Solved Can't remove Google redirect virus

Discussion in 'Malware and Virus Removal Archive' started by Wilber69, 2011/03/16.

  1. 2011/03/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    .....
     
  2. 2011/03/23
    Wilber69 Lifetime Subscription

    Wilber69 Inactive Thread Starter

    Joined:
    2007/11/20
    Messages:
    111
    Likes Received:
    0
    Sorry, my body is here but my mind isn't as much...

    I think you hit the nail on the head. It doesn't redirect in safe mode.

    Wil
     

  4. 2011/03/23
    broni Moderator Malware Analyst
    Something must be loading in normal mode, which is causing this...

    Try one more thing....

    In normal mode...

    Close IE.
    Go Start>All Programs>Accessories>System Tools, and click on Internet Explorer (no add-ons). Same problem?
     
  5. 2011/03/23
    Wilber69 Inactive Thread Starter
    Yes, same problem. I am going to go through the installed programs and see if there is something weird there.
     
  6. 2011/03/23
    broni Moderator Malware Analyst
    Delete your ComboFix file, download a fresh one and post a new log.
     
  7. 2011/03/23
    Wilber69 Inactive Thread Starter
    ComboFix 11-03-22.09 - Robert 03/23/2011 12:56:05.11.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1021.412 [GMT -5:00]
    Running from: c:\users\Robert\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-23 18:01 . 2011-03-23 18:01 -------- d-----w- c:\users\Robert\AppData\Local\temp
    2011-03-23 18:01 . 2011-03-23 18:01 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-23 18:01 . 2011-03-23 18:01 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2011-03-19 23:21 . 2011-03-19 23:21 -------- d-----w- C:\_OTL
    2011-03-17 17:05 . 2011-03-23 17:58 -------- d-sh--w- C:\DrWeb Quarantine
    2011-03-16 23:25 . 2011-03-16 23:25 -------- d-----w- c:\users\Robert\AppData\Local\Mozilla
    2011-03-14 18:46 . 2011-02-03 12:04 139768 ----a-w- c:\windows\system32\drivers\dwprot.sys
    2011-03-14 18:46 . 2011-01-26 09:45 93944 ----a-w- c:\windows\system32\drivers\spiderg3.sys
    2011-03-14 18:46 . 2011-03-14 18:46 -------- d-----w- c:\programdata\Doctor Web
    2011-03-14 18:46 . 2011-03-23 17:18 -------- d-----w- c:\program files\DrWeb
    2011-03-14 18:46 . 2011-03-14 18:46 -------- d-----w- c:\program files\Common Files\Doctor Web
    2011-03-09 22:11 . 2011-03-09 22:11 -------- d-----w- c:\program files\ESET
    2011-03-09 21:48 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 21:48 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-09 21:48 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 21:48 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-09 21:48 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-09 21:48 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-08 21:21 . 2011-03-08 21:21 -------- d-----w- c:\users\Robert\AppData\Roaming\Malwarebytes
    2011-03-08 21:21 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-08 21:21 . 2011-03-16 19:24 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-08 21:21 . 2011-03-08 21:21 -------- d-----w- c:\programdata\Malwarebytes
    2011-03-08 21:21 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-08 17:27 . 2011-03-08 17:27 -------- d-----w- c:\users\Robert\AppData\Roaming\Windows Live Writer
    2011-03-08 17:27 . 2011-03-08 17:27 -------- d-----w- c:\users\Robert\AppData\Local\Windows Live Writer
    2011-03-07 23:12 . 2011-03-15 15:05 -------- d-----w- c:\users\Robert\DoctorWeb
    2011-03-07 22:56 . 2011-03-07 22:56 -------- d-----w- c:\program files\CCleaner
    2011-03-07 22:30 . 2011-03-07 22:30 -------- d-----w- c:\program files\Common Files\Java
    2011-03-07 20:38 . 2011-03-07 20:38 -------- d-----w- c:\users\Robert\AppData\Roaming\SUPERAntiSpyware.com
    2011-03-07 20:38 . 2011-03-07 20:38 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-02-28 18:26 . 2011-02-28 18:26 52736 --sha-r- c:\users\Robert\AppData\Roaming\dxdiago.dll
    2011-02-27 06:34 . 2011-02-27 06:34 -------- d-----w- c:\windows\Speeditup Free
    2011-02-27 06:33 . 2011-02-27 06:33 9216 ----a-r- c:\users\Robert\AppData\Roaming\Microsoft\Installer\{7426428E-71D4-452C-BA13-B14E5EB52859}\Icon7426428E16.exe
    2011-02-23 20:16 . 2011-02-28 17:40 -------- d-----w- c:\users\Robert\AppData\Local\Tific
    2011-02-23 20:16 . 2011-02-23 20:16 -------- d-----w- c:\users\Robert\AppData\Roaming\Tific
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-08 21:11 . 2010-06-24 17:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-02-03 03:40 . 2011-01-25 17:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-20 16:37 . 2011-02-09 12:20 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-09 12:20 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-09 12:20 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-09 12:20 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08 . 2011-02-09 12:20 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-09 12:20 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07 . 2011-02-09 12:20 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-09 12:20 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-09 12:20 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-09 12:20 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-09 12:20 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-09 12:20 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-09 12:20 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-09 12:20 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-09 12:20 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-09 12:20 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-09 12:20 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-09 12:20 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-01-20 14:24 . 2011-02-09 12:20 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-09 12:20 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-09 12:20 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-09 12:20 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-09 12:20 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-09 12:20 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-09 12:20 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-09 12:20 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-20 13:44 . 2011-02-09 12:20 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-01-20 13:44 . 2011-02-09 12:20 797184 ----a-w- c:\windows\system32\FntCache.dll
    2011-01-13 09:41 . 2011-02-11 07:49 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E6D90D74-4052-45DA-8479-239B9C858584}\mpengine.dll
    2011-01-08 08:47 . 2011-02-09 12:20 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28 . 2011-02-09 12:20 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57 . 2011-02-09 12:20 2039808 ----a-w- c:\windows\system32\win32k.sys
    2010-12-28 15:55 . 2011-01-19 19:34 413696 ----a-w- c:\windows\system32\odbc32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "WindowsWelcomeCenter "= "oobefldr.dll" [2009-04-11 2153472]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "SBQM "= "c:\users\Robert\AppData\Roaming\dxdiago.dll" [2011-02-28 52736]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    "SpIDerAgent "= "c:\program files\DrWeb\SpIDerAgent.exe" [2011-02-03 1477872]
    "SpIDerMail "= "c:\program files\DrWeb\spiderml.exe" [2011-01-26 1572592]
    .
    c:\users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "= 0 (0x0)
    "ConsentPromptBehaviorUser "= 0 (0x0)
    "EnableLUA "= 0 (0x0)
    "EnableUIADesktopToggle "= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "=wdmaud.drv
    .
    R1 SASDIFSV;SASDIFSV;c:\users\Robert\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
    R1 SASKUTIL;SASKUTIL;c:\users\Robert\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
    R2 0324881299610170mcinstcleanup;McAfee Application Installer Cleanup (0324881299610170);c:\users\Robert\AppData\Local\Temp\032488~1.EXE [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-01-08 136176]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
    S0 DwProt;DrWeb Protection;c:\windows\system32\drivers\dwprot.sys [2011-02-03 139768]
    S0 SpiderG3;DrWeb file system scanner;c:\windows\system32\drivers\spiderg3.sys [2011-01-26 93944]
    S2 DrWebEngine;Dr.Web Scanning Engine (DrWebEngine);c:\program files\Common Files\Doctor Web\Scanning Engine\dwengine.exe [2011-02-09 1667416]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-16 369256]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-14 c:\windows\Tasks\Dr.Web Daily scan.job
    - c:\program files\DrWeb\DrWeb32w.exe [2010-03-18 09:51]
    .
    2011-03-23 c:\windows\Tasks\Dr.Web Update.job
    - c:\program files\DrWeb\DrWebUpW.exe [2010-04-07 12:04]
    .
    2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-08 01:01]
    .
    2011-03-23 c:\windows\Tasks\User_Feed_Synchronization-{CC3DDFB0-522C-4689-A671-5BD8A129D0D2}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    LSP: c:\program files\DrWeb\drwebsp.dll
    FF - ProfilePath - c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\6c8ms2sn.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-23 13:01
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    "ImagePath "= "system32\drivers\dwprot.sys "
    "Name "= "ImagePath "
    "ImagePath "= "system32\drivers\dwprot.sys "
    "Name "= "ImagePath "
    "Name "= "ImagePath "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3692)
    c:\program files\DrWeb\drwebsp.dll
    .
    Completion time: 2011-03-23 13:03:20
    ComboFix-quarantined-files.txt 2011-03-23 18:03
    ComboFix2.txt 2011-03-17 17:12
    ComboFix3.txt 2011-03-16 22:09
    ComboFix4.txt 2011-03-16 16:35
    ComboFix5.txt 2011-03-23 17:54
    .
    Pre-Run: 269,501,890,560 bytes free
    Post-Run: 269,477,974,016 bytes free
    .
    - - End Of File - - 69F6A5CCA93828F94BA9912764C2AF82
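Triage logic for the autostart entries in ComboFix and OTL logs like the ones posted in this thread, as an added example (not code from ComboFix, OTL or this forum). It assumes the line formats seen in these logs, copies a few of the thread's own lines as a constructed sample, and only ranks Run-key entries for a reviewer to inspect; the heuristic names (`USER_WRITABLE_MARKERS`, `triage`) are the example's own.

```python
"""Triage autostart entries from ComboFix and OTL logs.

Added example for this thread; not code from ComboFix, OTL or the forum.
Flags Run-key entries a reviewer should inspect first (a flag is a prompt
to look at the file, not a verdict): target in a user-writable profile
directory, no company name (OTL), or hidden/system attributes (ComboFix).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# ComboFix "Reg Loading Points" value, e.g.
#   "SBQM "= "c:\users\Robert\AppData\Roaming\dxdiago.dll" [2011-02-28 52736]
# The \s* before each closing quote tolerates the stray spaces pasted logs carry.
COMBOFIX_RUN_RE = re.compile(
    r'^"(?P<name>[^"]*?)\s*"\s*=\s*"(?P<path>[^"]*?)\s*"\s*'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
# ComboFix file listing line: "<created> . <modified> <size|--------> <attrs> <path>"
COMBOFIX_FILE_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+'
    r'(?:\d+|-{8})\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$')
COMBOFIX_KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# OTL O4 line, e.g.  O4 - HKCU..\Run: [SBQM] C:\Users\Robert\AppData\Roaming\dxdiago.dll ()
OTL_O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)$')
# Directories an unprivileged user can write to; legitimate autoruns rarely live there.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

@dataclass
class AutorunEntry:
    source: str                    # "combofix" or "otl"
    key: str                       # registry key / hive the value was read from
    name: str
    path: str
    company: Optional[str] = None  # only OTL prints the file's company name

@dataclass
class Finding:
    entry: AutorunEntry
    reasons: List[str] = field(default_factory=list)

def parse_combofix(lines: Iterable[str]) -> Tuple[List[AutorunEntry], Dict[str, str]]:
    """Return Run-key entries and {lowercased path: attribute string} from ComboFix lines."""
    entries: List[AutorunEntry] = []
    attrs: Dict[str, str] = {}
    key = ""
    for raw in lines:
        line = raw.strip()
        if m := COMBOFIX_KEY_RE.match(line):
            key = m["key"]                  # values that follow belong to this key
        elif m := COMBOFIX_FILE_RE.match(line):
            attrs[m["path"].lower()] = m["attrs"]
        elif key.lower().endswith("\\run") and (m := COMBOFIX_RUN_RE.match(line)):
            entries.append(AutorunEntry("combofix", key, m["name"], m["path"]))
    return entries, attrs

def parse_otl(lines: Iterable[str]) -> List[AutorunEntry]:
    """Return Run-key entries from OTL 'O4' lines."""
    return [AutorunEntry("otl", m["hive"], m["name"], m["path"], m["company"])
            for raw in lines if (m := OTL_O4_RE.match(raw.strip()))]

def triage(entries: Iterable[AutorunEntry], attrs: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Attach a reason list to every entry that trips at least one heuristic."""
    attrs = attrs or {}
    findings: List[Finding] = []
    for e in entries:
        low, reasons = e.path.lower(), []
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("target lives in a user-writable profile directory")
        if e.company is not None and not e.company.strip():
            reasons.append("file carries no company name")
        file_attrs = attrs.get(low, "")
        if "h" in file_attrs or "s" in file_attrs:
            reasons.append(f"target has hidden/system attributes ({file_attrs})")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings

# Constructed samples: a handful of lines copied from the ComboFix and OTL logs in this thread.
SAMPLE_COMBOFIX = r"""
2011-03-14 18:46 . 2011-02-03 12:04 139768 ----a-w- c:\windows\system32\drivers\dwprot.sys
2011-02-28 18:26 . 2011-02-28 18:26 52736 --sha-r- c:\users\Robert\AppData\Roaming\dxdiago.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"SBQM "= "c:\users\Robert\AppData\Roaming\dxdiago.dll" [2011-02-28 52736]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpIDerAgent "= "c:\program files\DrWeb\SpIDerAgent.exe" [2011-02-03 1477872]
"""
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [SpIDerAgent] C:\Program Files\DrWeb\SpIDerAgent.exe (Doctor Web, Ltd.)
O4 - HKCU..\Run: [SBQM] C:\Users\Robert\AppData\Roaming\dxdiago.dll ()
O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
"""

if __name__ == "__main__":
    cf_entries, cf_attrs = parse_combofix(SAMPLE_COMBOFIX.splitlines())
    for f in triage(cf_entries, cf_attrs) + triage(parse_otl(SAMPLE_OTL.splitlines())):
        print(f"{f.entry.source}: {f.entry.key} [{f.entry.name}] {f.entry.path}")
        for r in f.reasons:
            print("    -", r)
```

Feed it the full log text instead of the sample and it cross-references every Run value against the file listing, so an entry whose file sits in a profile directory with hidden/system attributes stands out even when the rest of the log reads clean.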
     
  8. 2011/03/23
    broni Moderator Malware Analyst
    Looks clean.

    One question...
    I believe you're using Dr.Web as your security program?
    Now, I can see MSE running, but you still have some Dr.Web leftovers.
    What's the deal there?

    Re-run OTL "Quick scan" (no custom script) and post fresh log.
    Only one log will show up.
     
  9. 2011/03/23
    Wilber69 Inactive Thread Starter
    Waiting for OTL to finish.

    It's actually the opposite. I am running Dr.Web but MSE was uninstalled. I saw the warnings when I started ComboFix too. I looked for any signs of MSE but can't find any.

    OTL scan:

    OTL logfile created on: 3/23/2011 1:30:47 PM - Run 2
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Robert\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19019)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,021.00 Mb Total Physical Memory | 328.00 Mb Available Physical Memory | 32.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 71.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 291.25 Gb Total Space | 251.01 Gb Free Space | 86.18% Space Free | Partition Type: NTFS
    Drive D: | 5.37 Gb Total Space | 2.44 Gb Free Space | 45.39% Space Free | Partition Type: NTFS
    Drive F: | 1.86 Gb Total Space | 0.28 Gb Free Space | 15.03% Space Free | Partition Type: FAT

    Computer Name: ROBERT-PC | User Name: Robert | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/03/19 06:53:13 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Desktop\OTL.exe
    PRC - [2011/02/09 07:26:55 | 001,667,416 | ---- | M] (Doctor Web, Ltd.) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe
    PRC - [2011/02/03 07:04:52 | 001,477,872 | ---- | M] (Doctor Web, Ltd.) -- C:\Program Files\DrWeb\spideragent.exe
    PRC - [2011/01/26 04:45:54 | 001,572,592 | ---- | M] (Doctor Web, Ltd.) -- C:\Program Files\DrWeb\spiderml.exe
    PRC - [2010/10/16 13:42:12 | 000,792,680 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    PRC - [2010/10/16 12:46:40 | 000,369,256 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/03/19 06:53:13 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Desktop\OTL.exe
    MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (0324881299610170mcinstcleanup) McAfee Application Installer Cleanup (0324881299610170)
    SRV - [2011/02/09 07:26:55 | 001,667,416 | ---- | M] (Doctor Web, Ltd.) [Auto | Running] -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe -- (DrWebEngine) Dr.Web Scanning Engine (DrWebEngine)
    SRV - [2010/10/16 12:46:40 | 000,369,256 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
    DRV - [2011/02/03 07:04:50 | 000,139,768 | ---- | M] (Doctor Web, Ltd.) [File_System | Boot | Running] -- C:\Windows\system32\drivers\dwprot.sys -- (DwProt)
    DRV - [2011/01/26 04:45:53 | 000,093,944 | ---- | M] (Doctor Web, Ltd.) [File_System | Boot | Running] -- C:\Windows\system32\drivers\spiderg3.sys -- (SpiderG3)
    DRV - [2010/10/16 13:55:00 | 010,084,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2D D4 22 90 87 E9 CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/16 18:25:39 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/16 18:25:32 | 000,000,000 | ---D | M]

    [2011/03/16 18:25:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Robert\AppData\Roaming\mozilla\Extensions
    [2011/03/17 10:04:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Robert\AppData\Roaming\mozilla\Firefox\Profiles\6c8ms2sn.default\extensions
    [2011/03/17 10:04:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Robert\AppData\Roaming\mozilla\Firefox\Profiles\6c8ms2sn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/03/16 18:25:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

    O1 HOSTS File: ([2011/03/08 14:49:43 | 000,000,002 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [SpIDerAgent] C:\Program Files\DrWeb\SpIDerAgent.exe (Doctor Web, Ltd.)
    O4 - HKLM..\Run: [SpIDerMail] C:\Program Files\DrWeb\spiderml.exe (Doctor Web, Ltd.)
    O4 - HKCU..\Run: [SBQM] C:\Users\Robert\AppData\Roaming\dxdiago.dll ()
    O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/03/23 13:03:22 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/03/23 13:03:22 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\temp
    [2011/03/23 13:02:38 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/03/23 12:53:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2011/03/19 18:28:52 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Robert\Desktop\TFC.exe
    [2011/03/19 18:21:01 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/03/19 17:48:42 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Robert\Desktop\OTL.exe
    [2011/03/17 12:05:34 | 000,000,000 | -HSD | C] -- C:\DrWeb Quarantine
    [2011/03/16 18:25:38 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Mozilla
    [2011/03/16 18:25:38 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\Mozilla
    [2011/03/16 18:25:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox
    [2011/03/16 18:25:30 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
    [2011/03/16 14:44:29 | 000,000,000 | ---D | C] -- C:\Users\Robert\Desktop\gmer
    [2011/03/14 13:46:50 | 000,139,768 | ---- | C] (Doctor Web, Ltd.) -- C:\Windows\System32\drivers\dwprot.sys
    [2011/03/14 13:46:44 | 000,093,944 | ---- | C] (Doctor Web, Ltd.) -- C:\Windows\System32\drivers\spiderg3.sys
    [2011/03/14 13:46:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dr.Web
    [2011/03/14 13:46:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Doctor Web
    [2011/03/14 13:46:16 | 000,000,000 | ---D | C] -- C:\Program Files\DrWeb
    [2011/03/14 13:46:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Doctor Web
    [2011/03/14 13:41:08 | 000,000,000 | ---D | C] -- C:\Users\Robert\Documents\tdsskiller[1]
    [2011/03/09 17:11:55 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2011/03/08 16:59:45 | 000,000,000 | ---D | C] -- C:\Users\Robert\Desktop\GooredFix Backups
    [2011/03/08 16:21:26 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Malwarebytes
    [2011/03/08 16:21:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/03/08 16:21:22 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2011/03/08 16:21:21 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/03/08 16:21:21 | 000,000,000 | -H-D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/03/08 16:21:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/03/08 14:47:32 | 000,000,000 | ---D | C] -- C:\Users\Robert\Documents\OneNote Notebooks
    [2011/03/08 13:46:17 | 000,000,000 | ---D | C] -- C:\Users\Robert\Desktop\tdsskiller
    [2011/03/08 12:27:04 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Windows Live Writer
    [2011/03/08 12:27:04 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\Windows Live Writer
    [2011/03/08 11:28:45 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/03/08 11:28:45 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/03/08 11:28:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/03/08 11:27:36 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/03/08 11:27:09 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/03/07 18:12:22 | 000,000,000 | ---D | C] -- C:\Users\Robert\DoctorWeb
    [2011/03/07 17:56:17 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner
    [2011/03/07 17:56:16 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2011/03/07 17:31:41 | 000,000,000 | ---D | C] -- C:\Windows\pss
    [2011/03/07 17:30:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2011/03/07 15:38:59 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\SUPERAntiSpyware.com
    [2011/03/07 15:38:59 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
    [2011/03/02 13:04:46 | 000,000,000 | R--D | C] -- C:\Users\Robert\Documents\New Briefcase
    [2011/03/02 11:45:38 | 001,374,808 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Robert\Desktop\TDSSKiller.exe
    [2011/02/27 01:34:02 | 000,000,000 | ---D | C] -- C:\Windows\Speeditup Free
    [2011/02/23 15:16:54 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Tific
    [2011/02/23 15:16:54 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\Tific

    ========== Files - Modified Within 30 Days ==========

    [2011/03/23 13:31:38 | 000,000,394 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{CC3DDFB0-522C-4689-A671-5BD8A129D0D2}.job
    [2011/03/23 13:16:20 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\Dr.Web Update.job
    [2011/03/23 12:54:06 | 000,606,420 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/03/23 12:54:06 | 000,104,430 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/03/23 12:51:02 | 004,300,354 | R--- | M] () -- C:\Users\Robert\Desktop\ComboFix.exe
    [2011/03/23 12:46:17 | 000,001,356 | ---- | M] () -- C:\Users\Robert\AppData\Local\d3d9caps.dat
    [2011/03/23 12:46:11 | 000,004,112 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/03/23 12:46:11 | 000,004,112 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/03/23 12:46:07 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/03/23 12:45:57 | 1071,099,904 | -HS- | M] () -- C:\hiberfil.sys
    [2011/03/19 18:28:23 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Desktop\TFC.exe
    [2011/03/19 18:22:21 | 000,879,028 | ---- | M] () -- C:\Users\Robert\Desktop\SecurityCheck.exe
    [2011/03/19 06:53:13 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Desktop\OTL.exe
    [2011/03/18 20:19:41 | 000,133,632 | ---- | M] () -- C:\Users\Robert\Desktop\RKUnhookerLE.EXE
    [2011/03/16 18:25:42 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
    [2011/03/16 18:25:36 | 000,001,753 | ---- | M] () -- C:\Users\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2011/03/16 18:25:36 | 000,001,729 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2011/03/16 16:29:58 | 000,625,664 | ---- | M] () -- C:\Users\Robert\Desktop\dds.scr
    [2011/03/16 16:22:08 | 000,080,384 | ---- | M] () -- C:\Users\Robert\Desktop\MBRCheck.exe
    [2011/03/15 10:51:12 | 001,263,721 | ---- | M] () -- C:\Users\Robert\Desktop\tdsskiller.zip
    [2011/03/14 14:29:32 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\Dr.Web Daily scan.job
    [2011/03/14 13:46:37 | 000,000,824 | ---- | M] () -- C:\Users\Public\Desktop\Dr.Web Scanner.lnk
    [2011/03/08 14:49:43 | 000,000,002 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/03/08 14:47:44 | 000,003,656 | -HS- | M] () -- C:\Windows\System32\drivers\etc\OneNote Table Of Contents.onetoc2
    [2011/03/08 14:47:31 | 000,001,116 | ---- | M] () -- C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    [2011/03/07 17:57:11 | 000,079,184 | ---- | M] () -- C:\Users\Robert\Documents\cc_20110307_165708.reg
    [2011/03/07 17:56:17 | 000,000,809 | ---- | M] () -- C:\Users\Robert\Desktop\CCleaner.lnk
    [2011/03/03 15:35:10 | 000,288,107 | ---- | M] () -- C:\Users\Robert\Desktop\gmer.zip
    [2011/03/02 13:48:39 | 000,000,948 | ---- | M] () -- C:\Users\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/03/02 13:06:02 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2011/03/02 13:05:14 | 000,005,632 | ---- | M] () -- C:\Users\Robert\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/03/02 11:45:38 | 001,374,808 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Robert\Desktop\TDSSKiller.exe
    [2011/02/28 13:26:57 | 000,052,736 | RHS- | M] () -- C:\Users\Robert\AppData\Roaming\dxdiago.dll
    [2011/02/27 01:33:16 | 000,001,745 | ---- | M] () -- C:\Users\Robert\Desktop\Create Your Own Video Screensaver!.lnk

    ========== Files Created - No Company Name ==========

    [2011/03/23 12:53:14 | 004,300,354 | R--- | C] () -- C:\Users\Robert\Desktop\ComboFix.exe
    [2011/03/23 12:36:14 | 1071,099,904 | -HS- | C] () -- C:\hiberfil.sys
    [2011/03/19 18:23:56 | 000,879,028 | ---- | C] () -- C:\Users\Robert\Desktop\SecurityCheck.exe
    [2011/03/18 20:20:25 | 000,133,632 | ---- | C] () -- C:\Users\Robert\Desktop\RKUnhookerLE.EXE
    [2011/03/16 18:25:42 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2011/03/16 18:25:36 | 000,001,753 | ---- | C] () -- C:\Users\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2011/03/16 18:25:36 | 000,001,729 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2011/03/16 16:30:26 | 000,625,664 | ---- | C] () -- C:\Users\Robert\Desktop\dds.scr
    [2011/03/16 16:22:36 | 000,080,384 | ---- | C] () -- C:\Users\Robert\Desktop\MBRCheck.exe
    [2011/03/16 14:44:24 | 000,288,107 | ---- | C] () -- C:\Users\Robert\Desktop\gmer.zip
    [2011/03/14 13:46:48 | 000,000,288 | ---- | C] () -- C:\Windows\tasks\Dr.Web Daily scan.job
    [2011/03/14 13:46:45 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\Dr.Web Update.job
    [2011/03/14 13:46:37 | 000,000,824 | ---- | C] () -- C:\Users\Public\Desktop\Dr.Web Scanner.lnk
    [2011/03/09 16:45:27 | 001,263,721 | ---- | C] () -- C:\Users\Robert\Desktop\tdsskiller.zip
    [2011/03/08 14:47:31 | 000,001,116 | ---- | C] () -- C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    [2011/03/08 11:28:45 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/03/08 11:28:45 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/03/08 11:28:45 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/03/08 11:28:45 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/03/08 11:28:45 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/03/07 18:06:58 | 000,001,977 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    [2011/03/07 17:57:10 | 000,079,184 | ---- | C] () -- C:\Users\Robert\Documents\cc_20110307_165708.reg
    [2011/03/07 17:56:17 | 000,000,809 | ---- | C] () -- C:\Users\Robert\Desktop\CCleaner.lnk
    [2011/03/02 11:09:02 | 000,000,394 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{CC3DDFB0-522C-4689-A671-5BD8A129D0D2}.job
    [2011/02/28 13:26:57 | 000,052,736 | RHS- | C] () -- C:\Users\Robert\AppData\Roaming\dxdiago.dll
    [2011/02/27 01:33:16 | 000,001,745 | ---- | C] () -- C:\Users\Robert\Desktop\Create Your Own Video Screensaver!.lnk
    [2011/02/05 23:47:01 | 000,005,632 | ---- | C] () -- C:\Users\Robert\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/02/01 14:07:54 | 000,000,552 | ---- | C] () -- C:\Users\Robert\AppData\Local\d3d8caps.dat
    [2011/01/20 18:48:08 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2011/01/20 18:48:07 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2011/01/06 17:30:14 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2011/01/06 16:07:08 | 000,001,356 | ---- | C] () -- C:\Users\Robert\AppData\Local\d3d9caps.dat
    [2010/01/13 21:41:00 | 000,309,248 | ---- | C] () -- C:\Windows\System32\sqlite36_engine.dll
    [2010/01/13 21:38:00 | 000,023,552 | ---- | C] () -- C:\Windows\System32\DirectCOM.dll
    [2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 07:47:37 | 000,264,480 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 05:33:01 | 000,606,420 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 05:33:01 | 000,104,430 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2011/02/13 00:31:56 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\com.w3i.intune
    [2011/02/09 00:40:34 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\FreeFileViewer
    [2011/02/04 08:44:07 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Image Zone Express
    [2011/02/05 23:45:57 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\MusicNet
    [2011/02/04 08:44:07 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Printer Info Cache
    [2011/01/15 22:35:47 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\RegistryKeys
    [2011/02/23 15:16:54 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Tific
    [2011/03/08 12:27:04 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Windows Live Writer
    [2011/03/14 14:29:32 | 000,000,288 | ---- | M] () -- C:\Windows\Tasks\Dr.Web Daily scan.job
    [2011/03/23 13:16:20 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\Dr.Web Update.job
    [2011/03/23 12:45:09 | 000,030,178 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2011/03/23 13:31:38 | 000,000,394 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{CC3DDFB0-522C-4689-A671-5BD8A129D0D2}.job

    ========== Purity Check ==========



    < End of report >
     
  10. 2011/03/23
    broni (Moderator, Malware Analyst)
    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- -- (0324881299610170mcinstcleanup) McAfee Application Installer Cleanup (0324881299610170)
      O4 - HKCU..\Run: [SBQM] C:\Users\Robert\AppData\Roaming\dxdiago.dll ()
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [2011/02/28 13:26:57 | 000,052,736 | RHS- | M] () -- C:\Users\Robert\AppData\Roaming\dxdiago.dll
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply. Only one log will be created.
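The fix above is built from four OTL line shapes: a service whose binary is gone, an HKCU Run value loading a file with no company name out of the user profile, a ShellExecuteHooks CLSID that does not resolve, and a Read-only+Hidden+System file sitting in AppData. As an added example (not part of this thread and not OTL's own code), the short Python script below parses those line shapes and flags the same patterns, so the triage can be repeated on another OTL log. It assumes only the line formats that appear in the logs posted here; any other OTL line is skipped rather than guessed at. The sample lines are copied from the logs in this thread, with two benign lines (OTL.exe itself and hiberfil.sys) included to show they are not flagged.

```python
"""Triage helper for OTL log lines (added example; not part of this thread
and not OTL's own code). It recognises the four line shapes the OTL fix above
acted on and flags the same patterns. Assumption: the regexes cover only the
line shapes seen in the logs in this thread; other OTL lines are ignored."""
import re
from dataclasses import dataclass

# "[date time | size | attrs | M/C] (Company) -- path"; the "(Company)" part
# is absent on directory lines, so it is optional here.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# "O4 - HKCU..\Run: [ValueName] path (Company)"; OTL prints an empty "()"
# when the binary carries no company name.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<path>.+?)(?: \((?P<company>[^)]*)\))?$"
)
HOOK_RE = re.compile(
    r"^O28 - HKLM ShellExecuteHooks: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.+)$"
)
SRV_MISSING_RE = re.compile(r"^SRV - File not found .*?\((?P<svc>[^)]+)\)")

# Directories an unprivileged user can write to (Vista profiles live in \Users\).
USER_PROFILE_MARKERS = ("\\users\\", "\\documents and settings\\")


@dataclass
class Finding:
    kind: str     # "service", "run", "hook" or "file"
    subject: str  # service name, Run value name, CLSID or file path
    reason: str
    line: str


def in_user_profile(path: str) -> bool:
    """True when the path lies under a user profile (writable without admin)."""
    low = path.lower()
    return any(marker in low for marker in USER_PROFILE_MARKERS)


def triage(lines):
    """Return the Finding list for the OTL lines given, in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := SRV_MISSING_RE.match(line):
            # Registered service whose binary is gone: a leftover either way.
            findings.append(Finding("service", m["svc"],
                                    "service registered but its file is missing", line))
        elif m := RUN_RE.match(line):
            path, company = m["path"], m["company"]
            # Autostart from a user-writable directory with no company name is
            # exactly the SBQM entry the fix removed.
            if in_user_profile(path) and not company:
                findings.append(Finding("run", m["name"],
                                        f"{m['hive']} Run entry loads {path} (no company name)", line))
        elif m := HOOK_RE.match(line):
            rest = m["rest"]
            # ShellExecuteHooks run inside every ShellExecute call; a CLSID that
            # does not resolve is a dead remnant or a hook OTL could not read.
            if "File not found" in rest or "Reg Error" in rest:
                findings.append(Finding("hook", m["clsid"], f"hook does not resolve: {rest}", line))
        elif m := FILE_RE.match(line):
            attrs, path, company = m["attrs"], m["path"], m["company"] or ""
            # Hidden+System on a loose file inside a profile hides it from
            # Explorer's default view; legitimate software rarely does that.
            if "H" in attrs and "S" in attrs and "D" not in attrs and in_user_profile(path):
                findings.append(Finding("file", path,
                                        f"attributes {attrs}, company '{company or 'none'}'", line))
    return findings


# Sample input: lines copied from the OTL logs posted in this thread, plus two
# benign ones (OTL.exe itself and hiberfil.sys) that must not be flagged.
SAMPLE_LINES = [
    r"SRV - File not found [Auto | Stopped] -- -- (0324881299610170mcinstcleanup) McAfee Application Installer Cleanup (0324881299610170)",
    r"O4 - HKLM..\Run: [SpIDerAgent] C:\Program Files\DrWeb\SpIDerAgent.exe (Doctor Web, Ltd.)",
    r"O4 - HKCU..\Run: [SBQM] C:\Users\Robert\AppData\Roaming\dxdiago.dll ()",
    r"O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found",
    r"[2011/03/19 06:53:13 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Desktop\OTL.exe",
    r"[2011/03/23 12:45:57 | 1071,099,904 | -HS- | M] () -- C:\hiberfil.sys",
    r"[2011/02/28 13:26:57 | 000,052,736 | RHS- | M] () -- C:\Users\Robert\AppData\Roaming\dxdiago.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:8} {f.subject}: {f.reason}")
```

Run it against a saved OTL report with `triage(open("OTL.Txt").read().splitlines())`; the rules are deliberately narrow (user-profile location plus missing company name, or a hook/service that no longer resolves) so that files like hiberfil.sys, which is Hidden+System at the drive root, are not reported.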
     
  11. 2011/03/23
    Wilber69 (Lifetime Subscription, Inactive, Thread Starter)
    All processes killed
    ========== OTL ==========
    Error: No service named 0324881299610170mcinstcleanup) McAfee Application Installer Cleanup (0324881299610170 was found to stop!
    Service\Driver key 0324881299610170mcinstcleanup) McAfee Application Installer Cleanup (0324881299610170 not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\SBQM deleted successfully.
    C:\Users\Robert\AppData\Roaming\dxdiago.dll moved successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    File C:\Users\Robert\AppData\Roaming\dxdiago.dll not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Robert
    ->Temp folder emptied: 380 bytes
    ->Temporary Internet Files folder emptied: 699312 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 4179997 bytes
    ->Flash cache emptied: 892 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 5.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Robert
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTL by OldTimer - Version 3.2.22.3 log created on 03232011_135741

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  12. 2011/03/23
    broni (Moderator, Malware Analyst)
    How is redirection now?

     
  13. 2011/03/23
    Wilber69 (Lifetime Subscription, Inactive, Thread Starter)
    OTL logfile created on: 3/23/2011 2:07:11 PM - Run 3
    OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Robert\Desktop
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.19019)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,021.00 Mb Total Physical Memory | 299.00 Mb Available Physical Memory | 29.00% Memory free
    2.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 291.25 Gb Total Space | 250.88 Gb Free Space | 86.14% Space Free | Partition Type: NTFS
    Drive D: | 5.37 Gb Total Space | 2.44 Gb Free Space | 45.39% Space Free | Partition Type: NTFS
    Drive F: | 1.86 Gb Total Space | 0.28 Gb Free Space | 15.03% Space Free | Partition Type: FAT

    Computer Name: ROBERT-PC | User Name: Robert | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/03/19 06:53:13 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Desktop\OTL.exe
    PRC - [2011/02/09 07:26:55 | 001,667,416 | ---- | M] (Doctor Web, Ltd.) -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe
    PRC - [2011/02/03 07:04:52 | 001,477,872 | ---- | M] (Doctor Web, Ltd.) -- C:\Program Files\DrWeb\spideragent.exe
    PRC - [2011/01/26 04:45:54 | 001,572,592 | ---- | M] (Doctor Web, Ltd.) -- C:\Program Files\DrWeb\spiderml.exe
    PRC - [2010/10/16 13:42:12 | 000,792,680 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
    PRC - [2010/10/16 12:46:40 | 000,369,256 | ---- | M] (NVIDIA Corporation) -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/03/19 06:53:13 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Desktop\OTL.exe
    MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (0324881299610170mcinstcleanup) McAfee Application Installer Cleanup (0324881299610170)
    SRV - [2011/02/09 07:26:55 | 001,667,416 | ---- | M] (Doctor Web, Ltd.) [Auto | Running] -- C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe -- (DrWebEngine) Dr.Web Scanning Engine (DrWebEngine)
    SRV - [2010/10/16 12:46:40 | 000,369,256 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/02/03 07:04:50 | 000,139,768 | ---- | M] (Doctor Web, Ltd.) [File_System | Boot | Running] -- C:\Windows\system32\drivers\dwprot.sys -- (DwProt)
    DRV - [2011/01/26 04:45:53 | 000,093,944 | ---- | M] (Doctor Web, Ltd.) [File_System | Boot | Running] -- C:\Windows\system32\drivers\spiderg3.sys -- (SpiderG3)
    DRV - [2010/10/16 13:55:00 | 010,084,360 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2D D4 22 90 87 E9 CB 01 [binary data]
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========


    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/16 18:25:39 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/16 18:25:32 | 000,000,000 | ---D | M]

    [2011/03/16 18:25:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Robert\AppData\Roaming\mozilla\Extensions
    [2011/03/17 10:04:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Robert\AppData\Roaming\mozilla\Firefox\Profiles\6c8ms2sn.default\extensions
    [2011/03/17 10:04:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Robert\AppData\Roaming\mozilla\Firefox\Profiles\6c8ms2sn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/03/16 18:25:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

    O1 HOSTS File: ([2011/03/23 13:57:47 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [SpIDerAgent] C:\Program Files\DrWeb\SpIDerAgent.exe (Doctor Web, Ltd.)
    O4 - HKLM..\Run: [SpIDerMail] C:\Program Files\DrWeb\spiderml.exe (Doctor Web, Ltd.)
    O4 - HKCU..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\DrWeb\drwebsp.dll (Doctor Web, Ltd.)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/03/23 13:03:22 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2011/03/23 13:03:22 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\temp
    [2011/03/23 13:02:38 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/03/23 12:53:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2011/03/19 18:28:52 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\Robert\Desktop\TFC.exe
    [2011/03/19 18:21:01 | 000,000,000 | ---D | C] -- C:\_OTL
    [2011/03/19 17:48:42 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Robert\Desktop\OTL.exe
    [2011/03/17 12:05:34 | 000,000,000 | -HSD | C] -- C:\DrWeb Quarantine
    [2011/03/16 18:25:38 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Mozilla
    [2011/03/16 18:25:38 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\Mozilla
    [2011/03/16 18:25:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox
    [2011/03/16 18:25:30 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
    [2011/03/16 14:44:29 | 000,000,000 | ---D | C] -- C:\Users\Robert\Desktop\gmer
    [2011/03/14 13:46:50 | 000,139,768 | ---- | C] (Doctor Web, Ltd.) -- C:\Windows\System32\drivers\dwprot.sys
    [2011/03/14 13:46:44 | 000,093,944 | ---- | C] (Doctor Web, Ltd.) -- C:\Windows\System32\drivers\spiderg3.sys
    [2011/03/14 13:46:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dr.Web
    [2011/03/14 13:46:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Doctor Web
    [2011/03/14 13:46:16 | 000,000,000 | ---D | C] -- C:\Program Files\DrWeb
    [2011/03/14 13:46:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Doctor Web
    [2011/03/14 13:41:08 | 000,000,000 | ---D | C] -- C:\Users\Robert\Documents\tdsskiller[1]
    [2011/03/09 17:11:55 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2011/03/08 16:59:45 | 000,000,000 | ---D | C] -- C:\Users\Robert\Desktop\GooredFix Backups
    [2011/03/08 16:21:26 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Malwarebytes
    [2011/03/08 16:21:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/03/08 16:21:22 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2011/03/08 16:21:21 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/03/08 16:21:21 | 000,000,000 | -H-D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/03/08 16:21:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/03/08 14:47:32 | 000,000,000 | ---D | C] -- C:\Users\Robert\Documents\OneNote Notebooks
    [2011/03/08 13:46:17 | 000,000,000 | ---D | C] -- C:\Users\Robert\Desktop\tdsskiller
    [2011/03/08 12:27:04 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Windows Live Writer
    [2011/03/08 12:27:04 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\Windows Live Writer
    [2011/03/08 11:28:45 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/03/08 11:28:45 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/03/08 11:28:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/03/08 11:27:36 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/03/08 11:27:09 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/03/07 18:12:22 | 000,000,000 | ---D | C] -- C:\Users\Robert\DoctorWeb
    [2011/03/07 17:56:17 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CCleaner
    [2011/03/07 17:56:16 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
    [2011/03/07 17:31:41 | 000,000,000 | ---D | C] -- C:\Windows\pss
    [2011/03/07 17:30:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
    [2011/03/07 15:38:59 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\SUPERAntiSpyware.com
    [2011/03/07 15:38:59 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
    [2011/03/02 13:04:46 | 000,000,000 | R--D | C] -- C:\Users\Robert\Documents\New Briefcase
    [2011/03/02 11:45:38 | 001,374,808 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Robert\Desktop\TDSSKiller.exe
    [2011/02/27 01:34:02 | 000,000,000 | ---D | C] -- C:\Windows\Speeditup Free
    [2011/02/23 15:16:54 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Roaming\Tific
    [2011/02/23 15:16:54 | 000,000,000 | ---D | C] -- C:\Users\Robert\AppData\Local\Tific

    ========== Files - Modified Within 30 Days ==========

    [2011/03/23 14:09:29 | 000,000,394 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{CC3DDFB0-522C-4689-A671-5BD8A129D0D2}.job
    [2011/03/23 14:04:09 | 000,004,112 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/03/23 14:04:09 | 000,004,112 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/03/23 14:03:57 | 000,001,356 | ---- | M] () -- C:\Users\Robert\AppData\Local\d3d9caps.dat
    [2011/03/23 14:03:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/03/23 14:03:44 | 1071,095,808 | -HS- | M] () -- C:\hiberfil.sys
    [2011/03/23 13:57:47 | 000,000,098 | ---- | M] () -- C:\Windows\System32\drivers\etc\Hosts
    [2011/03/23 13:46:09 | 000,000,346 | ---- | M] () -- C:\Windows\tasks\Dr.Web Update.job
    [2011/03/23 12:54:06 | 000,606,420 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/03/23 12:54:06 | 000,104,430 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/03/23 12:51:02 | 004,300,354 | R--- | M] () -- C:\Users\Robert\Desktop\ComboFix.exe
    [2011/03/19 18:28:23 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Desktop\TFC.exe
    [2011/03/19 18:22:21 | 000,879,028 | ---- | M] () -- C:\Users\Robert\Desktop\SecurityCheck.exe
    [2011/03/19 06:53:13 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Robert\Desktop\OTL.exe
    [2011/03/18 20:19:41 | 000,133,632 | ---- | M] () -- C:\Users\Robert\Desktop\RKUnhookerLE.EXE
    [2011/03/16 18:25:42 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
    [2011/03/16 18:25:36 | 000,001,753 | ---- | M] () -- C:\Users\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2011/03/16 18:25:36 | 000,001,729 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2011/03/16 16:29:58 | 000,625,664 | ---- | M] () -- C:\Users\Robert\Desktop\dds.scr
    [2011/03/16 16:22:08 | 000,080,384 | ---- | M] () -- C:\Users\Robert\Desktop\MBRCheck.exe
    [2011/03/15 10:51:12 | 001,263,721 | ---- | M] () -- C:\Users\Robert\Desktop\tdsskiller.zip
    [2011/03/14 14:29:32 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\Dr.Web Daily scan.job
    [2011/03/14 13:46:37 | 000,000,824 | ---- | M] () -- C:\Users\Public\Desktop\Dr.Web Scanner.lnk
    [2011/03/08 14:47:44 | 000,003,656 | -HS- | M] () -- C:\Windows\System32\drivers\etc\OneNote Table Of Contents.onetoc2
    [2011/03/08 14:47:31 | 000,001,116 | ---- | M] () -- C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    [2011/03/07 17:57:11 | 000,079,184 | ---- | M] () -- C:\Users\Robert\Documents\cc_20110307_165708.reg
    [2011/03/07 17:56:17 | 000,000,809 | ---- | M] () -- C:\Users\Robert\Desktop\CCleaner.lnk
    [2011/03/03 15:35:10 | 000,288,107 | ---- | M] () -- C:\Users\Robert\Desktop\gmer.zip
    [2011/03/02 13:48:39 | 000,000,948 | ---- | M] () -- C:\Users\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/03/02 13:06:02 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
    [2011/03/02 13:05:14 | 000,005,632 | ---- | M] () -- C:\Users\Robert\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/03/02 11:45:38 | 001,374,808 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Robert\Desktop\TDSSKiller.exe
    [2011/02/27 01:33:16 | 000,001,745 | ---- | M] () -- C:\Users\Robert\Desktop\Create Your Own Video Screensaver!.lnk

    ========== Files Created - No Company Name ==========

    [2011/03/23 12:53:14 | 004,300,354 | R--- | C] () -- C:\Users\Robert\Desktop\ComboFix.exe
    [2011/03/23 12:36:14 | 1071,095,808 | -HS- | C] () -- C:\hiberfil.sys
    [2011/03/19 18:23:56 | 000,879,028 | ---- | C] () -- C:\Users\Robert\Desktop\SecurityCheck.exe
    [2011/03/18 20:20:25 | 000,133,632 | ---- | C] () -- C:\Users\Robert\Desktop\RKUnhookerLE.EXE
    [2011/03/16 18:25:42 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2011/03/16 18:25:36 | 000,001,753 | ---- | C] () -- C:\Users\Robert\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    [2011/03/16 18:25:36 | 000,001,729 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
    [2011/03/16 16:30:26 | 000,625,664 | ---- | C] () -- C:\Users\Robert\Desktop\dds.scr
    [2011/03/16 16:22:36 | 000,080,384 | ---- | C] () -- C:\Users\Robert\Desktop\MBRCheck.exe
    [2011/03/16 14:44:24 | 000,288,107 | ---- | C] () -- C:\Users\Robert\Desktop\gmer.zip
    [2011/03/14 13:46:48 | 000,000,288 | ---- | C] () -- C:\Windows\tasks\Dr.Web Daily scan.job
    [2011/03/14 13:46:45 | 000,000,346 | ---- | C] () -- C:\Windows\tasks\Dr.Web Update.job
    [2011/03/14 13:46:37 | 000,000,824 | ---- | C] () -- C:\Users\Public\Desktop\Dr.Web Scanner.lnk
    [2011/03/09 16:45:27 | 001,263,721 | ---- | C] () -- C:\Users\Robert\Desktop\tdsskiller.zip
    [2011/03/08 14:47:31 | 000,001,116 | ---- | C] () -- C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    [2011/03/08 11:28:45 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/03/08 11:28:45 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/03/08 11:28:45 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/03/08 11:28:45 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/03/08 11:28:45 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/03/07 18:06:58 | 000,001,977 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    [2011/03/07 17:57:10 | 000,079,184 | ---- | C] () -- C:\Users\Robert\Documents\cc_20110307_165708.reg
    [2011/03/07 17:56:17 | 000,000,809 | ---- | C] () -- C:\Users\Robert\Desktop\CCleaner.lnk
    [2011/03/02 11:09:02 | 000,000,394 | -H-- | C] () -- C:\Windows\tasks\User_Feed_Synchronization-{CC3DDFB0-522C-4689-A671-5BD8A129D0D2}.job
    [2011/02/27 01:33:16 | 000,001,745 | ---- | C] () -- C:\Users\Robert\Desktop\Create Your Own Video Screensaver!.lnk
    [2011/02/05 23:47:01 | 000,005,632 | ---- | C] () -- C:\Users\Robert\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/02/01 14:07:54 | 000,000,552 | ---- | C] () -- C:\Users\Robert\AppData\Local\d3d8caps.dat
    [2011/01/20 18:48:08 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
    [2011/01/20 18:48:07 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2011/01/06 17:30:14 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
    [2011/01/06 16:07:08 | 000,001,356 | ---- | C] () -- C:\Users\Robert\AppData\Local\d3d9caps.dat
    [2010/01/13 21:41:00 | 000,309,248 | ---- | C] () -- C:\Windows\System32\sqlite36_engine.dll
    [2010/01/13 21:38:00 | 000,023,552 | ---- | C] () -- C:\Windows\System32\DirectCOM.dll
    [2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2006/11/02 07:47:37 | 000,264,480 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 05:33:01 | 000,606,420 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2006/11/02 05:33:01 | 000,104,430 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2011/02/13 00:31:56 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\com.w3i.intune
    [2011/02/09 00:40:34 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\FreeFileViewer
    [2011/02/04 08:44:07 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Image Zone Express
    [2011/02/05 23:45:57 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\MusicNet
    [2011/02/04 08:44:07 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Printer Info Cache
    [2011/01/15 22:35:47 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\RegistryKeys
    [2011/02/23 15:16:54 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Tific
    [2011/03/08 12:27:04 | 000,000,000 | ---D | M] -- C:\Users\Robert\AppData\Roaming\Windows Live Writer
    [2011/03/14 14:29:32 | 000,000,288 | ---- | M] () -- C:\Windows\Tasks\Dr.Web Daily scan.job
    [2011/03/23 13:46:09 | 000,000,346 | ---- | M] () -- C:\Windows\Tasks\Dr.Web Update.job
    [2011/03/23 14:02:55 | 000,030,554 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
    [2011/03/23 14:09:29 | 000,000,394 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{CC3DDFB0-522C-4689-A671-5BD8A129D0D2}.job

    ========== Purity Check ==========



    < End of report >
     
  14. 2011/03/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    How is redirection?
     
  15. 2011/03/23
    Wilber69 Lifetime Subscription

    Wilber69 Inactive Thread Starter

    Joined:
    2007/11/20
    Messages:
    111
    Likes Received:
    0
    redirection no more! Woohooo!!!!

    Can I ask what was still affecting the computer?

    btw, thank you sir!
     
  16. 2011/03/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It was a really well hidden sucker.
    No other tool would detect it.
    I only spotted it by looking at OTL log.

    This file was your issue:
    O4 - HKCU..\Run: [SBQM] C:\Users\Robert\AppData\Roaming\dxdiago.dll ()
    It looked very similar to legit dxdiag.dll (legit file).
    One letter off :)

    =====================================================

    Your computer is clean :)

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point, using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
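A defender-side check for the kind of lookalike autorun entry broni describes above, as an added example that is not part of this thread or of OTL itself: it parses OTL-style O4 (Run key) lines and flags file names within a small edit distance of known Windows binary names, DLLs autorun from a user profile directory, and entries with no publisher string. Only the dxdiago.dll line is taken from the post; the other sample lines, the known-name list, the directory list and the distance threshold are constructed assumptions for the example.

```python
"""Flag lookalike autorun entries in OTL-style 'O4' log lines.

Added example for this thread, not part of OTL or of the posts. The
dxdiago.dll line is the one quoted in the thread; the other lines, the
known-name list and the thresholds are constructed assumptions.
"""
import re

# Constructed OTL-style O4 (Run key) lines. Only the dxdiago.dll line comes
# from the thread; the Contoso and Sidebar lines are made up for illustration.
SAMPLE_O4_LINES = [
    r"O4 - HKLM..\Run: [Contoso Updater] C:\Program Files\Contoso\updater.exe (Contoso Ltd.)",
    r"O4 - HKCU..\Run: [SBQM] C:\Users\Robert\AppData\Roaming\dxdiago.dll ()",
    r"O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)",
]

# Abridged, constructed list of legitimate Windows binary names to compare against.
KNOWN_SYSTEM_NAMES = sorted({
    "dxdiag.dll", "dxdiag.exe", "sidebar.exe", "explorer.exe",
    "svchost.exe", "rundll32.exe", "userinit.exe",
})

# Profile directories from which a Run entry loading a bare DLL is unusual.
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")

# Maximum edit distance at which a name counts as a lookalike (assumed threshold).
LOOKALIKE_DISTANCE = 2

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?) \((?P<vendor>[^)]*)\)$"
)


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o4(line):
    """Split one O4 line into hive, value name, path and vendor; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(entry):
    """Return the list of reasons an autorun entry deserves a closer look."""
    reasons = []
    path = entry["path"]
    base = path.rsplit("\\", 1)[-1].lower()  # split on backslash so Windows paths parse on any host
    low = path.lower()
    for known in KNOWN_SYSTEM_NAMES:
        d = levenshtein(base, known)
        if 0 < d <= LOOKALIKE_DISTANCE:
            reasons.append(f"name is {d} edit(s) from legitimate {known}")
    if base.endswith(".dll") and any(s in low for s in SUSPICIOUS_DIRS):
        reasons.append("DLL autorun from a user-writable profile directory")
    if not entry["vendor"]:
        # Assumption: empty parentheses in OTL mean no company name was read from the file.
        reasons.append("no publisher information")
    return reasons


def scan(lines):
    """Return (entry, reasons) for every O4 line that triggers at least one heuristic."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry:
            reasons = assess(entry)
            if reasons:
                findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in scan(SAMPLE_O4_LINES):
        print(f"{entry['hive']} [{entry['name']}] {entry['path']}")
        for r in reasons:
            print("   -", r)
```

Run as a script it prints only the dxdiago.dll entry with three reasons. A hit is a prompt to examine the file (hash it, check whether it is signed, compare it with the genuine system binary), not proof of infection on its own; the edit-distance threshold and the known-name list are the two knobs to tune against your own baseline.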
     
  17. 2011/03/23
    Wilber69 Lifetime Subscription

    Wilber69 Inactive Thread Starter

    Joined:
    2007/11/20
    Messages:
    111
    Likes Received:
    0
    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Robert
    ->Temp folder emptied: 36569 bytes
    ->Temporary Internet Files folder emptied: 3212289 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 5867411 bytes
    ->Flash cache emptied: 700 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 9.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Robert
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.22.3 log created on 03232011_144618

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  18. 2011/03/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Whenever ready....
     
  19. 2011/03/23
    Wilber69 Lifetime Subscription

    Wilber69 Inactive Thread Starter

    Joined:
    2007/11/20
    Messages:
    111
    Likes Received:
    0
    You had a long list... :)

    Doing well, thanks for all your time!

    Wil
     
  20. 2011/03/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)

    Good luck and stay safe :)
     
