2009-12-30 22:11 . 2003-02-21 13:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2009-12-30 17:35 . 2009-09-02 05:30 -------- d-----w- c:\program files\TOSHIBA
    2009-12-30 03:45 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
    2009-12-30 01:42 . 2009-09-02 05:33 -------- d-----w- c:\program files\Common Files\Adobe
    2009-12-29 00:56 . 2009-12-10 19:26 4187512 ----a-w- c:\users\Owner\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
    2009-12-22 01:03 . 2009-09-02 05:46 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-12-19 00:24 . 2009-12-18 23:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-12-18 23:56 . 2009-12-18 23:56 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-12-18 23:56 . 2009-12-18 23:56 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-12-18 23:56 . 2009-12-18 23:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-12-18 23:56 . 2009-12-18 23:56 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-12-18 23:56 . 2009-12-18 23:56 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
    2009-12-18 23:56 . 2009-12-18 23:56 1291104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
    2009-12-18 23:56 . 2009-12-18 23:56 136840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
    2009-12-18 23:56 . 2009-12-18 23:56 165240 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
    2009-12-18 23:56 . 2009-12-18 23:56 107368 ----a-r- c:\windows\system32\GEARAspi.dll
    2009-12-18 23:56 . 2009-12-18 23:56 771440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
    2009-12-18 23:56 . 2009-12-18 23:56 -------- d-----w- c:\program files\Norton 360
    2009-12-18 23:56 . 2009-09-22 09:21 -------- d-----w- c:\programdata\Norton
    2009-12-18 23:55 . 2009-09-22 09:21 -------- d-----w- c:\programdata\NortonInstaller
    2009-12-18 20:48 . 2009-12-18 20:47 -------- d-----w- c:\program files\Juniper Networks
    2009-12-18 20:47 . 2009-12-18 20:47 161632 ----a-w- c:\users\Owner\AppData\Roaming\Juniper Networks\Setup Client\x86_Microsoft.VC80.CRTP_8.0.50727.762.exe
    2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\users\Owner\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
    2009-11-19 22:06 . 2009-11-19 22:06 -------- d-----w- c:\programdata\Geek Squad
    2009-11-19 22:05 . 2009-11-19 22:05 -------- d-----w- c:\program files\MSSOAP
    2009-11-19 22:05 . 2009-11-19 22:05 -------- d-----w- c:\program files\Webroot
    2009-11-19 21:40 . 2009-11-19 21:40 -------- d-----w- c:\users\Owner\AppData\Roaming\ATI
    2009-11-19 21:39 . 2009-11-19 21:39 13 --sh--r- c:\windows\system32\drivers\fbd.sys
    2009-11-19 21:39 . 2009-09-02 05:30 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-11-19 21:38 . 2009-11-19 21:38 -------- d-----w- c:\users\Owner\AppData\Roaming\WinBatch
    2009-11-13 01:07 . 2009-11-13 01:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
    2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
    2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
    2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
    2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
    2009-12-31 18:31 . 2009-12-31 18:31 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DriverCure"="c:\program files\ParetoLogic\DriverCure\DriverCure.exe" [2009-08-07 3993368]
    "DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2009-12-26 2811392]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-01 7731744]
    "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-21 476512]
    "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
    "Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-08-11 1324384]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-09-17 611672]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-31 30192]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-08 429392]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-08 1394000]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Internet Security 2010"="c:\program files\InternetSecurity2010\IS2010.exe" [2010-01-13 1231872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"=5 (0x5)
    "ConsentPromptBehaviorUser"=3 (0x3)
    "EnableUIADesktopToggle"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=1 (0x1)
    "NoActiveDesktopChanges"=1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\acaptuser32.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk]
    backup=c:\windows\pss\Audible Download Manager.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00TCrdMain]
    2009-08-05 21:04 738616 ----a-w- c:\program files\TOSHIBA\FlashCards\TCrdMain.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2009-10-03 07:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
    2009-10-03 12:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-09-04 20:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonOnlineBackupReminder]
    2009-07-16 19:04 529256 ----a-w- c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2009-07-30 05:32 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2009-07-21 00:46 1545512 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-12-30 22:11 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToshibaServiceStation]
    2009-08-17 17:48 1294136 ----a-w- c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosSENotify]
    2009-09-17 23:37 611672 ----a-w- c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosWaitSrv]
    2009-08-07 00:05 611672 ----a-w- c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WinDefend"=2 (0x2)

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\N360\0305020.00B\SymEFA.sys [12/18/2009 3:56 PM 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\N360\0305020.00B\BHDrvx86.sys [12/18/2009 3:56 PM 259632]
    R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\N360\0305020.00B\cchpx86.sys [12/18/2009 3:56 PM 482432]
    R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\IDSvix86.sys [1/8/2010 4:38 PM 343088]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [7/13/2009 3:52 PM 48128]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [9/22/2009 1:02 AM 176128]
    R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [8/10/2009 6:55 PM 185712]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [3/10/2009 5:51 PM 46448]
    R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [12/18/2009 3:56 PM 117640]
    R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [8/11/2009 3:09 PM 185712]
    R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\System32\drivers\TVALZFL.sys [6/19/2009 6:31 PM 12920]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/18/2009 4:13 PM 102448]
    R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [9/22/2009 1:15 AM 7680]
    R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [1/8/2010 6:55 PM 19160]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\System32\drivers\Rt86win7.sys [12/31/2009 11:15 AM 189440]
    R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\N360\0305020.00B\symndisv.sys [12/18/2009 3:56 PM 48688]
    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [9/17/2009 3:37 PM 111960]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/9/2010 1:04 PM 236368]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/31/2009 10:31 AM 30192]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
    S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [9/22/2009 1:17 AM 51512]
    S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [8/6/2009 4:04 PM 685424]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
    2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-13 c:\windows\Tasks\DriverCure.job
    - c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-08-07 19:36]

    2010-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-884126427-3540133245-3834508182-1000Core.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-19 19:42]

    2010-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-884126427-3540133245-3834508182-1000UA.job
    - c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-19 19:42]

    2010-01-13 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

    2010-01-09 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
    IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} - hxxp://genell.gene.com/support/webedit/lledit.cab
    FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ecaq50ry.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
    FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: c:\users\Owner\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\users\Owner\AppData\Roaming\Move Networks\plugins\npqmp071505000011.dll
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    HKLM-Run-smss32.exe - c:\windows\system32\smss32.exe



    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86769841]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
    user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
    "ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\atieclxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Juniper Networks\Common Files\dsNcService.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\TODDSrv.exe
    c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\system32\taskhost.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\system32\conhost.exe
    c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\sppsvc.exe
    c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-13 17:26:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-14 01:26

    Pre-Run: 269,098,086,400 bytes free
    Post-Run: 269,051,576,320 bytes free

    - - End Of File - - 8CDD626E56F44AEAE0285395EF484F43
     
  21. 2010/01/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users:: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :file
      wuauclt.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
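What the SystemLook script in the post above asks for is a listing of every file named wuauclt.exe on the machine, so that a copy living somewhere other than the Windows directories stands out. The following PowerShell script is an added example, not part of the thread and not SystemLook's own code: it performs the equivalent check on drive-letter volumes and additionally reports each hit's size, Authenticode signature status and SHA-256, flagging any copy that is unsigned or sits outside the expected directories. It assumes PowerShell 4.0 or later (for Get-FileHash and the -File switch; the Windows 7 default of 2.0 is not enough), an elevated prompt, and that legitimate copies of the file live only under System32, SysWOW64 or WinSxS; the file name and expected directories are parameters, so the same check works for any other system binary name.

```powershell
# Added example (not from the thread or from SystemLook): enumerate every file
# with a given name on local drive-letter volumes and report where it lives,
# whether it carries a valid Authenticode signature, and its SHA-256, so that a
# duplicate planted outside the expected Windows directories can be spotted.
# Assumes PowerShell 4.0+ and an elevated prompt.
param(
    [string]$FileName = 'wuauclt.exe',
    # Assumption: directories where a legitimate copy is expected to live.
    [string[]]$ExpectedDirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64')
    )
)

$winSxSPrefix = Join-Path $env:SystemRoot 'WinSxS\*'

# Walk each drive-letter volume; access errors on protected folders are ignored.
$hits = foreach ($drive in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' })) {
    Get-ChildItem -Path $drive.Root -Filter $FileName -Recurse -File -Force -ErrorAction SilentlyContinue
}

$report = foreach ($f in $hits) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash

    $inExpectedDir = $false
    foreach ($d in $ExpectedDirs) {
        if ($f.DirectoryName -ieq $d) { $inExpectedDir = $true }
    }
    $inWinSxS = $f.FullName -like $winSxSPrefix

    # A copy is worth a closer look if it is outside the expected locations
    # or its signature does not verify.
    $suspicious = (-not ($inExpectedDir -or $inWinSxS)) -or ($sig.Status -ne 'Valid')

    [pscustomobject]@{
        Path       = $f.FullName
        SizeBytes  = $f.Length
        ModifiedUtc = $f.LastWriteTimeUtc
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SigStatus  = $sig.Status
        SHA256     = $hash
        Suspicious = $suspicious
    }
}

if ($report) {
    # Suspicious entries first so they are visible at the top of the listing.
    $report | Sort-Object Suspicious -Descending | Format-List
} else {
    Write-Output "No file named $FileName found on local drive-letter volumes."
}
```

Usage: save as a .ps1 and run it from an elevated PowerShell prompt, optionally with `-FileName` to check a different name. Treat the Suspicious column as a prompt for inspection rather than a verdict: the SHA-256 of a flagged copy can be compared against the hash of the copy in System32 (or checked with a reputation service) before deciding what to do with it.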
