Solved Google redirect

Discussion in 'Malware and Virus Removal Archive' started by natasha, 2011/01/02.

  1. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    here is the MBR report

    I can't seem to copy the MBR report
     
  2. 2011/01/03
    natasha

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000c`34f34a00 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: FF31561710A96F68B2156907C84EE274F4A4376C


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    y

    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: 3



    Done!
    Press ENTER to exit...


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 135):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF7A88000 \WINDOWS\system32\KDCOM.DLL
    0xF7998000 \WINDOWS\system32\BOOTVID.dll
    0xF7459000 ACPI.sys
    0xF7A8A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7448000 pci.sys
    0xF7588000 isapnp.sys
    0xF799C000 compbatt.sys
    0xF79A0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF7B50000 pciide.sys
    0xF7808000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7598000 MountMgr.sys
    0xF7429000 ftdisk.sys
    0xF7A8C000 dmload.sys
    0xF7403000 dmio.sys
    0xF79A4000 ACPIEC.sys
    0xF7B51000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF7810000 PartMgr.sys
    0xF75A8000 VolSnap.sys
    0xF73EB000 atapi.sys
    0xF75B8000 disk.sys
    0xF75C8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF73CB000 fltmgr.sys
    0xF73B9000 sr.sys
    0xF73A2000 KSecDD.sys
    0xF7315000 Ntfs.sys
    0xF72E8000 NDIS.sys
    0xF72CE000 Mup.sys
    0xF76E8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF66FE000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xF66EA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
     
    Last edited: 2011/01/03

  4. 2011/01/03
    natasha

    DDS log 1
    DDS (Ver_10-12-12.02) - NTFSx86
    Run by user at 10:30:20.10 on Mon 01/03/2011
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.239 [GMT -6:00]

    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\idt\wdm\STacSV.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\user\Local Settings\Temp\McInstallTemp (2)\Install.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\Documents and Settings\user\Local Settings\Temp\McInstallTemp (2)\SelfProtect\Win32\aploader.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\avira_antivir_personal_en.exe
    C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\presetup.exe
    C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\setup.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Avira\AntiVir Desktop\avconfig.exe
    c:\program files\avira\antivir desktop\avcenter.exe
    c:\program files\avira\antivir desktop\avscan.exe
    C:\Documents and Settings\user\Desktop\spy ware programs\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uWindow Title =
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    mWindow Title =
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [MSS] "c:\documents and settings\all users\application data\c1a53ea\MSc1a5_289.exe" /s
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [HPCam_Menu] "c:\program files\hewlett-packard\hp webcam\muitransfer\muistartmenu.exe" "c:\program files\hewlett-packard\hp webcam" updatewithcreateonce "software\cyberlink\hp webcam\1.0 "
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/62.14/uploader2.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
    LSA: Authentication Packages = msv1_0 nwprovau
    Hosts: 74.125.45.100 safebrowsing-cache.google.com
    Hosts: 74.125.45.100 urs.microsoft.com
    Hosts: 74.125.45.100 www.securesoftwarebill.com
    Hosts: 74.125.45.100 secure-plus-payments.com
    Hosts: 74.125.45.100 www.secure-plus-payments.com

    Note: multiple HOSTS entries found. Please refer to Attach.txt

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\denmoxky.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: PrivacyChoice Opt-out: addon@privacychoice.org - %profile%\extensions\addon@privacychoice.org
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-3 11608]
    R1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-3 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-3 267944]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-3 61960]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-3 141792]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-2-15 113536]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-2-15 209464]
    S2 McShield;McAfee McShield; "c:\program files\mcafee\virusscan enterprise\mcshield.exe" --> c:\program files\mcafee\virusscan enterprise\Mcshield.exe [?]
    S2 McTaskManager;McAfee Task Manager; "c:\program files\mcafee\virusscan enterprise\vstskmgr.exe" --> c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [?]
    S3 ActionReplayDS;ActionReplayDS;c:\windows\system32\drivers\ActionReplayDS.sys [2010-5-9 29184]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\a2.tmp --> c:\windows\system32\A2.tmp [?]
    S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys --> c:\windows\system32\drivers\mfeavfk.sys [?]
    S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys --> c:\windows\system32\drivers\mfebopk.sys [?]

    =============== Created Last 30 ================

    2011-01-03 16:11:13 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-01-03 16:11:12 -------- d-----w- c:\program files\Avira
    2011-01-03 16:11:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2011-01-03 15:33:40 141792 ----a-w- c:\windows\system32\mfevtps.exe
    2011-01-03 15:33:17 59325912 ----a-w- C:\avira_antivir_personal_en.exe
    2011-01-03 13:44:30 -------- d-----w- c:\windows\system32\KB905474
    2011-01-03 05:31:45 141792 ----a-w- c:\windows\system32\mfevtps.exe.7e75.deleteme
    2011-01-03 05:31:01 3137976 ----a-w- C:\DMSetup.exe
    2011-01-02 17:01:54 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2011-01-02 17:00:12 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-01-02 16:59:48 354304 -c----w- c:\windows\system32\dllcache\srv.sys
    2011-01-02 16:59:29 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2011-01-02 16:59:20 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2011-01-02 16:59:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-01-02 16:59:02 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2011-01-02 16:57:24 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2011-01-02 16:57:23 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2011-01-02 16:57:23 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2011-01-02 16:57:23 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2011-01-02 16:57:06 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2011-01-02 16:56:10 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2011-01-02 16:52:32 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
    2011-01-02 16:52:14 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
    2011-01-02 16:51:32 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2011-01-02 16:48:38 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
    2011-01-02 16:48:30 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2011-01-02 16:48:30 337408 ----a-w- c:\windows\system32\SETC4.tmp
    2011-01-02 16:45:40 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2011-01-02 16:45:37 512000 ----a-w- c:\windows\system32\SETA5.tmp
    2011-01-02 16:42:29 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2011-01-02 16:41:57 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
    2011-01-02 16:41:57 590848 ----a-w- c:\windows\system32\SET81.tmp
    2011-01-02 16:41:57 5120 ------w- c:\windows\system32\xpsp4res.dll
    2011-01-02 16:40:55 -------- d-----w- c:\windows\system32\PreInstall
    2011-01-02 01:12:12 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2011-01-02 01:12:12 974848 ----a-w- c:\windows\system32\SET2E8.tmp
    2011-01-02 01:12:12 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2011-01-02 01:11:50 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2011-01-02 01:11:50 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2011-01-02 00:55:05 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2011-01-01 23:33:59 -------- d-----w- c:\docume~1\user\locals~1\applic~1\PackageAware
    2011-01-01 23:27:50 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2011-01-01 23:27:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-01 23:27:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-01 23:09:31 -------- d-----w- c:\windows\system32\drivers\etc\New Folder
    2011-01-01 18:34:17 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-01-01 18:34:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2011-01-01 18:10:22 1446264 ----a-w- c:\program files\mozilla firefox\plugins\npLegitCheckPlugin.dll
    2011-01-01 05:01:59 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-01-01 05:01:59 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-12-24 22:34:36 -------- d-----w- c:\program files\100% Free Toolbar
    2010-12-24 22:34:31 -------- d-----w- c:\program files\DreamQuest

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 10:31:18.18 ===============
     
  5. 2011/01/03
    natasha

    dds LOG 2

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/14/2010 8:04:27 AM
    System Uptime: 1/3/2011 5:19:50 AM (5 hours ago)

    Motherboard: Hewlett-Packard | | 308A
    Processor: Intel(R) Core(TM)2 Duo CPU T5870 @ 2.00GHz | U10 | 1994/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 49 GiB total, 28.018 GiB free.
    D: is FIXED (NTFS) - 74 GiB total, 72.812 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP149: 10/6/2010 1:54:25 PM - System Checkpoint
    RP150: 10/7/2010 4:48:15 PM - System Checkpoint
    RP151: 10/8/2010 5:10:51 PM - System Checkpoint
    RP152: 10/9/2010 8:12:32 PM - System Checkpoint
    RP153: 10/11/2010 2:33:55 PM - System Checkpoint
    RP154: 10/12/2010 2:44:11 PM - System Checkpoint
    RP155: 10/14/2010 2:00:41 PM - System Checkpoint
    RP156: 10/15/2010 3:40:05 PM - System Checkpoint
    RP157: 10/17/2010 3:53:52 PM - System Checkpoint
    RP158: 10/18/2010 4:13:55 PM - System Checkpoint
    RP159: 10/19/2010 4:51:31 PM - System Checkpoint
    RP160: 10/20/2010 6:33:04 PM - System Checkpoint
    RP161: 10/22/2010 6:55:57 PM - System Checkpoint
    RP162: 10/25/2010 12:25:04 PM - System Checkpoint
    RP163: 10/26/2010 1:05:40 PM - System Checkpoint
    RP164: 10/27/2010 3:36:10 PM - System Checkpoint
    RP165: 10/29/2010 4:16:39 PM - System Checkpoint
    RP166: 10/29/2010 7:54:23 PM - Restore Operation
    RP167: 10/30/2010 8:29:58 PM - System Checkpoint
    RP168: 10/31/2010 9:54:13 PM - System Checkpoint
    RP169: 11/2/2010 1:01:12 PM - System Checkpoint
    RP170: 11/4/2010 1:00:57 PM - System Checkpoint
    RP171: 11/6/2010 1:50:47 PM - System Checkpoint
    RP172: 11/7/2010 5:35:23 PM - System Checkpoint
    RP173: 11/11/2010 1:48:41 PM - System Checkpoint
    RP174: 11/13/2010 11:53:37 AM - System Checkpoint
    RP175: 11/14/2010 6:33:23 PM - System Checkpoint
    RP176: 11/15/2010 7:08:04 PM - System Checkpoint
    RP177: 11/16/2010 7:28:05 PM - System Checkpoint
    RP178: 11/18/2010 2:12:02 PM - System Checkpoint
    RP179: 11/19/2010 2:26:31 PM - System Checkpoint
    RP180: 11/20/2010 2:32:44 PM - System Checkpoint
    RP181: 11/22/2010 2:35:12 PM - System Checkpoint
    RP182: 11/23/2010 5:28:19 PM - System Checkpoint
    RP183: 11/25/2010 6:07:32 PM - System Checkpoint
    RP184: 11/28/2010 10:41:54 AM - System Checkpoint
    RP185: 11/29/2010 8:37:42 PM - System Checkpoint
    RP186: 11/30/2010 8:56:47 PM - System Checkpoint
    RP187: 12/1/2010 9:18:26 PM - System Checkpoint
    RP188: 12/3/2010 11:23:06 PM - System Checkpoint
    RP189: 12/5/2010 2:20:40 PM - System Checkpoint
    RP190: 12/6/2010 6:49:28 PM - System Checkpoint
    RP191: 12/8/2010 5:01:44 PM - System Checkpoint
    RP192: 12/9/2010 8:10:04 PM - System Checkpoint
    RP193: 12/11/2010 9:32:46 AM - System Checkpoint
    RP194: 12/12/2010 6:10:05 PM - System Checkpoint
    RP195: 12/15/2010 7:07:54 PM - System Checkpoint
    RP196: 12/16/2010 9:58:54 PM - System Checkpoint
    RP197: 12/18/2010 5:24:57 PM - System Checkpoint
    RP198: 12/19/2010 6:07:46 PM - System Checkpoint
    RP199: 12/20/2010 6:15:53 PM - System Checkpoint
    RP200: 12/22/2010 8:41:25 PM - System Checkpoint
    RP201: 12/24/2010 12:12:55 PM - System Checkpoint
    RP202: 12/26/2010 8:59:26 PM - System Checkpoint
    RP203: 12/30/2010 7:22:52 PM - System Checkpoint
    RP204: 12/31/2010 9:46:35 PM - System Checkpoint
    RP205: 12/31/2010 10:59:28 PM - Restore Operation
    RP206: 1/2/2011 10:40:36 AM - Software Distribution Service 3.0
    RP207: 1/2/2011 10:53:48 PM - Removed McAfee VirusScan Enterprise
    RP208: 1/2/2011 10:54:19 PM - Removed McAfee VirusScan Enterprise
    RP209: 1/3/2011 7:37:09 AM - Software Distribution Service 3.0

    ==== Hosts File Hijack ======================


    ==== Installed Programs ======================

    7-Zip 4.65
    Action Replay Code Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9
    Agere Systems HDA Modem
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    Broadband Internet
    DivX Setup
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    HP Common Access Service Library
    HP Integrated Module with Bluetooth wireless technology
    HP Quick Launch Buttons 6.50 A1
    HP Webcam
    IDT Audio
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Marvell Miniport Driver
    Microsoft .NET Framework 2.0
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Picasa 3
    QuickTime
    Real Alternative 2.0.2
    RealPlayer
    RealUpgrade 1.0
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Skype Toolbars
    Skype™ 4.2
    Spybot - Search & Destroy
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VideoLAN VLC media player 0.8.5
    WebFldrs XP
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Internet Explorer 7
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    12/31/2010 12:08:02 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the hpqwmiex service to connect.
    12/31/2010 12:08:02 PM, error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/31/2010 12:07:59 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service hpqwmiex with arguments " " in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
    12/31/2010 11:27:11 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\pchealth\helpctr\binaries\helphost.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.
    12/31/2010 1:05:35 PM, error: Dhcp [1002] - The IP address lease 192.168.3.101 for the Network Card with network address 002655B02641 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/3/2011 10:08:45 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    1/3/2011 10:08:45 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    1/3/2011 10:08:45 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    1/2/2011 7:14:17 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    1/2/2011 7:14:17 PM, error: Service Control Manager [7034] - The hpqwmiex service terminated unexpectedly. It has done this 1 time(s).
    1/2/2011 7:14:17 PM, error: Service Control Manager [7034] - The Com4QLBEx service terminated unexpectedly. It has done this 1 time(s).
    1/2/2011 7:14:16 PM, error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s).
    1/2/2011 7:14:16 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
    1/2/2011 7:14:16 PM, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2011 7:14:12 PM, error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s).
    1/2/2011 7:14:12 PM, error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
    1/2/2011 7:14:12 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2011 7:14:08 PM, error: Service Control Manager [7034] - The Audio Service service terminated unexpectedly. It has done this 1 time(s).
    1/2/2011 11:26:22 PM, error: Dhcp [1002] - The IP address lease 192.168.3.100 for the Network Card with network address 002655B02641 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    1/2/2011 10:51:14 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    1/1/2011 6:02:38 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

    ==== End Of File ===========================
     
  6. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Dear Broni
    I hope you have all that was requested.
    I await your further instructions.
    thank you
     
  7. 2011/01/03
    broni

    broni Moderator Malware Analyst

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  8. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (bui

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 245ac23fc87dbad3a9928f6e7342606c

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
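
The output above suggests dumping the master boot sector for manual inspection. The following Python example, added here and not part of the original thread or of any tool named in it, shows what a first-pass triage of such a 512-byte dump can check: the 0x55AA signature, a SHA-1 of the boot-code area compared against an allowlist, and the partition table. The function names, the choice to hash only bytes 0-439, the allowlist and the sample sectors are all assumptions constructed for this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0-439 hold the boot code
PART_TABLE_OFF = 446      # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector, known_good_sha1=frozenset()):
    """Return a triage report for one 512-byte MBR dump."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))

    # Hash only the boot code: the disk signature and partition table differ
    # per disk, so a whole-sector hash cannot be matched against an allowlist.
    # (Assumption of this example; the tools in the thread may hash differently.)
    boot_code = sector[:BOOT_CODE_LEN]
    code_sha1 = hashlib.sha1(boot_code).hexdigest().upper()
    if not any(boot_code):
        code_status = "empty"
    elif code_sha1 in known_good_sha1:
        code_status = "known"
    else:
        code_status = "unknown"

    partitions = []
    for index in range(4):
        start = PART_TABLE_OFF + index * 16
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, count = struct.unpack(
            "<B3xB3xII", sector[start:start + 16])
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR_SIZE,
            "sectors": count,
        })

    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha1": code_sha1,
        "boot_code_status": code_status,
        "partitions": partitions,
    }


def build_sample_mbr(boot_code, lba_start=63, sectors=204800):
    """Build a constructed test sector with one active NTFS (0x07) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, lba_start, sectors)
    body = boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry
    return body.ljust(SECTOR_SIZE - 2, b"\x00") + BOOT_SIGNATURE


# Constructed sample data: these bytes are placeholders, not real boot code.
STANDARD_CODE = bytes(range(1, 65))
TAMPERED_CODE = STANDARD_CODE[:-1] + b"\xff"
KNOWN_GOOD = frozenset(
    [hashlib.sha1(STANDARD_CODE.ljust(BOOT_CODE_LEN, b"\x00")).hexdigest().upper()]
)

if __name__ == "__main__":
    for label, code in (("standard", STANDARD_CODE), ("tampered", TAMPERED_CODE)):
        report = parse_mbr(build_sample_mbr(code), KNOWN_GOOD)
        print(label, report["boot_code_status"], report["boot_code_sha1"])
        for part in report["partitions"]:
            print("  partition %d type 0x%02x at offset 0x%x"
                  % (part["index"], part["type"], part["byte_offset"]))
```

A first partition starting at LBA 63 gives a byte offset of 0x7e00, the same offset the tool output reports for \\.\C:.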
     
  9. 2011/01/03
    broni

    broni Moderator Malware Analyst

    We'll need to fix your MBR...

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is a Dell computer, let me know before proceeding.
     
  10. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Broni
    my CD drive doesn't work. It was broken from before
    please give me an alternative suggestion
     
  11. 2011/01/03
    broni

    broni Moderator Malware Analyst

    This is not good.
    Let's leave this step for now.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    I tried to run ComboFix
    it said I don't have a Microsoft Recovery Console
    and I need it for ComboFix to fix
    should I go ahead and download the Microsoft Recovery Console?
     
  13. 2011/01/03
    broni

    broni Moderator Malware Analyst

    Combofix will install it for you. Simply allow it.
     
  14. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    ComboFix 11-01-03.01 - user 01/03/2011 13:26:29.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.567 [GMT -6:00]
    Running from: c:\documents and settings\user\Desktop\spy ware programs\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\user\Application Data\Smart Engine
    c:\documents and settings\user\Application Data\Smart Engine\cookies.sqlite
    c:\documents and settings\user\Recent\kernel32.tmp
    c:\documents and settings\user\Recent\SICKBOY.tmp
    c:\documents and settings\user\Recent\Thumbs.db
    c:\documents and settings\user\Recent\tjd.tmp
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-03 to 2011-01-03 )))))))))))))))))))))))))))))))
    .

    2011-01-03 18:37 . 2011-01-03 18:37 -------- d-----w- c:\documents and settings\user\Application Data\Avira
    2011-01-03 17:12 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-03 17:12 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-03 16:11 . 2010-12-13 14:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-01-03 16:11 . 2010-12-13 14:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-01-03 16:11 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-01-03 16:11 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-01-03 16:11 . 2011-01-03 16:11 -------- d-----w- c:\program files\Avira
    2011-01-03 16:11 . 2011-01-03 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-01-03 15:33 . 2010-10-14 04:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
    2011-01-03 15:33 . 2011-01-03 16:08 59325912 ----a-w- C:\avira_antivir_personal_en.exe
    2011-01-03 13:44 . 2011-01-03 13:44 -------- d-----w- c:\windows\system32\KB905474
    2011-01-03 05:31 . 2011-01-03 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2011-01-03 05:31 . 2011-01-03 05:31 3137976 ----a-w- C:\DMSetup.exe
    2011-01-02 17:01 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2011-01-02 17:00 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2011-01-02 16:59 . 2010-06-21 15:27 354304 -c----w- c:\windows\system32\dllcache\srv.sys
    2011-01-02 16:59 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2011-01-02 16:59 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2011-01-02 16:59 . 2010-02-24 13:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-01-02 16:59 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2011-01-02 16:57 . 2010-04-27 13:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2011-01-02 16:57 . 2010-04-28 02:25 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2011-01-02 16:57 . 2010-04-27 13:05 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2011-01-02 16:57 . 2010-04-27 13:05 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2011-01-02 16:57 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2011-01-02 16:56 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2011-01-02 16:53 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
    2011-01-02 16:53 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2011-01-02 16:53 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2011-01-02 16:53 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2011-01-02 16:53 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2011-01-02 16:53 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2011-01-02 16:53 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2011-01-02 16:53 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2011-01-02 16:52 . 2010-06-14 07:41 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
    2011-01-02 16:52 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
    2011-01-02 16:51 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2011-01-02 16:48 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
    2011-01-02 16:48 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2011-01-02 16:45 . 2010-07-12 12:55 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2011-01-02 16:42 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2011-01-02 16:41 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
    2011-01-02 16:41 . 2010-08-13 12:53 5120 ------w- c:\windows\system32\xpsp4res.dll
    2011-01-02 01:12 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
    2011-01-02 01:12 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2011-01-02 01:11 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2011-01-02 01:11 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2011-01-01 23:33 . 2011-01-01 23:33 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\PackageAware
    2011-01-01 23:27 . 2011-01-01 23:27 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2011-01-01 23:27 . 2011-01-01 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-01 23:27 . 2011-01-03 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-01 23:09 . 2011-01-01 23:09 -------- d-----w- c:\windows\system32\drivers\etc\New Folder
    2011-01-01 18:34 . 2011-01-01 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-01-01 18:34 . 2011-01-01 18:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-01-01 18:10 . 2009-06-25 19:20 1446264 ----a-w- c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
    2011-01-01 05:03 . 2011-01-01 05:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp
    2011-01-01 05:01 . 2011-01-01 05:01 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-01-01 05:00 . 2011-01-01 05:00 -------- d-----w- c:\program files\Common Files\Skype
    2010-12-24 22:34 . 2010-12-24 22:34 -------- d-----w- c:\program files\100% Free Toolbar
    2010-12-24 22:34 . 2010-12-24 22:34 -------- d-----w- c:\program files\DreamQuest

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 18:12 . 2010-02-14 13:57 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-02 15:17 . 2001-08-23 14:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-04 00:56 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-03 23:17 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-14 04:28 . 2010-10-14 04:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-10-14 04:28 . 2010-10-14 04:28 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-05-13 26192168]
    "MSS"="c:\documents and settings\All Users\Application Data\c1a53ea\MSc1a5_289.exe" [2010-09-07 0]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPCam_Menu"="c:\program files\Hewlett-Packard\HP Webcam\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-02-03 287288]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 142120]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-09-13 202256]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-12-11 604776]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Persistence"=c:\windows\system32\igfxpers.exe
    "IgfxTray"=c:\windows\system32\igfxtray.exe
    "HotKeysCmds"=c:\windows\system32\hkcmd.exe
    "AESTFltr"=%SystemRoot%\system32\AESTFltr.exe /NoDlg

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/3/2011 10:11 AM 135336]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/3/2011 9:33 AM 141792]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/15/2010 1:32 AM 113536]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2/15/2010 1:36 AM 209464]
    S3 ActionReplayDS;ActionReplayDS;c:\windows\system32\drivers\ActionReplayDS.sys [5/9/2010 11:09 AM 29184]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\A2.tmp --> c:\windows\system32\A2.tmp [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 07:50]

    2011-01-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-1647877149-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]

    2011-01-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-1647877149-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 09:02]

    2011-01-03 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2011-01-03 04:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/ie
    mWindow Title =
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\denmoxky.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: PrivacyChoice Opt-out: addon@privacychoice.org - %profile%\extensions\addon@privacychoice.org
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-03 13:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\A2.tmp"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2948)
    c:\windows\system32\WININET.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\idt\wdm\STacSV.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-03 13:35:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-03 19:35

    Pre-Run: 30,114,942,976 bytes free
    Post-Run: 29,989,994,496 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 86C662158DBBF1BBE10058D190AE9F9B
     
  15. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    ok... I am getting better at computers
    lol
    so what do i do next
     
  16. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    it is working
    it is working
    google is working
    YOU ARE AMAZING

    look I am here in Guatemala
    if you ever decide to come here..
    to San Pedro
    we have just one yoga place here
    and I teach there..
    very easy to find me.

    alternatively.. I will send you loads of light during my meditation this evening
    Please tell me
    Are you male or female.. I can't gather from the name
    Thank you
    so much
     
  17. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    google,
    gmail
    yahoo
    all working again
    wow
    super man or woman

    I can't tell you.. this is the first time I have done anything like this
    I mean been able to follow instructions relating to compu
     
  18. 2011/01/03
    broni

    broni Moderator Malware Analyst

    I'm glad to see you happy :)
    Haha...coming right over :)

    We still need to run some checks to make sure your computer is totally clean.

    Combofix looks good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  19. 2011/01/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    No need to quote my script :)
     
  20. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    ots log 2

    OTL Extras logfile created on: 1/3/2011 2:14:38 PM - Run 1
    OTL by OldTimer - Version 3.2.20.1 Folder = C:\Documents and Settings\user\Desktop\spy ware programs
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,015.00 Mb Total Physical Memory | 465.00 Mb Available Physical Memory | 46.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 48.83 Gb Total Space | 27.96 Gb Free Space | 57.25% Space Free | Partition Type: NTFS
    Drive D: | 74.22 Gb Total Space | 72.81 Gb Free Space | 98.10% Space Free | Partition Type: NTFS

    Computer Name: RAJ | User Name: user | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
    "{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.50 A1
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
    "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
    "{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{732A3F80-008B-4350-BD58-EC5AE98707B8}" = HP Common Access Service Library
    "{84814E6B-2581-46EC-926A-823BD1C670F6}" = HP Integrated Module with Bluetooth wireless technology
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
    "{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
    "{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
    "{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
    "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
    "{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
    "{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
    "{F639E2A2-FE6B-4527-B8BE-C1C423B81844}" = HP Webcam
    "7-Zip" = 7-Zip 9.20
    "Action Replay Code Manager_is1" = Action Replay Code Manager
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "Broadband Internet" = Broadband Internet
    "DivX Setup.divx.com" = DivX Setup
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "InstallShield_{F639E2A2-FE6B-4527-B8BE-C1C423B81844}" = HP Webcam
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Marvell Miniport Driver" = Marvell Miniport Driver
    "Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
    "Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "Picasa 3" = Picasa 3
    "RealAlt_is1" = Real Alternative 2.0.2
    "RealPlayer 12.0" = RealPlayer
    "VLC media player" = VideoLAN VLC media player 0.8.5
    "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    "Windows XP Service Pack" = Windows XP Service Pack 3

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 12/12/2010 8:13:27 PM | Computer Name = RAJ | Source = Application Error | ID = 1000
    Description = Faulting application vlc.exe, version 0.8.5.0, faulting module libwxwidgets_plugin.dll,
    version 0.0.0.0, fault address 0x0016ec6c.

    Error - 12/13/2010 3:04:55 PM | Computer Name = RAJ | Source = McLogEvent | ID = 259
    Description =

    Error - 12/13/2010 7:44:50 PM | Computer Name = RAJ | Source = Application Error | ID = 1000
    Description = Faulting application vlc.exe, version 0.8.5.0, faulting module libwxwidgets_plugin.dll,
    version 0.0.0.0, fault address 0x0016ec73.

    Error - 12/17/2010 2:41:52 PM | Computer Name = RAJ | Source = Application Error | ID = 1000
    Description = Faulting application divxupdate.exe, version 1.0.1.10, faulting module
    msvcp80.dll, version 8.0.50727.4053, fault address 0x000100b5.

    Error - 12/24/2010 8:30:19 PM | Computer Name = RAJ | Source = Application Error | ID = 1000
    Description = Faulting application itunes.exe, version 9.1.0.79, faulting module
    quicktime.qts, version 7.66.71.0, fault address 0x00104124.

    Error - 1/1/2011 2:31:02 PM | Computer Name = RAJ | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 1/1/2011 2:31:02 PM | Computer Name = RAJ | Source = crypt32 | ID = 131083
    Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
    with error: A required certificate is not within its validity period when verifying
    against the current system clock or the timestamp in the signed file.

    Error - 1/3/2011 12:52:12 AM | Computer Name = RAJ | Source = McLogEvent | ID = 5019
    Description =

    Error - 1/3/2011 12:52:14 AM | Computer Name = RAJ | Source = Application Error | ID = 1000
    Description = Faulting application Mcshield.exe, version 13.3.1.100, faulting module
    unknown, version 0.0.0.0, fault address 0x6eff2d0a.

    Error - 1/3/2011 9:36:57 AM | Computer Name = RAJ | Source = Application Error | ID = 1000
    Description = Faulting application divxupdate.exe, version 1.0.1.10, faulting module
    msvcp80.dll, version 8.0.50727.4053, fault address 0x000100b5.

    [ OSession Events ]
    Error - 9/1/2010 12:24:22 AM | Computer Name = RAJ | Source = Microsoft Office 12 Sessions | ID = 7001
    Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
    12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 38607
    seconds with 17100 seconds of active time. This session ended with a crash.

    [ System Events ]
    Error - 1/2/2011 9:27:32 PM | Computer Name = RAJ | Source = Service Control Manager | ID = 7034
    Description = The McAfee Task Manager service terminated unexpectedly. It has done
    this 1 time(s).

    Error - 1/2/2011 9:27:32 PM | Computer Name = RAJ | Source = Service Control Manager | ID = 7034
    Description = The hpqwmiex service terminated unexpectedly. It has done this 1
    time(s).

    Error - 1/2/2011 9:27:32 PM | Computer Name = RAJ | Source = Service Control Manager | ID = 7034
    Description = The iPod Service service terminated unexpectedly. It has done this
    1 time(s).

    Error - 1/2/2011 9:27:32 PM | Computer Name = RAJ | Source = Service Control Manager | ID = 7034
    Description = The Com4QLBEx service terminated unexpectedly. It has done this 1
    time(s).

    Error - 1/2/2011 9:27:32 PM | Computer Name = RAJ | Source = Service Control Manager | ID = 7031
    Description = The Bluetooth Service service terminated unexpectedly. It has done
    this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
    Restart the service.

    Error - 1/3/2011 12:51:14 AM | Computer Name = RAJ | Source = atapi | ID = 262153
    Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
    period.

    Error - 1/3/2011 1:26:22 AM | Computer Name = RAJ | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.3.100 for the Network Card with network
    address 002655B02641 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
    sent a DHCPNACK message).

    Error - 1/3/2011 12:08:45 PM | Computer Name = RAJ | Source = SideBySide | ID = 16842784
    Description = Dependent Assembly Microsoft.VC90.CRT could not be found and Last
    Error was The referenced assembly is not installed on your system.

    Error - 1/3/2011 12:08:45 PM | Computer Name = RAJ | Source = SideBySide | ID = 16842811
    Description = Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error
    message: The referenced assembly is not installed on your system. .

    Error - 1/3/2011 12:08:45 PM | Computer Name = RAJ | Source = SideBySide | ID = 16842811
    Description = Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\redist.dll.
    Reference
    error message: The operation completed successfully. .


    < End of report >
     
  21. 2011/01/03
    natasha

    natasha Inactive Thread Starter

    Joined:
    2011/01/02
    Messages:
    40
    Likes Received:
    0
    your script was on my paste function.. sorry

    do you want me to send the OTS logs again?
     
