
Solved Google redirect

Discussion in 'Malware and Virus Removal Archive' started by lynsing, 2010/06/27.

  1. 2010/06/27
    lynsing

    lynsing Inactive Thread Starter

    [Resolved] Google redirect

    I have run DDS after reading a former post. My operating system is Windows 2000 Pro. I have had numerous problems in the last two weeks. Originally it started when I couldn't open Microsoft Word or PDF files and my printer did not work. The printer is fine and on another computer right now; however, that is the least of my problems. I kept getting a pop-up that CRAunc.dll could not initiate and that a file in local temp would not work. In short, I ran CCleaner and F-Prot, which found Hiloti and Eldorado and quarantined them, and tried TrojanHunter; no trojans found. Still I kept getting the pop-up. Then I ran the Recovery Console. Still the problem occurred. Then I ran a repair with the Windows 2000 Pro CD, but it was not the original installation. Ran the Recovery Console and sfc /scannow? The pop-ups have stopped, but now I have "Cannot load msoe.dll"; I tried to download numerous fixes for the DLL and they will not run, says hsapi.dll problem. I have transferred to Windows Outlook email for now. I had thought, since there will be no support for Windows 2000 in short order and my browser was too old, to download Mozilla Firefox... it will not open. I need help!! I have posted as redirect because frequently when I try to go to a website I will get a redirect page first. Anyway, lots of problems. Here is the DDS file, and I also have the Attach file; I have zipped it but need to know where I must attach it.

    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\wupdmgr.exe
    C:\WINNT\system32\wupdmgr.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\wupdmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\mmc.exe
    C:\WINNT\system32\dmremote.exe
    C:\WINNT\System32\dmadmin.exe
    C:\WINNT\system32\DfrgNtfs.exe
    C:\WINNT\system32\taskmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Lynda\Desktop\dds.pif

    ============== Pseudo HJT Report ===============

    uSearch Bar = hxxp://www.google.com/ie
    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.ca/
    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page = hxxp://internetsearchservice.com
    mSearch Bar = hxxp://internetsearchservice.com/ie6.html
    mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchURL = hxxp://internetsearchservice.com
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - No File
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: egreetings Toolbar: {9df9b682-9c18-4a01-bac3-a265ca7cd866} - mscoree.dll
    TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ctfmon.exe] ctfmon.exe
    uRun: [NBJ] "c:\program files\ahead\nero backitup\nbj.exe"
    uRun: [qaieyi] c:\documents and settings\lynda\qaieyi.exe
    uRun: [Nkewewuxiqeniw] rundll32.exe "c:\winnt\CRAunc.dll",Startup
    uRun: [mcexecwin] rundll32.exe c:\docume~1\lynda\locals~1\temp\ke2lxngbk.dll, RestoreWindows
    uRunOnce: [Shockwave Updater] c:\winnt\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103472 - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; FunWebProducts; MathPlayer 2.10d; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727)" - "http://www.pearsonsuccessnet.com/snpapp/iText/products/0-328-35794-4/data/media/tutorials/tutor_sx05_idrdr022/dswmedia/simbase.htm"
    mRun: [Synchronization Manager] mobsync.exe /logon
    mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [THGuard] "c:\program files\trojanhunter 5.3\THGuard.exe"
    mRun: [GlobeCom_Full_Client_McciTrayApp] "c:\program files\telus\telus support centre\bin\McciTrayApp.exe"
    mRun: [snpstd] c:\winnt\vsnpstd.exe
    dRun: [internat.exe] internat.exe
    dRun: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] c:\winnt\temp\drweb.exe
    dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
    mExplorerRun: [start] c:\program files\web technologies\iebtm.exe
    uPolicies-explorer: NoFolderOptions = 1 (0x1)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    dPolicies-explorer: NoFolderOptions = 1 (0x1)
    dPolicies-system: DisableRegistryTools = 1 (0x1)
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: CabBuilder - hxxp://www.imgag.com/kiw/toolbar/download/InstallerControl.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
    DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276470283938
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1276470217753
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    STS: {ecc974ae-6ede-44a2-90da-93b996d8eaf8} - No File
    STS: {C7BA40A1-74F2-52BD-F411-04B15A2C8953} - No File

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\lynda\applic~1\mozilla\firefox\profiles\io85391o.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Search
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - HiddenExtension: XULRunner: {96F6E025-7F95-4336-825F-CBE56567BAEF} - c:\documents and settings\lynda\local settings\application data\{96F6E025-7F95-4336-825F-CBE56567BAEF}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 FPAV_RTP;FPAV_RTP;c:\winnt\system32\drivers\FStopW.sys [2010-6-12 682840]
    R0 PzWDM;PzWDM;c:\winnt\system32\drivers\PzWDM.sys [2008-2-14 15172]
    R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\astra32\astra32.sys [2007-2-22 30864]
    R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2003-6-19 24784]
    R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2007-10-6 49776]
    S0 hbiogn;hbiogn;c:\winnt\system32\drivers\hbiogn.sys [2010-6-4 0]
    S0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2010-6-10 64288]
    S1 srosa;srosa;\??\c:\documents and settings\lynda\application data\drivers\srosa.sys --> c:\documents and settings\lynda\application data\drivers\srosa.sys [?]
    S2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2009-8-27 75424]
    S2 gupdate1c9a8cb2e4ea6b0;Google Update Service (gupdate1c9a8cb2e4ea6b0);c:\program files\google\update\GoogleUpdate.exe [2009-3-19 133104]
    S3 DM9USB;ST268 USB To Fast Ethernet Adapter;c:\winnt\system32\drivers\dm9usb.sys [2009-2-20 21376]
    S3 ne2000;Novell/Eagle NE2000 Adapter Driver;c:\winnt\system32\drivers\ne2000.sys [2009-2-20 16016]

    =============== Created Last 30 ================

    2010-06-27 17:26:14 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_3e0.dat
    2010-06-27 17:25:56 0 d--h--w- c:\winnt\PIF
    2010-06-27 04:44:21 0 d-----w- C:\rei
    2010-06-27 04:44:11 0 d-----w- c:\program files\Reimage
    2010-06-27 04:10:59 1174288 ----a-w- c:\winnt\system32\msoe.dll
    2010-06-27 02:31:59 86288 -c--a-w- c:\winnt\system32\dllcache\tp4mon.exe
    2010-06-27 02:30:59 6736 -c--a-w- c:\winnt\system32\dllcache\serscan.sys
    2010-06-27 02:29:59 56592 -c--a-w- c:\winnt\system32\dllcache\p6xx_32.dll
    2010-06-27 02:28:59 42496 -c--a-w- c:\winnt\system32\dllcache\mwrcov16.exe
    2010-06-27 02:27:57 8176 -c--a-w- c:\winnt\system32\dllcache\memcard.sys
    2010-06-27 02:26:56 32592 -c--a-w- c:\winnt\system32\dllcache\ichaud.sys
    2010-06-27 02:25:59 54032 -c--a-w- c:\winnt\system32\dllcache\eqnloop.exe
    2010-06-27 02:24:59 40720 -c--a-w- c:\winnt\system32\dllcache\coadmin.dll
    2010-06-27 02:23:59 64432 -c--a-w- c:\winnt\system32\dllcache\adpu160m.sys
    2010-06-27 00:39:26 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2ac.dat
    2010-06-25 17:38:49 12560 -c--a-w- c:\winnt\system32\dllcache\tsbyuv.dll
    2010-06-25 17:38:49 12560 ----a-w- c:\winnt\system32\tsbyuv.dll
    2010-06-25 17:38:47 258320 ----a-w- c:\winnt\system32\msh263.drv
    2010-06-25 17:38:44 45840 -c--a-w- c:\winnt\system32\dllcache\iyuv_32.dll
    2010-06-25 17:38:44 45840 ----a-w- c:\winnt\system32\iyuv_32.dll
    2010-06-25 17:38:35 51472 -c--a-w- c:\winnt\system32\dllcache\vfwwdm32.dll
    2010-06-25 17:38:35 51472 ----a-w- c:\winnt\system32\vfwwdm32.dll
    2010-06-25 17:34:04 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_26c.dat
    2010-06-24 18:01:15 3255 ----a-w- c:\winnt\system32\wbem\Outlook_01cb13c73cd3d9f0.mof
    2010-06-22 16:06:41 0 d-----w- c:\program files\Resource Kit
    2010-06-21 20:01:35 0 d---a-w- c:\docume~1\alluse~1\applic~1\MGS
    2010-06-21 19:18:10 0 d---a-w- C:\Microgaming
    2010-06-20 20:09:32 0 d-----w- C:\2ee63a6d2f15f2bc6933a6663abb32d1
    2010-06-20 19:07:00 0 d-----w- C:\602119c08bc7fc2f3510a95ca86
    2010-06-20 18:25:07 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_6fc.dat
    2010-06-19 22:58:22 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_3fc.dat
    2010-06-19 22:14:13 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_5c4.dat
    2010-06-19 19:28:04 0 d-----w- c:\program files\Bonjour
    2010-06-18 19:48:21 0 d---a-w- c:\program files\common files\Motive
    2010-06-18 19:34:39 0 d-----w- c:\docume~1\lynda\applic~1\TELUS
    2010-06-18 16:16:10 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_28c.dat
    2010-06-17 23:21:39 0 d-sh--r- C:\cmdcons
    2010-06-17 21:04:53 0 d-----w- c:\program files\common files\Command Software
    2010-06-17 21:04:35 0 d-----w- c:\program files\common files\PestPatrol
    2010-06-17 21:04:33 0 d-----w- c:\program files\TELUS
    2010-06-17 20:51:15 0 d-----w- c:\docume~1\alluse~1\applic~1\TELUS
    2010-06-17 20:19:41 0 d-----w- C:\1a2687b8e65ac33ffdb2d3d0865a2b64
    2010-06-17 20:07:24 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_27c.dat
    2010-06-16 17:00:27 24336 -c--a-w- c:\winnt\system32\dllcache\sm9232.dll
    2010-06-16 16:59:50 22800 -c--a-w- c:\winnt\system32\dllcache\permchk.dll
    2010-06-16 16:59:50 22800 -c--a-w- c:\winnt\system32\dllcache\OLD14A.tmp
    2010-06-16 16:59:50 18704 -c--a-w- c:\winnt\system32\dllcache\rtl8029.sys
    2010-06-16 16:59:50 18704 -c--a-w- c:\winnt\system32\dllcache\OLD150.tmp
    2010-06-16 16:59:50 13680 -c--a-w- c:\winnt\system32\dllcache\rnbo3531.sys
    2010-06-16 16:59:50 13680 -c--a-w- c:\winnt\system32\dllcache\OLD14D.tmp
    2010-06-16 16:59:29 43792 -c--a-w- c:\winnt\system32\dllcache\otceth5.sys
    2010-06-16 16:59:29 43792 -c--a-w- c:\winnt\system32\dllcache\OLD144.tmp
    2010-06-16 16:59:29 30064 -c--a-w- c:\winnt\system32\dllcache\pca200e.sys
    2010-06-16 16:59:29 30064 -c--a-w- c:\winnt\system32\dllcache\OLD147.tmp
    2010-06-16 16:59:28 30992 -c--a-w- c:\winnt\system32\dllcache\OLD141.tmp
    2010-06-16 16:59:28 30992 -c--a-w- c:\winnt\system32\dllcache\ngrpci.sys
    2010-06-16 16:54:57 6928 -c--a-w- c:\winnt\system32\dllcache\OLD115.tmp
    2010-06-16 16:53:36 91920 -c--a-w- c:\winnt\system32\dllcache\OLD45.tmp
    2010-06-16 02:45:08 1934 ----a-w- c:\winnt\imsins.BAK
    2010-06-15 18:51:16 0 d-----w- c:\docume~1\alluse~1\applic~1\TrojanHunter
    2010-06-15 18:50:54 0 d-----w- c:\program files\TrojanHunter 5.3
    2010-06-15 04:02:52 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_294.dat
    2010-06-15 00:59:09 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_280.dat
    2010-06-15 00:37:40 0 d-----w- c:\docume~1\lynda\applic~1\Malwarebytes
    2010-06-15 00:37:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-06-14 23:44:35 0 d-----w- c:\program files\Yahoo!
    2010-06-14 23:44:13 0 d-----w- c:\program files\CCleaner
    2010-06-14 23:31:18 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2a4.dat
    2010-06-14 21:59:13 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_ee4.dat
    2010-06-14 02:13:19 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_148.dat
    2010-06-14 00:29:16 0 d-----w- c:\winnt\Local Settings
    2010-06-13 23:06:45 15064 ----a-w- c:\winnt\system32\wuapi.dll.mui
    2010-06-13 23:04:47 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_41c.dat
    2010-06-12 17:26:21 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_aec.dat
    2010-06-12 17:14:14 0 d-----w- c:\winnt\E58B329BFB28487490DE0D7CB2709267.TMP
    2010-06-12 16:56:02 0 d-----w- c:\docume~1\lynda\applic~1\FRISK Software
    2010-06-12 16:20:39 682840 ----a-w- c:\winnt\system32\drivers\FStopW.sys
    2010-06-12 16:19:54 0 d-----w- c:\program files\FRISK Software
    2010-06-11 23:17:31 32 ----a-w- c:\winnt\system32\thxcfg.ini
    2010-06-11 20:14:24 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2a0.dat
    2010-06-11 16:02:49 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_404.dat
    2010-06-11 05:28:59 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_298.dat
    2010-06-11 05:12:53 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_29c.dat
    2010-06-11 01:15:37 21124 ------w- c:\winnt\hpomdl07.dat.temp
    2010-06-11 01:15:37 112033 ------w- c:\winnt\hpoins07.dat.temp
    2010-06-11 00:26:56 64288 ----a-w- c:\winnt\system32\drivers\Lbd.sys
    2010-06-11 00:26:03 95024 ----a-w- c:\winnt\system32\drivers\SBREDrv.sys
    2010-06-11 00:11:19 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-06-09 04:12:23 371 ----a-w- c:\documents and settings\lynda\Video .lnk
    2010-06-09 04:12:22 371 ----a-w- c:\documents and settings\lynda\Pictures .lnk
    2010-06-09 04:12:22 371 ----a-w- c:\documents and settings\lynda\Passwords .lnk
    2010-06-09 04:12:22 371 ----a-w- c:\documents and settings\lynda\New Folder .lnk
    2010-06-09 04:12:22 371 ----a-w- c:\documents and settings\lynda\Music .lnk
    2010-06-09 04:12:22 371 ----a-w- c:\documents and settings\lynda\Documents .lnk
    2010-06-09 04:12:20 125 --sh--r- c:\documents and settings\lynda\autorun.inf
    2010-06-04 18:35:16 0 ----a-w- c:\winnt\system32\drivers\hbiogn.sys
    2010-06-04 18:34:42 80384 ----a-w- c:\documents and settings\lynda\b.exe
    2010-06-04 18:34:41 240139 ----a-w- c:\documents and settings\lynda\iexplore.exe
    2010-06-02 12:12:14 352513 ----a-w- c:\winnt\system32\savapi3.dll

    ==================== Find3M ====================

    2010-06-25 00:55:44 1960 ----a-w- c:\winnt\system32\d3d9caps.dat
    2010-06-12 07:07:49 111967 ----a-w- c:\winnt\hpoins07.dat
    2010-05-28 05:10:09 53248 --sh--r- c:\documents and settings\lynda\qaieyi.scr
    2010-05-27 11:19:47 22528 ----a-w- c:\documents and settings\lynda\1.exe
    2010-05-27 11:18:24 82944 ----a-w- c:\documents and settings\lynda\2.exe
    2010-05-12 17:23:41 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_428.dat
    2010-05-12 16:37:37 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_254.dat
    2010-04-15 05:19:31 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_43c.dat
    2009-10-07 20:35:09 19135 ----a-w- c:\program files\Heather's School Photo 2008-2009 (240 x 338).jpg
    2007-10-06 22:54:55 271 ---h--w- c:\program files\desktop.ini
    2007-10-06 22:54:55 21952 ---h--w- c:\program files\folder.htt
    2001-05-08 12:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys

    ============= FINISH: 10:28:25.44 ===============
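The Run-key, policy and "Created Last 30" entries in the DDS log above are the parts a responder reads first: autostart targets in temp or directly in the profile root, rundll32 loading a DLL from outside system32, policies that lock the user out of regedit and Folder Options, an autorun.inf outside a drive root, and .lnk names padded with a trailing space. The script below is an added example for this thread, not code from the original post and not part of DDS; it applies those heuristics to lines copied from the log. The function names, thresholds and reason strings are the example's own assumptions, and every hit is a lead to check against the file on disk, not a verdict.

```python
"""Heuristic triage of DDS 'Pseudo HJT Report' and 'Created Last 30' lines.

Added example for this thread, not code from the original post or from DDS.
SAMPLE_DDS is copied from the log above; the heuristics, thresholds and
function names are this example's own assumptions about what merits a look.
"""
from __future__ import annotations

import re

# Lines copied from the DDS log posted in this thread (known-good and
# suspicious entries mixed, so the heuristics have something to ignore).
SAMPLE_DDS = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] ctfmon.exe
uRun: [qaieyi] c:\documents and settings\lynda\qaieyi.exe
uRun: [Nkewewuxiqeniw] rundll32.exe "c:\winnt\CRAunc.dll",Startup
uRun: [mcexecwin] rundll32.exe c:\docume~1\lynda\locals~1\temp\ke2lxngbk.dll, RestoreWindows
mRun: [NeroFilterCheck] c:\winnt\system32\NeroCheck.exe
dRun: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] c:\winnt\temp\drweb.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
2010-06-09 04:12:22 371 ----a-w- c:\documents and settings\lynda\Passwords .lnk
2010-06-09 04:12:20 125 --sh--r- c:\documents and settings\lynda\autorun.inf
2010-06-04 18:34:41 240139 ----a-w- c:\documents and settings\lynda\iexplore.exe
2010-06-12 16:20:39 682840 ----a-w- c:\winnt\system32\drivers\FStopW.sys
"""

RUN_RE = re.compile(r"^([umd]Run(?:Once)?|mExplorerRun): \[(.+?)\] (.+?)\s*$")
POLICY_RE = re.compile(r"^([umd]Policies-\w+): (\w+) = (\d+)")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+\S+\s+(.+?)\s*$")
# First token ending in an executable extension; tolerates quotes and trailing args.
TARGET_RE = re.compile(r'^"?(.+?\.(?:exe|dll|scr|com|pif|bat|cmd))\b', re.I)
PROFILE_ROOT_RE = re.compile(r"^c:\\(?:documents and settings|docume~1)\\[^\\]+\\[^\\]+$", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
SYSTEM32_RE = re.compile(r"\\system32\\", re.I)
# Explorer/system policies malware sets to keep the user out of regedit and Folder Options.
LOCKDOWN_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr", "NoRun"}
EXEC_EXTS = (".exe", ".dll", ".scr", ".pif", ".com")


def extract_target(command: str) -> tuple[str, bool]:
    """Return (path, via_rundll32). For rundll32 the DLL argument is the target."""
    cmd = command.strip()
    via_rundll32 = cmd.lower().startswith("rundll32.exe")
    if via_rundll32:
        cmd = cmd[len("rundll32.exe"):].strip()
    m = TARGET_RE.match(cmd)
    return (m.group(1) if m else cmd), via_rundll32


def triage(text: str) -> list[dict]:
    """Return one finding per suspicious line: kind, key, target, reasons."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = []
        if m := RUN_RE.match(line):
            scope, name, command = m.groups()
            path, via_rundll32 = extract_target(command)
            if TEMP_RE.search(path):
                reasons.append("autostart target lives in a temp directory")
            if PROFILE_ROOT_RE.match(path):
                reasons.append("autostart target sits directly in a user profile root")
            if via_rundll32 and not SYSTEM32_RE.search(path):
                reasons.append("rundll32 loads a DLL from outside system32")
            if len(name) >= 20 and re.fullmatch(r"[a-z0-9]+", name) and re.search(r"\d", name):
                reasons.append("long random-looking value name")
            kind, key, target = "autostart", f"{scope}:{name}", path
        elif m := POLICY_RE.match(line):
            hive, policy, value = m.groups()
            if policy in LOCKDOWN_POLICIES and value != "0":
                reasons.append("lockdown policy set (blocks regedit / hides Folder Options)")
            kind, key, target = "policy", f"{hive}:{policy}", value
        elif m := CREATED_RE.match(line):
            path = m.group(1)
            low = path.lower()
            if low.endswith("\\autorun.inf") and not re.fullmatch(r"[a-z]:\\autorun\.inf", low):
                reasons.append("autorun.inf outside a drive root")
            if low.endswith(" .lnk"):
                reasons.append("shortcut name padded with a trailing space")
            if PROFILE_ROOT_RE.match(path) and low.endswith(EXEC_EXTS):
                reasons.append("executable dropped directly in a user profile root")
            kind, key, target = "created", f"created:{path}", path
        if reasons:
            findings.append({"kind": kind, "key": key, "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f['kind']}] {f['key']} -> {f['target']}: {'; '.join(f['reasons'])}")
```

Run it against a full DDS.txt by passing the file's contents to `triage()`; the known-good entries in the sample (the Google toolbar notifier, ctfmon.exe, NeroCheck.exe, the F-Prot driver) produce no findings, which is the point of mixing them in. The EnableLUA policy is deliberately not flagged: on Windows 2000 the key has no effect, and a triage heuristic should not claim otherwise.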
     
  2. 2010/06/27
    PeteC

    PeteC SuperGeek Staff

    Welcome to WindowsBBS :)

    Copy/Paste the contents of Attach.txt into your next post here.
     

  4. 2010/06/27
    lynsing

    lynsing Inactive Thread Starter

    DDS (Ver_10-03-17.01)

    Microsoft Windows 2000 Professional
    Boot Device: \Device\Harddisk0\Partition1
    Install Date:
    System Uptime: 26/06/2010 10:38:20 AM (24 hours ago)

    Motherboard: Intel Corporation | | D815EEA
    Processor: Intel Pentium III processor | J4L1 | 930/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 5.246 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&15F50029&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&15F50029&0
    Service: i8042prt

    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&15F50029&0
    Manufacturer: (Standard keyboards)
    Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&15F50029&0
    Service: i8042prt

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Device
    Device ID: PCI\VEN_8086&DEV_2443&SUBSYS_45418086&REV_02\3&61AAA01&0&FB
    Manufacturer:
    Name: PCI Device
    PNP Device ID: PCI\VEN_8086&DEV_2443&SUBSYS_45418086&REV_02\3&61AAA01&0&FB
    Service:

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Hotspot Shield Helper Miniport
    Device ID: ROOT\MS_HSSDRVMP\0000
    Manufacturer: Hotspot Shield
    Name: Hotspot Shield Helper Miniport
    PNP Device ID: ROOT\MS_HSSDRVMP\0000
    Service: HssDrv

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Hotspot Shield Helper Miniport
    Device ID: ROOT\MS_HSSDRVMP\0001
    Manufacturer: Hotspot Shield
    Name: Hotspot Shield Helper Miniport #13
    PNP Device ID: ROOT\MS_HSSDRVMP\0001
    Service: HssDrv

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Hotspot Shield Helper Miniport
    Device ID: ROOT\MS_HSSDRVMP\0009
    Manufacturer: Hotspot Shield
    Name: Hotspot Shield Helper Miniport #10
    PNP Device ID: ROOT\MS_HSSDRVMP\0009
    Service: HssDrv

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Hotspot Shield Helper Miniport
    Device ID: ROOT\MS_HSSDRVMP\0011
    Manufacturer: Hotspot Shield
    Name: Hotspot Shield Helper Miniport #15
    PNP Device ID: ROOT\MS_HSSDRVMP\0011
    Service: HssDrv

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Hotspot Shield Helper Miniport
    Device ID: ROOT\MS_HSSDRVMP\0013
    Manufacturer: Hotspot Shield
    Name: Hotspot Shield Helper Miniport #16
    PNP Device ID: ROOT\MS_HSSDRVMP\0013
    Service: HssDrv

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Hotspot Shield Helper Miniport
    Device ID: ROOT\MS_HSSDRVMP\0014
    Manufacturer: Hotspot Shield
    Name: Hotspot Shield Helper Miniport #14
    PNP Device ID: ROOT\MS_HSSDRVMP\0014
    Service: HssDrv

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    1500
    1500_Help
    1500Trb
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.1.3
    Adobe Shockwave Player 11
    Advanced MP3/WMA Recorder
    AiO_Scan
    AiOSoftware
    Apple Software Update
    ASTRA32 - Advanced System Information Tool 1.54
    Astro-Mania
    ATI Win2k Display Driver
    Avanquest update
    Azureus Vuze
    Before You Know It 3.6
    Bonjour
    BufferChm
    Canon Camera Support Core Library
    Canon Camera TWAIN Driver
    Canon Camera TWAIN Driver 6.9
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Chinese Traditional Fonts Support For Adobe Reader 9
    Compatibility Pack for the 2007 Office system
    Conjugaison - 60 verbes 1.0
    Coupon Printer for Windows
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CustomerResearchQFolder
    Destinations
    DeviceManagementQFolder
    DivX Content Uploader
    DocProc
    eFax Messenger 4.3
    eMule
    eSupportQFolder
    F-PROT Antivirus for Windows
    Fax
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    HOT ALBUM MYBOX
    Hotfix for MDAC 2.53 (KB927779)
    HP Extended Capabilities 5.3
    HP Imaging Device Functions 5.3
    HP Photosmart Essential
    HP Product Assistant
    HP Product Detection
    HP PSC & OfficeJet 5.3.B
    HP Solution Center & Imaging Support Tools 5.3
    HP Update
    HPProductAssistant
    Java(TM) 6 Update 11
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Learn To Speak English 8.1
    Macromedia Extension Manager
    Macromedia Flash 8 Video Encoder
    Macromedia Flash Player 8 Plugin
    MailNavigator v.1.11
    MarketResearch
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 1.1 Hotfix (KB947742)
    Microsoft .NET Framework 2.0
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Tool Web Package : DUREG.EXE
    Microsoft Tool Web Package : OLEVIEW.EXE
    Microsoft Visual C++ 2005 Redistributable
    Motorola Driver Installation 3.2.0
    Motorola Phone Tools
    Mozilla Firefox (3.6.4)
    MSN Messenger 7.0
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Nero Media Player
    Nero OEM
    NeroVision Express 2
    NewCopy
    NewsBin Pro
    Palm Desktop
    Photo Transport
    ProductContext
    QuickTime
    Readme
    RealPlayer
    Recuva
    Reimage Repair
    Scan
    ScannerCopy
    Security Update for CAPICOM (KB931906)
    Security Update for DirectX 9 (KB941568)
    Security Update for DirectX 9 (KB951698)
    Security Update for Windows 2000 (KB904706)
    Security Update for Windows 2000 (KB923689)
    Security Update for Windows 2000 (KB941569)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Skype Toolbars
    Skype™ 4.2
    SmartCamera Ver 2.1
    SolutionCenter
    Spelling Dictionaries Support For Adobe Reader 9
    Status
    TELUS Security service
    TELUS Support Centre (remove only)
    TrayApp
    TrojanHunter 5.3
    Unload
    Update Rollup 1 for Windows 2000 SP4
    USB PC Camera (SN9C102)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs
    WebReg
    Windows 2000 Hotfix - KB833407
    Windows 2000 Hotfix - KB842773
    Windows 2000 Hotfix - KB893756
    Windows 2000 Hotfix - KB896358
    Windows 2000 Hotfix - KB896422
    Windows 2000 Hotfix - KB896423
    Windows 2000 Hotfix - KB899587
    Windows 2000 Hotfix - KB899589
    Windows 2000 Hotfix - KB900725
    Windows 2000 Hotfix - KB901017
    Windows 2000 Hotfix - KB901214
    Windows 2000 Hotfix - KB905414
    Windows 2000 Hotfix - KB905495
    Windows 2000 Hotfix - KB905749
    Windows 2000 Hotfix - KB908519
    Windows 2000 Hotfix - KB908531
    Windows 2000 Hotfix - KB911280
    Windows 2000 Hotfix - KB913580
    Windows 2000 Hotfix - KB914388
    Windows 2000 Hotfix - KB914389
    Windows 2000 Hotfix - KB917008
    Windows 2000 Hotfix - KB917953
    Windows 2000 Hotfix - KB918118
    Windows 2000 Hotfix - KB920213
    Windows 2000 Hotfix - KB920670
    Windows 2000 Hotfix - KB920683
    Windows 2000 Hotfix - KB920685
    Windows 2000 Hotfix - KB921398
    Windows 2000 Hotfix - KB921503
    Windows 2000 Hotfix - KB922582
    Windows 2000 Hotfix - KB923191
    Windows 2000 Hotfix - KB923414
    Windows 2000 Hotfix - KB923810
    Windows 2000 Hotfix - KB923980
    Windows 2000 Hotfix - KB924270
    Windows 2000 Hotfix - KB924667
    Windows 2000 Hotfix - KB925902
    Windows 2000 Hotfix - KB926122
    Windows 2000 Hotfix - KB926436
    Windows 2000 Hotfix - KB927891
    Windows 2000 Hotfix - KB928843
    Windows 2000 Hotfix - KB930178
    Windows 2000 Hotfix - KB931784
    Windows 2000 Hotfix - KB933729
    Windows 2000 Hotfix - KB935839
    Windows 2000 Hotfix - KB935840
    Windows 2000 Hotfix - KB936021
    Windows 2000 Hotfix - KB937894
    Windows 2000 Hotfix - KB938127
    Windows 2000 Hotfix - KB938464
    Windows 2000 Hotfix - KB938827
    Windows 2000 Hotfix - KB938829
    Windows 2000 Hotfix - KB939653
    Windows 2000 Hotfix - KB941202
    Windows 2000 Hotfix - KB941644
    Windows 2000 Hotfix - KB941693
    Windows 2000 Hotfix - KB942615
    Windows 2000 Hotfix - KB943055
    Windows 2000 Hotfix - KB943485
    Windows 2000 Hotfix - KB944338
    Windows 2000 Hotfix - KB944533
    Windows 2000 Hotfix - KB945553
    Windows 2000 Hotfix - KB947864
    Windows 2000 Hotfix - KB948590
    Windows 2000 Hotfix - KB948881
    Windows 2000 Hotfix - KB950749
    Windows 2000 Hotfix - KB950759
    Windows 2000 Hotfix - KB950760
    Windows 2000 Hotfix - KB950974
    Windows 2000 Hotfix - KB951066
    Windows 2000 Hotfix - KB951748
    Windows 2000 Hotfix - KB952954
    Windows 2000 Hotfix - KB953838
    Windows 2000 Hotfix - KB953839
    Windows 2000 Hotfix - KB954211
    Windows 2000 Hotfix - KB956390
    Windows 2000 Hotfix - KB956391
    Windows 2000 Hotfix - KB957095
    Windows 2000 Hotfix - KB958644
    Windows Installer 3.1 (KB893803)
    Windows Live OneCare safety scanner
    Windows Media Player Hotfix [See Q828026 for more information]
    Windows Media Player system update (9 Series)
    WinRAR archiver
    Xvid 1.1.3 final uninstall
    Yukon Gold

    ==== End Of File ===========================
     
  5. 2010/06/27
    Admin. (Administrator, Staff)
    I see you have P2P software (Azureus, LimeWire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     
  6. 2010/06/27
    broni (Moderator, Malware Analyst)
    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in the right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. 2010/06/28
    lynsing (Inactive, Thread Starter)
    Tried to run Malwarebytes but to no avail. It ran for a minute, had only scanned 270 files and stopped. I cannot go into safe mode. I have tried F8 on numerous occasions throughout this process but it just starts up. I tried to do the run command as stated in the help file for Malwarebytes, but it said it would only scan but not remove anything unless it was registered, so I did register it. It still did not work. I am writing to them to request a refund if I cannot get it to work.
    Anyways, I finally just decided to go to step 2 to see if it would run. Following is the log file of GMER:
    Rootkit quick scan 2010-06-28 02:02:14
    Windows 5.0.2195 Service Pack 4
    Running: 59u4o8d8.exe; Driver: C:\DOCUME~1\Lynda\LOCALS~1\Temp\uwdcqfob.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 28: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 38: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 41: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 44: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 46: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 47: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 48: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 50: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 51: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 52: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 55: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs FStopW.sys (FPAV - RealTime Protector/FRISK Software International)
    AttachedDevice \FileSystem\Fastfat \Fat FStopW.sys (FPAV - RealTime Protector/FRISK Software International)

    ---- EOF - GMER 1.0.15 ----
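    The GMER output above flags every sector from 00 to 63 on \Device\Harddisk0\DR0. Sector 0 is the MBR and, on the legacy CHS-aligned layout that Windows 2000 installs use, the first partition starts at LBA 63, so sectors 1 to 62 are the unallocated gap in front of it and sector 63 is the first partition's boot sector. A flag across that whole range is the single fact a helper wants pulled out of a 70-line log before deciding on a fix. As an added example, not part of the thread and not GMER's own code, the Python script below parses a GMER 1.0.15 text log into its "Disk sectors" and "Devices" sections and classifies the flagged sectors by where they sit on the disk. The embedded log is a constructed, shortened copy of the one posted above (four of the 64 flagged sectors are kept), and the first-partition LBA of 63 is an assumption about the disk layout that should be checked against the real partition table.

```python
"""Pull the security-relevant facts out of a GMER 1.0.15 text log."""
import re

# Constructed excerpt modelled on the log posted above; the real log flagged
# every sector from 00 to 63, here only four of them are kept.
SAMPLE_LOG = r"""Rootkit quick scan 2010-06-28 02:02:14
Windows 5.0.2195 Service Pack 4

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs FStopW.sys (FPAV - RealTime Protector/FRISK Software International)
AttachedDevice \FileSystem\Fastfat \Fat FStopW.sys (FPAV - RealTime Protector/FRISK Software International)

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SECTOR_RE = re.compile(r"^Disk (\S+) sector (\d+): (.+?);?\s*$")
DEVICE_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+) \((.*)\)\s*$")

# Assumption: legacy CHS-aligned layout with the first partition at LBA 63.
# Verify against the real partition table before relying on it.
FIRST_PARTITION_LBA = 63


def parse_gmer(text):
    """Return flagged sectors and attached filter devices from a GMER log."""
    section, sectors, devices = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Disk sectors":
            m = SECTOR_RE.match(line)
            if m:                      # (device, sector number, GMER's note)
                sectors.append((m.group(1), int(m.group(2)), m.group(3)))
        elif section == "Devices":
            m = DEVICE_RE.match(line)
            if m:                      # (device stack, driver file, vendor text)
                devices.append((m.group(1), m.group(3), m.group(4)))
    return {"sectors": sectors, "devices": devices}


def triage(parsed, first_partition_lba=FIRST_PARTITION_LBA):
    """Classify flagged sectors: MBR, pre-partition gap, first partition's VBR."""
    flagged = sorted({s for _, s, _ in parsed["sectors"]})
    mbr = 0 in flagged
    gap = [s for s in flagged if 0 < s < first_partition_lba]
    vbr = first_partition_lba in flagged
    drivers = sorted({d for _, d, _ in parsed["devices"]})
    if mbr and gap:
        verdict = ("MBR and pre-partition gap flagged: consistent with an MBR "
                   "bootkit; image sector 0 and the gap before changing anything")
    elif mbr:
        verdict = "MBR flagged: compare sector 0 against a known-good boot record"
    elif flagged:
        verdict = "sectors flagged outside the MBR: check which partition they belong to"
    else:
        verdict = "no disk sectors flagged"
    return {"flagged": flagged, "mbr": mbr, "gap": gap, "vbr": vbr,
            "filter_drivers": drivers, "verdict": verdict}


if __name__ == "__main__":
    result = triage(parse_gmer(SAMPLE_LOG))
    print(result["verdict"])
    print("file-system filter drivers seen:", ", ".join(result["filter_drivers"]))
```

    On a real case, read the saved gmer.log and pass its text to parse_gmer. The "Devices" section is worth keeping in the output too: here both attached filters belong to F-PROT's real-time scanner, which is expected, while an unsigned or unknown driver attached to \FileSystem\Ntfs would be the other thing to chase.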
     
  8. 2010/06/28
    broni (Moderator, Malware Analyst)
    Please download and run the tool below, named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


      * Double-click on the Rkill desktop icon to run the tool.
      * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * If not, delete the file, then download and use the one provided in Link 2.
      * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately try to run the following.

    Now download and run exeHelper.


      * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
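    Rkill and exeHelper are in this step because an infection of this kind blocks the cleanup tools themselves, which is exactly the symptom reported above (Malwarebytes stopping after 270 files). The exeHelper log posted later in this thread shows what it puts back: the .exe and .com file-type associations, the Winlogon Userinit and Shell values, and policies. As an added example, not part of the thread and not Rkill's or exeHelper's code, the Python script below audits a registry export (a .reg text file from regedit's Export function, which still works when nothing else will run) for those same values, so a helper can see which hijack is in place rather than blindly resetting. The embedded .reg text is constructed for this example: its exefile handler is deliberately hijacked and one restrictive policy is set; the path hijack.exe is hypothetical; and the expected clean values are assumed defaults for Windows 2000 with %SystemRoot% = C:\WINNT, which is the system root the ComboFix log in this thread shows.

```python
"""Audit a .reg export for the execution hijacks exeHelper resets."""
import re

# Constructed .reg excerpt (not from the thread); the exefile handler and one
# policy value are deliberately wrong so the audit has something to find.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\hijack.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Assumed clean values for Windows 2000 with %SystemRoot% = C:\WINNT;
# compared case-insensitively. Adjust the userinit path for another root.
EXPECTED = {
    (WINLOGON, "Shell"): {"explorer.exe"},
    (WINLOGON, "Userinit"): {r"c:\winnt\system32\userinit.exe"},
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): {'"%1" %*'},
    (r"HKEY_CLASSES_ROOT\comfile\shell\open\command", "@"): {'"%1" %*'},
}
RESTRICTIVE_POLICIES = ("DisableRegistryTools", "DisableTaskMgr")


def _decode(data):
    """Turn the right-hand side of a .reg value line into a str or int."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r'\\(["\\])', r'\1', data[1:-1])  # unescape \\ and \"
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) blobs and other types are left as-is


def parse_reg(text):
    """Map (key, value name) -> decoded data; keys and names are lower-cased."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (line.startswith('"') or line.startswith("@")):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            values[(key, name.lower())] = _decode(data)
    return values


def audit(values):
    """Return (key, name, actual, reason) for every value that is not clean."""
    findings = []
    for (key, name), allowed in EXPECTED.items():
        actual = values.get((key.lower(), name.lower()))
        if not isinstance(actual, str):
            findings.append((key, name, actual, "missing"))
            continue
        norm = actual.lower().strip().rstrip(",")
        # Userinit is a comma-separated list; malware appends its own entry to it
        entries = [e.strip() for e in norm.split(",")] if name == "Userinit" else [norm]
        if any(e not in allowed for e in entries):
            findings.append((key, name, actual, "hijacked"))
    for pol in RESTRICTIVE_POLICIES:
        v = values.get((POLICY.lower(), pol.lower()))
        if isinstance(v, int) and v != 0:
            findings.append((POLICY, pol, v, "restrictive policy set"))
    return findings


if __name__ == "__main__":
    for key, name, actual, reason in audit(parse_reg(SAMPLE_REG)):
        print(f"{reason:<22} {key}\\{name} = {actual!r}")
```

    The audit is read-only by design: it tells you what was changed so the fix can be targeted and the hijacking binary can be recovered for analysis first. Resetting the values, which exeHelper does, comes after that.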
     
  9. 2010/06/29
    lynsing (Inactive, Thread Starter)
    Thanks, Broni,
    I am awaiting what next.

    Here is the log file for Rkill:
    Processes terminated by Rkill or while it was running:


    C:\Documents and Settings\Lynda\Desktop\rkill.com


    Rkill completed on 28/06/2010 at 19:52:57.


    Here is the log file for exeHelper:

    exeHelper by Raktor
    Build 20100414
    Run at 19:50:56 on 06/28/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    exeHelper by Raktor
    Build 20100414
    Run at 19:54:59 on 06/28/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Here is the log file for Combofix:
    ComboFix 10-06-27.06 - Lynda 28/06/2010 21:31:03.1.1 - x86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.255.123 [GMT -7:00]
    Running from: c:\documents and settings\Lynda\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Lynda\LOCALS~1\Temp\1E3.tmp
    c:\documents and settings\Lynda\1.exe
    c:\documents and settings\Lynda\2.exe
    c:\documents and settings\Lynda\Application Data\drivers\downld
    c:\documents and settings\Lynda\Application Data\FunWebProducts
    c:\documents and settings\Lynda\Application Data\FunWebProducts\Data\Lynda\avatar.dat
    c:\documents and settings\Lynda\Application Data\FunWebProducts\Data\Lynda\outfit.dat
    c:\documents and settings\Lynda\Application Data\FunWebProducts\Data\Lynda\register.dat
    c:\documents and settings\Lynda\Application Data\FunWebProducts\Data\Lynda\zbucks.dat
    c:\documents and settings\Lynda\Application Data\m
    c:\documents and settings\Lynda\autorun.inf
    c:\documents and settings\Lynda\b.exe
    c:\documents and settings\Lynda\Documents .lnk
    c:\documents and settings\Lynda\iexplore.exe
    c:\documents and settings\Lynda\Local Settings\Application Data\{96F6E025-7F95-4336-825F-CBE56567BAEF}
    c:\documents and settings\Lynda\Local Settings\Application Data\{96F6E025-7F95-4336-825F-CBE56567BAEF}\chrome.manifest
    c:\documents and settings\Lynda\Local Settings\Application Data\{96F6E025-7F95-4336-825F-CBE56567BAEF}\chrome\content\_cfg.js
    c:\documents and settings\Lynda\Local Settings\Application Data\{96F6E025-7F95-4336-825F-CBE56567BAEF}\chrome\content\overlay.xul
    c:\documents and settings\Lynda\Local Settings\Application Data\{96F6E025-7F95-4336-825F-CBE56567BAEF}\install.rdf
    c:\documents and settings\Lynda\Local Settings\Temp\1E3.tmp
    c:\documents and settings\Lynda\Music .lnk
    c:\documents and settings\Lynda\My Documents\My Documents.url
    c:\documents and settings\Lynda\My Documents\My Pictures\My Pictures.url
    c:\documents and settings\Lynda\New Folder .lnk
    c:\documents and settings\Lynda\Passwords .lnk
    c:\documents and settings\Lynda\Pictures .lnk
    c:\documents and settings\Lynda\qaieyi.scr
    c:\documents and settings\Lynda\Recent\exeHelper.pif
    c:\documents and settings\Lynda\Recent\rkill.pif
    c:\documents and settings\Lynda\Video .lnk
    c:\program files\Internet Explorer\msimg32.dll
    c:\winnt\CRAunc.dll
    c:\winnt\Downloaded Program Files\f3initialsetup1.0.1.0.inf
    c:\winnt\ieocx.dll
    c:\winnt\iseweyif.dll
    c:\winnt\system32\459849
    c:\winnt\system32\459849\459849.dll
    c:\winnt\system32\driVERs\hbiogn.sys
    c:\winnt\system32\dumphive.exe
    c:\winnt\system32\f3PSSavr.scr
    c:\winnt\system32\Process.exe
    c:\winnt\system32\SrchSTS.exe
    c:\winnt\system32\VACFix.exe
    c:\winnt\system32\VCCLSID.exe
    c:\winnt\system32\WS2Fix.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Legacy_SROSA
    -------\Service_MyWebSearchService
    -------\Service_srosa
    -------\Legacy_hbiogn
    -------\Service_hbiogn


    ((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-29 )))))))))))))))))))))))))))))))
    .

    2010-06-29 05:57 . 2010-06-29 05:57 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_2ac.dat
    2010-06-29 03:55 . 2010-06-29 03:55 -------- d-----w- C:\32788R22FWJFW
    2010-06-28 05:32 . 2010-04-29 22:39 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2010-06-28 05:32 . 2010-04-29 22:39 19288 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2010-06-27 23:11 . 2010-06-28 05:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-27 17:25 . 2010-06-27 17:25 -------- d--h--w- c:\winnt\PIF
    2010-06-27 04:44 . 2010-06-27 04:44 -------- d-----w- C:\rei
    2010-06-27 04:44 . 2010-06-27 04:44 -------- d-----w- c:\program files\Reimage
    2010-06-27 04:10 . 2001-05-30 06:59 1174288 ----a-w- c:\winnt\system32\msoe.dll
    2010-06-27 02:31 . 1999-12-01 06:40 86288 -c--a-w- c:\winnt\system32\dllcache\tp4mon.exe
    2010-06-27 02:30 . 1999-09-25 17:36 6736 -c--a-w- c:\winnt\system32\dllcache\serscan.sys
    2010-06-27 02:29 . 1999-12-01 06:39 56592 -c--a-w- c:\winnt\system32\dllcache\p6xx_32.dll
    2010-06-27 02:28 . 1999-04-01 19:56 202752 -c--a-w- c:\winnt\system32\dllcache\mwremind.exe
    2010-06-27 02:27 . 2003-06-19 19:05 70416 -c--a-w- c:\winnt\system32\dllcache\metadata.dll
    2010-06-27 02:26 . 1999-10-22 21:54 32592 -c--a-w- c:\winnt\system32\dllcache\ichaud.sys
    2010-06-27 02:25 . 1999-12-01 06:40 54032 -c--a-w- c:\winnt\system32\dllcache\eqnloop.exe
    2010-06-27 02:24 . 2003-06-19 19:05 40720 -c--a-w- c:\winnt\system32\dllcache\coadmin.dll
    2010-06-27 02:23 . 2003-06-19 19:05 64432 -c--a-w- c:\winnt\system32\dllcache\adpu160m.sys
    2010-06-25 17:38 . 1999-12-01 06:39 12560 -c--a-w- c:\winnt\system32\dllcache\tsbyuv.dll
    2010-06-25 17:38 . 1999-12-01 06:39 12560 ----a-w- c:\winnt\system32\tsbyuv.dll
    2010-06-25 17:38 . 1999-12-02 22:30 258320 ----a-w- c:\winnt\system32\msh263.drv
    2010-06-25 17:38 . 1999-12-01 06:39 45840 -c--a-w- c:\winnt\system32\dllcache\iyuv_32.dll
    2010-06-25 17:38 . 1999-12-01 06:39 45840 ----a-w- c:\winnt\system32\iyuv_32.dll
    2010-06-25 17:38 . 2003-06-19 19:05 51472 -c--a-w- c:\winnt\system32\dllcache\vfwwdm32.dll
    2010-06-25 17:38 . 2003-06-19 19:05 51472 ----a-w- c:\winnt\system32\vfwwdm32.dll
    2010-06-22 16:06 . 2010-06-22 16:08 -------- d-----w- c:\program files\Resource Kit
    2010-06-21 20:01 . 2010-06-21 20:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\MGS
    2010-06-21 19:18 . 2010-06-21 19:18 -------- d---a-w- C:\Microgaming
    2010-06-20 20:09 . 2010-06-20 20:10 -------- d-----w- C:\2ee63a6d2f15f2bc6933a6663abb32d1
    2010-06-20 19:07 . 2010-06-20 19:07 -------- d-----w- C:\602119c08bc7fc2f3510a95ca86
    2010-06-19 19:37 . 2010-06-19 19:37 -------- d-----w- c:\documents and settings\Lynda\Local Settings\Application Data\Apple Computer
    2010-06-19 19:37 . 2010-06-19 19:37 -------- d-----w- c:\documents and settings\Lynda\Application Data\Apple Computer
    2010-06-19 19:33 . 2010-06-20 01:55 -------- d-----w- c:\program files\Safari
    2010-06-19 19:28 . 2010-06-19 22:36 -------- d-----w- c:\program files\Bonjour
    2010-06-19 19:26 . 2010-06-19 19:26 -------- d-----w- c:\documents and settings\Lynda\Local Settings\Application Data\Apple
    2010-06-19 19:25 . 2010-06-19 19:25 -------- d-----w- c:\program files\Apple Software Update
    2010-06-19 19:25 . 2010-06-19 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-06-18 20:05 . 2010-06-18 20:05 -------- d-----w- c:\documents and settings\Lynda\Application Data\Motive
    2010-06-18 19:50 . 2010-06-18 19:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\Motive
    2010-06-18 19:48 . 2010-06-18 19:52 -------- d---a-w- c:\program files\Common Files\Motive
    2010-06-18 19:34 . 2010-06-18 19:34 -------- d-----w- c:\documents and settings\Lynda\Application Data\TELUS
    2010-06-17 21:04 . 2010-06-17 21:04 -------- d-----w- c:\program files\Common Files\Command Software
    2010-06-17 21:04 . 2010-06-17 21:04 -------- d-----w- c:\program files\Common Files\PestPatrol
    2010-06-17 21:04 . 2010-06-18 19:54 -------- d-----w- c:\program files\TELUS
    2010-06-17 20:51 . 2010-06-17 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\TELUS
    2010-06-17 20:19 . 2010-06-17 20:19 -------- d-----w- C:\1a2687b8e65ac33ffdb2d3d0865a2b64
    2010-06-16 17:02 . 1999-09-25 06:55 771824 -c--a-w- c:\winnt\system32\dllcache\winacisa.sys
    2010-06-16 17:02 . 1999-10-12 22:57 68912 -c--a-w- c:\winnt\system32\dllcache\usbaudio.sys
    2010-06-16 17:02 . 1999-10-20 21:49 28432 -c--a-w- c:\winnt\system32\dllcache\tos4mo.sys
    2010-06-16 17:02 . 1999-09-25 17:34 7568 -c--a-w- c:\winnt\system32\dllcache\twotrack.sys
    2010-06-16 17:02 . 1999-09-25 02:17 17712 -c--a-w- c:\winnt\system32\dllcache\tsbmce.sys
    2010-06-16 17:02 . 1999-12-01 06:39 420624 -c--a-w- c:\winnt\system32\dllcache\spxports.dll
    2010-06-16 17:02 . 2003-06-19 19:05 104656 -c--a-w- c:\winnt\system32\dllcache\skfpwin.sys
    2010-06-16 17:02 . 1999-12-07 23:43 188688 -c--a-w- c:\winnt\system32\dllcache\sisv256.dll
    2010-06-16 17:02 . 1999-12-07 23:43 179792 -c--a-w- c:\winnt\system32\dllcache\sis6306v.dll
    2010-06-16 17:02 . 1999-09-28 03:02 71280 -c--a-w- c:\winnt\system32\dllcache\sis6306p.sys
    2010-06-16 17:02 . 1999-12-01 06:39 28432 -c--a-w- c:\winnt\system32\dllcache\sma032.dll
    2010-06-16 17:00 . 2001-05-08 12:00 24336 -c--a-w- c:\winnt\system32\dllcache\sm9232.dll
    2010-06-16 17:00 . 1999-12-01 06:39 25872 -c--a-w- c:\winnt\system32\dllcache\sm9132.dll
    2010-06-16 17:00 . 1999-12-01 06:39 25872 -c--a-w- c:\winnt\system32\dllcache\sm8c32.dll
    2010-06-16 17:00 . 1999-12-01 06:39 23824 -c--a-w- c:\winnt\system32\dllcache\sm9032.dll
    2010-06-16 17:00 . 1999-12-01 06:39 23824 -c--a-w- c:\winnt\system32\dllcache\sm8d32.dll
    2010-06-16 17:00 . 1999-12-01 06:39 32016 -c--a-w- c:\winnt\system32\dllcache\sm8732.dll
    2010-06-16 17:00 . 1999-12-01 06:39 23824 -c--a-w- c:\winnt\system32\dllcache\sm8a32.dll
    2010-06-16 17:00 . 1999-12-01 06:39 23824 -c--a-w- c:\winnt\system32\dllcache\sm8932.dll
    2010-06-16 17:00 . 1999-12-01 06:39 24848 -c--a-w- c:\winnt\system32\dllcache\sm5932.dll
    2010-06-16 16:59 . 2001-05-08 12:00 22800 -c--a-w- c:\winnt\system32\dllcache\permchk.dll
    2010-06-16 16:59 . 1999-09-25 17:36 13680 -c--a-w- c:\winnt\system32\dllcache\rnbo3531.sys
    2010-06-16 16:59 . 1999-09-25 02:17 18704 -c--a-w- c:\winnt\system32\dllcache\rtl8029.sys
    2010-06-16 16:59 . 1999-09-25 02:17 43792 -c--a-w- c:\winnt\system32\dllcache\otceth5.sys
    2010-06-16 16:59 . 1999-09-25 02:17 30064 -c--a-w- c:\winnt\system32\dllcache\pca200e.sys
    2010-06-16 16:59 . 1999-09-25 02:17 30992 -c--a-w- c:\winnt\system32\dllcache\ngrpci.sys
    2010-06-16 16:54 . 1999-12-01 06:39 6928 -c--a-w- c:\winnt\system32\dllcache\mphase32.dll
    2010-06-16 16:53 . 1999-12-07 23:43 38320 -c--a-w- c:\winnt\system32\dllcache\8514a.dll
    2010-06-16 16:53 . 1999-12-01 06:38 91920 -c--a-w- c:\winnt\system32\dllcache\acq32.dll
    2010-06-16 16:53 . 2003-06-19 19:05 10928 -c--a-w- c:\winnt\system32\dllcache\4mmdat.sys
    2010-06-16 16:53 . 1999-11-01 23:42 801072 -c--a-w- c:\winnt\system32\dllcache\3cpciadi.sys
    2010-06-16 16:53 . 1999-09-25 06:55 792176 -c--a-w- c:\winnt\system32\dllcache\3cisaadi.sys
    2010-06-16 16:53 . 1999-09-25 06:55 774928 -c--a-w- c:\winnt\system32\dllcache\3cisati.sys
    2010-06-16 16:53 . 2003-06-19 19:05 40752 -c--a-w- c:\winnt\system32\dllcache\1394bus.sys
    2010-06-16 16:53 . 1999-10-07 22:29 22992 -c--a-w- c:\winnt\system32\dllcache\15_16wdm.sys
    2010-06-16 16:53 . 1999-09-25 06:55 763024 -c--a-w- c:\winnt\system32\dllcache\3cwmcru.sys
    2010-06-15 18:51 . 2010-06-15 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\TrojanHunter
    2010-06-15 18:50 . 2010-06-27 21:59 -------- d-----w- c:\program files\TrojanHunter 5.3
    2010-06-15 00:37 . 2010-06-15 00:37 -------- d-----w- c:\documents and settings\Lynda\Application Data\Malwarebytes
    2010-06-15 00:37 . 2010-06-15 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-14 23:45 . 2010-06-14 23:45 -------- d-----w- c:\documents and settings\Lynda\Application Data\Yahoo!
    2010-06-14 23:44 . 2010-06-15 18:11 -------- d-----w- c:\program files\Yahoo!
    2010-06-14 23:44 . 2010-06-14 23:46 -------- d-----w- c:\program files\CCleaner
    2010-06-14 00:29 . 2010-06-14 00:29 -------- d-----w- c:\winnt\Local Settings
    2010-06-13 19:45 . 2010-06-13 20:07 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-06-12 17:14 . 2010-06-12 17:14 -------- d-----w- c:\winnt\E58B329BFB28487490DE0D7CB2709267.TMP
    2010-06-12 16:56 . 2010-06-12 16:56 -------- d-----w- c:\documents and settings\Lynda\Application Data\FRISK Software
    2010-06-12 16:20 . 2009-08-27 23:25 682840 ----a-w- c:\winnt\system32\drivers\FStopW.sys
    2010-06-12 16:19 . 2010-06-12 16:19 -------- d-----w- c:\program files\FRISK Software
    2010-06-11 00:26 . 2010-06-11 00:22 64288 ----a-w- c:\winnt\system32\drivers\Lbd.sys
    2010-06-11 00:26 . 2010-06-11 00:25 95024 ----a-w- c:\winnt\system32\drivers\SBREDrv.sys
    2010-06-11 00:11 . 2010-06-11 00:11 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-06-11 00:11 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
    2010-06-02 12:12 . 2010-06-02 12:12 352513 ----a-w- c:\winnt\system32\savapi3.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-29 05:51 . 2008-12-08 10:45 -------- d--h--w- c:\documents and settings\Lynda\Application Data\drivers
    2010-06-28 17:41 . 2007-10-07 02:02 -------- d-----w- c:\program files\MSN Messenger
    2010-06-28 16:38 . 2010-05-28 05:12 0 ----a-w- c:\winnt\Htumimeq.bin
    2010-06-28 08:56 . 2008-03-09 23:24 -------- d-----w- c:\program files\MailNavigator
    2010-06-28 03:39 . 2010-05-28 05:12 120 ----a-w- c:\winnt\Ujoziqefameteqar.dat
    2010-06-27 23:09 . 2007-10-10 04:51 -------- d-----w- c:\documents and settings\Lynda\Application Data\NewsBin
    2010-06-27 23:08 . 2007-10-08 21:24 -------- d-----w- c:\program files\eMule
    2010-06-27 23:06 . 2007-10-07 02:23 -------- d-----w- c:\program files\Azureus
    2010-06-25 00:55 . 2007-10-16 20:20 1960 ----a-w- c:\winnt\system32\d3d9caps.dat
    2010-06-21 08:14 . 2008-01-03 22:37 -------- d-----w- c:\program files\Common Files\snpstd
    2010-06-20 19:08 . 2009-03-15 05:32 -------- d-----w- c:\program files\Lavasoft
    2010-06-14 23:58 . 2007-10-13 05:05 -------- d-----w- c:\documents and settings\Lynda\Application Data\Azureus
    2010-06-12 07:07 . 2009-01-21 17:48 111967 ----a-w- c:\winnt\hpoins07.dat
    2010-06-04 18:03 . 2008-02-14 20:45 -------- d-----w- c:\program files\HOTALBUMMyBOX
    2010-06-04 17:16 . 2007-10-09 06:09 -------- d-----w- c:\documents and settings\Lynda\Application Data\Image Zone Express
    2010-05-13 14:18 . 2007-10-07 02:26 -------- d-----w- c:\program files\Google
    2010-05-12 18:04 . 2010-02-26 17:15 -------- d-----w- c:\documents and settings\Lynda\Application Data\Skype
    2010-05-12 17:23 . 2008-09-16 03:45 -------- d-----w- c:\documents and settings\Lynda\Application Data\skypePM
    2009-10-07 20:35 . 2009-10-07 20:35 19135 ----a-w- c:\program files\Heather's School Photo 2008-2009 (240 x 338).jpg
    2007-10-06 22:54 . 2007-10-06 22:54 21952 ---h--w- c:\program files\folder.htt
    2007-07-26 23:06 . 2007-10-13 05:00 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
    2007-07-26 23:06 . 2007-10-13 05:00 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
    2007-07-26 23:06 . 2007-10-13 05:00 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
    .

    ------- Sigcheck -------

    [-] 2002-11-27 02:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [ERROR: 0x0] . . c:\winnt\system32\mspmsnsv.dll

    [-] 2004-07-09 12:27 . 0E51BD586D186F61A9E4453DB8AEC774 . 1703936 . . [ERROR: 0x0] . . c:\winnt\system32\d3d9.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{9df9b682-9c18-4a01-bac3-a265ca7cd866} "= "mscoree.dll" [2006-12-22 271360]

    [HKEY_CLASSES_ROOT\clsid\{9df9b682-9c18-4a01-bac3-a265ca7cd866}]
    [HKEY_CLASSES_ROOT\EGToolbar.EGToolbar]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-08 68856]
    "NBJ "= "c:\program files\Ahead\Nero BackItUp\nbj.exe" [2006-09-15 2048000]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager "= "mobsync.exe" [2003-06-19 111376]
    "NeroFilterCheck "= "c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 136600]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-01-10 286720]
    "MBBalloon "= "c:\program files\HOTALBUMMyBOX\MBBalloon.exe" [2007-02-09 789120]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-16 185896]
    "eFax 4.3 "= "c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "THGuard "= "c:\program files\TrojanHunter 5.3\THGuard.exe" [2010-03-20 1070240]
    "GlobeCom_Full_Client_McciTrayApp "= "c:\program files\TELUS\TELUS Support Centre\bin\McciTrayApp.exe" [2009-05-27 1528832]
    "snpstd "= "c:\winnt\vsnpstd.exe" [2004-01-01 40960]
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "internat.exe "= "internat.exe" [2001-05-08 20752]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop "= "c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-8-20 629248]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FPAVServer]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
    @= "FSFilter System Recovery "

    R0 FPAV_RTP;FPAV_RTP;c:\winnt\system32\drivers\FStopW.sys [12/06/2010 9:20 AM 682840]
    R0 PzWDM;PzWDM;c:\winnt\system32\drivers\PzWDM.sys [14/02/2008 1:46 PM 15172]
    R2 ASTRA32;ASTRA32 Kernel Driver 5.2.1.0;c:\program files\ASTRA32\astra32.sys [22/02/2007 11:28 AM 30864]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [27/06/2010 10:32 PM 304464]
    R3 MBAMProtector;MBAMProtector;c:\winnt\system32\drivers\mbam.sys [27/06/2010 10:32 PM 19288]
    R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [19/06/2003 12:05 PM 24784]
    R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [06/10/2007 8:35 AM 49776]
    S0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [10/06/2010 5:26 PM 64288]
    S2 gupdate1c9a8cb2e4ea6b0;Google Update Service (gupdate1c9a8cb2e4ea6b0);c:\program files\Google\Update\GoogleUpdate.exe [19/03/2009 12:44 PM 133104]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; "c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
    S3 DM9USB;ST268 USB To Fast Ethernet Adapter;c:\winnt\system32\drivers\dm9usb.sys [20/02/2009 7:02 PM 21376]
    S3 ne2000;Novell/Eagle NE2000 Adapter Driver;c:\winnt\system32\drivers\ne2000.sys [20/02/2009 4:33 PM 16016]
    S4 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe [27/08/2009 4:26 PM 75424]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - IPNAT
    *NewlyCreated* - RASAUTO
    *NewlyCreated* - SHAREDACCESS
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-26 c:\winnt\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

    2010-06-01 c:\winnt\Tasks\Backup.job
    - c:\winnt\system32\ntbackup.exe [2003-06-19 19:05]

    2010-06-29 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 19:44]

    2010-06-29 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-19 19:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.ca/
    uSearch Bar = hxxp://www.google.com/ie
    mSearch Bar = hxxp://internetsearchservice.com/ie6.html
    mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchURL = hxxp://internetsearchservice.com
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    LSP: %SystemRoot%\system32\msafd.dll
    DPF: CabBuilder - hxxp://www.imgag.com/kiw/toolbar/download/InstallerControl.cab
    FF - ProfilePath - c:\documents and settings\Lynda\Application Data\Mozilla\Firefox\Profiles\io85391o.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 10);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-qaieyi - c:\documents and settings\Lynda\qaieyi.exe
    HKCU-Run-Nkewewuxiqeniw - c:\winnt\CRAunc.dll
    HKLM-Run-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    HKLM-Run-Qlozowaqifihufeh - c:\winnt\iseweyif.dll
    SharedTaskScheduler-{ecc974ae-6ede-44a2-90da-93b996d8eaf8} - (no file)
    SafeBoot-SRService



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-29 01:37
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0xFFABC78A]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xed022ac3
    \Driver\ACPI -> ACPI.sys @ 0xbffde554
    \Driver\atapi -> ntoskrnl.exe @ 0x804d3c94
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x804ba696
    ParseProcedure -> ntoskrnl.exe @ 0x8049c41b
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x804ba696
    ParseProcedure -> ntoskrnl.exe @ 0x8049c41b

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-117609710-842925246-1343024091-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8593F352-608B-7BFB-82A0-0F4F572D13D6}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "oakgbfagfodpbopkgljleebehnjocb "=hex:69,61,6f,6e,65,70,70,6f,64,65,6b,6a,6d,6f,
    61,70,70,63,00,00
    "naaghdpjedpaepnlohbeebkhgjff "=hex:6a,61,70,6e,62,6f,62,6c,63,68,65,6f,66,69,
    6a,65,6b,6d,68,6a,00,00

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINNT\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(216)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL

    - - - - - - - > 'explorer.exe'(1560)
    c:\winnt\AppPatch\AcLayers.DLL
    c:\winnt\system32\MSI.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Bonjour\mDNSResponder.exe
    c:\winnt\system32\hidserv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\winnt\system32\regsvc.exe
    c:\winnt\system32\MSTask.exe
    c:\winnt\System32\WBEM\WinMgmt.exe
    c:\winnt\system32\mspmspsv.exe
    c:\winnt\system32\stisvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-06-29 01:48:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-06-29 08:48

    Pre-Run: 6,193,512,448 bytes free
    Post-Run: 6,774,714,368 bytes free

    - - End Of File - - 1BDA35B13B2C535335802A5BB75A078E
     
  10. 2010/06/29
    broni Moderator Malware Analyst

    Please, attempt to run Malwarebytes again. Make sure to update it first.
     
  11. 2010/06/29
    lynsing Inactive Thread Starter

    Well, things seemed to be running fairly well up until I tried to get on this site; now everything seems to be moving at a snail's pace. I still cannot get into Outlook Express. The Msoe.dll will not load. Ran Malwarebytes after update and removed as directed. Here is the log.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4259

    Windows 5.0.2195 Service Pack 4
    Internet Explorer 6.0.2800.1106

    29/06/2010 7:42:33 PM
    mbam-log-2010-06-29 (19-42-33).txt

    Scan type: Quick scan
    Objects scanned: 103289
    Time elapsed: 11 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 49
    Registry Values Infected: 1
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.Google.com/) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\(default) (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.Google.com/) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com) Good: (http://www.Google.com/) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Lynda\Desktop\qaieyi.exe (Worm.Autorun) -> No action taken.
     
  12. 2010/06/29
    broni Moderator Malware Analyst

    MBAM log says "No action taken" after each line.
    Please, re-do it and make sure you fix all issues this time around.
     
  13. 2010/06/29
    lynsing Inactive Thread Starter

    Oops, my apologies. I guess this program did create a log before.
    This is the log after cleaning. Excuse me.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4259

    Windows 5.0.2195 Service Pack 4
    Internet Explorer 6.0.2800.1106

    29/06/2010 7:42:59 PM
    mbam-log-2010-06-29 (19-42-59).txt

    Scan type: Quick scan
    Objects scanned: 103289
    Time elapsed: 11 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 49
    Registry Values Infected: 1
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\(default) (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.SearchPage) -> Bad: (http://internetsearchservice.com) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Lynda\Desktop\qaieyi.exe (Worm.Autorun) -> Quarantined and deleted successfully.
     
  14. 2010/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please delete your GMER file, download a new one and post a fresh log.
     
  15. 2010/06/30
    lynsing

    lynsing Inactive Thread Starter

    Joined:
    2010/06/27
    Messages:
    30
    Likes Received:
    0
    New GMER log


    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-06-30 14:24:29
    Windows 5.0.2195 Service Pack 4
    Running: gmer.exe; Driver: C:\DOCUME~1\Lynda\LOCALS~1\Temp\uwdcqfob.sys


    ---- System - GMER 1.0.15 ----

    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xED03087E] <-- ROOTKIT !!!
    SSDT \??\C:\WINNT\system32\drivers\mbam.sys (Malwarebytes' Anti-Malware/Malwarebytes Corporation) ZwCreateSection [0xBC6DC010] <-- ROOTKIT !!!
    SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xED030BFE] <-- ROOTKIT !!!

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINNT\system32\drivers\PzWDM.sys entry point in "init" section [0xED41830E]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE[620] ole32.dll!OleLoadFromStream 7CE60C22 6 Bytes JMP 30F8D300 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation)
    .text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[1292] ole32.dll!OleLoadFromStream 7CE60C22 6 Bytes JMP 30F8D300 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\WININET.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\WINNT\Explorer.EXE[328] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs FStopW.sys (FPAV - RealTime Protector/FRISK Software International)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat FStopW.sys (FPAV - RealTime Protector/FRISK Software International)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8593F352-608B-7BFB-82A0-0F4F572D13D6}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8593F352-608B-7BFB-82A0-0F4F572D13D6}@oakgbfagfodpbopkgljleebehnjocb 0x69 0x61 0x6F 0x6E ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8593F352-608B-7BFB-82A0-0F4F572D13D6}@naaghdpjedpaepnlohbeebkhgjff 0x6A 0x61 0x70 0x6E ...

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 28: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 38: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 41: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 44: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 46: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 47: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 48: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 50: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 51: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 52: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 55: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----
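A small triage helper for a GMER log like the one just posted, added here as an example (it is neither the thread's nor GMER's own code): it sets aside SSDT hooks whose vendor is a known security product, keeps the hidden service and the flagged disk sectors for review, and calls out sector 0 separately because that is the MBR. The vendor allow-list and the log excerpt embedded as sample input are assumptions taken from the log above.

```python
"""Triage a GMER rootkit-scan log (added example, not part of the thread or of GMER).

GMER tags every SSDT hook, hidden service and odd disk sector with "<-- ROOTKIT !!!",
so the first step is to set aside hooks owned by known security products.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed allow-list: vendors whose kernel hooks are expected on this machine.
# These two are the products visible in the log posted above.
KNOWN_SECURITY_VENDORS = frozenset({"Lavasoft AB", "Malwarebytes Corporation"})

# "SSDT <module> (<description/vendor>) <ZwFunction> [<address>] <-- ROOTKIT !!!"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)"
    r"\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
# "Service <image> (*** hidden *** ) [<start type>] <name> <-- ROOTKIT !!!"
HIDDEN_SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
# "Disk <device> sector <n>: rootkit-like behavior;"
SECTOR_RE = re.compile(
    r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s+rootkit-like behavior"
)


@dataclass
class Finding:
    kind: str      # "ssdt_hook", "hidden_service" or "disk_sector"
    detail: str
    verdict: str   # "expected" (known security product) or "review"


def triage_gmer_log(text: str) -> List[Finding]:
    """Classify every GMER 'ROOTKIT' hit in the log text, line by line."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            desc = m.group("desc") or ""
            vendor = desc.rsplit("/", 1)[-1].strip()   # GMER prints "Product/Vendor"
            verdict = "expected" if vendor in KNOWN_SECURITY_VENDORS else "review"
            findings.append(Finding(
                "ssdt_hook",
                f"{m.group('func')} hooked by {m.group('module')} ({vendor or 'no vendor info'})",
                verdict))
            continue
        m = HIDDEN_SERVICE_RE.match(line)
        if m:
            findings.append(Finding(
                "hidden_service",
                f"service {m.group('name')} ({m.group('start')}) hidden, image {m.group('path')}",
                "review"))
            continue
        m = SECTOR_RE.match(line)
        if m:
            sector = int(m.group("sector"))
            # Sector 0 is the MBR; a flag there points at a bootkit rather than a hook.
            detail = f"{m.group('device')} sector {sector}" + (" (MBR)" if sector == 0 else "")
            findings.append(Finding("disk_sector", detail, "review"))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """One line per expected hook and per item to review; sectors are rolled up."""
    lines = [f"OK      {f.detail}" for f in findings if f.verdict == "expected"]
    lines += [f"REVIEW  {f.detail}" for f in findings
              if f.verdict == "review" and f.kind != "disk_sector"]
    sectors = [f for f in findings if f.kind == "disk_sector"]
    if sectors:
        mbr = any(f.detail.endswith("(MBR)") for f in sectors)
        lines.append(f"REVIEW  {len(sectors)} disk sector(s) flagged"
                     + (", including the MBR" if mbr else ""))
    return lines


# Constructed sample: the flagged lines from the GMER log posted above
# (headers and the long IAT section left out; only three of the 64 sector lines kept).
SAMPLE_LOG = """\
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xED03087E] <-- ROOTKIT !!!
SSDT \\??\\C:\\WINNT\\system32\\drivers\\mbam.sys (Malwarebytes' Anti-Malware/Malwarebytes Corporation) ZwCreateSection [0xBC6DC010] <-- ROOTKIT !!!
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xED030BFE] <-- ROOTKIT !!!
Service C:\\WINNT\\system32\\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 00: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sector 01: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sector 63: rootkit-like behavior;
"""

if __name__ == "__main__":
    for line in summarize(triage_gmer_log(SAMPLE_LOG)):
        print(line)
```

On the excerpt above the three SSDT hooks come out as expected (Lavasoft and Malwarebytes), while the hidden Schedule service and the flagged sectors, MBR included, are what the moderator's next step (TDSSKiller) is aimed at.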
     
  16. 2010/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Note: If you have a previous version of TDSSKiller downloaded, please delete it now and download a fresh copy using the links provided below.

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
     
  17. 2010/06/30
    lynsing

    lynsing Inactive Thread Starter

    Joined:
    2010/06/27
    Messages:
    30
    Likes Received:
    0
    18:06:26:490 1328 TDSS rootkit removing tool 2.3.2.1 Jun 30 2010 09:28:26
    18:06:26:490 1328 ================================================================================
    18:06:26:490 1328 SystemInfo:

    18:06:26:490 1328 OS Version: 5.0.2195 ServicePack: 4.0
    18:06:26:490 1328 Product type: Workstation
    18:06:26:490 1328 ComputerName: LYNDA-4F4C00F7A
    18:06:26:490 1328 UserName: Lynda
    18:06:26:490 1328 Windows directory: C:\WINNT
    18:06:26:490 1328 System windows directory: C:\WINNT
    18:06:26:490 1328 Processor architecture: Intel x86
    18:06:26:490 1328 Number of processors: 1
    18:06:26:490 1328 Page size: 0x1000
    18:06:26:490 1328 Boot type: Normal boot
    18:06:26:490 1328 ================================================================================
    18:06:26:730 1328 RegExUnlockDeleteW: RegCreateKeyExW(System\CurrentControlSet\Control\SafeBoot\Minimal\klmd23.sys) error 2
    18:06:26:730 1328 RegExUnlockDeleteW: RegCreateKeyExW(System\CurrentControlSet\Control\SafeBoot\Network\klmd23.sys) error 2
    18:06:27:732 1328 Initialize success
    18:06:27:732 1328
    18:06:27:732 1328 Scanning Services ...
    18:06:29:094 1328 Raw services enum returned 292 services
    18:06:29:104 1328
    18:06:29:104 1328 Scanning Drivers ...
    18:06:31:467 1328 ACPI (083049d5dc3f32d17c2edfb732c78a09) C:\WINNT\system32\DRIVERS\ACPI.sys
    18:06:31:717 1328 ACPIEC (4b10b4db777ee2ef8e755e7f3d7c4fe8) C:\WINNT\system32\drivers\ACPIEC.sys
    18:06:32:158 1328 AFD (632d753e9f103ebd30b18ce9f03596ab) C:\WINNT\System32\drivers\afd.sys
    18:06:34:612 1328 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINNT\system32\drivers\aspi32.sys
    18:06:34:692 1328 ASTRA32 (5fc1fed39ed5d3f71c7d2fc16a49e2a2) C:\Program Files\ASTRA32\ASTRA32.sys
    18:06:34:922 1328 AsyncMac (5d3d77c9eb3a8e6a14cc8e1252b6cc5c) C:\WINNT\system32\DRIVERS\asyncmac.sys
    18:06:35:142 1328 atapi (8c718aa8c77041b3285d55a0ce980867) C:\WINNT\system32\DRIVERS\atapi.sys
    18:06:35:613 1328 ati2mtaa (eec9c6ce66cee1f35fd220f5147e8c2d) C:\WINNT\system32\DRIVERS\ati2mtaa.sys
    18:06:35:873 1328 Atmarpc (3e348b3313ea633d45caf59da0d631ba) C:\WINNT\system32\DRIVERS\atmarpc.sys
    18:06:36:094 1328 audstub (39d57104a45270f0d376e9ddb484ebbd) C:\WINNT\system32\DRIVERS\audstub.sys
    18:06:36:324 1328 Beep (df012c2853281ce2bf536e8de871c8c1) C:\WINNT\system32\drivers\Beep.sys
    18:06:37:035 1328 CCDECODE (1478e6a09512235b9e119d2920477021) C:\WINNT\system32\DRIVERS\CCDECODE.sys
    18:06:37:476 1328 Cdaudio (b101e013d810d6125e17125e324fcd2c) C:\WINNT\system32\drivers\Cdaudio.sys
    18:06:37:726 1328 Cdfs (66c19373d5eb657fb028133bde5d2acb) C:\WINNT\system32\drivers\Cdfs.sys
    18:06:37:956 1328 Cdr4_2K (9880f86f4261699273f818ae50216b8c) C:\WINNT\system32\drivers\Cdr4_2K.sys
    18:06:38:187 1328 Cdralw2k (300500fb3ef21374f7194f9f42b130bc) C:\WINNT\system32\drivers\Cdralw2k.sys
    18:06:38:407 1328 Cdrom (4b86a90a7f0095d514d22a9083826488) C:\WINNT\system32\DRIVERS\cdrom.sys
    18:06:40:150 1328 Disk (322b9a3774dbf119f6635a476b0eb058) C:\WINNT\system32\DRIVERS\disk.sys
    18:06:40:390 1328 Diskperf (fd94497dd145b3920f5c393eab50ee3a) C:\WINNT\system32\drivers\Diskperf.sys
    18:06:40:630 1328 DM9USB (8842b0c5a5a24164f69b1a5ede4c2519) C:\WINNT\system32\DRIVERS\dm9usb.sys
    18:06:40:901 1328 dmboot (0b91c63540682bc3c826fc6d8b3ecb7b) C:\WINNT\system32\drivers\dmboot.sys
    18:06:41:181 1328 dmio (6b35bfdbdbc247113852f18bf0f10e3c) C:\WINNT\system32\drivers\dmio.sys
    18:06:41:421 1328 dmload (3f1701ffa97ab012685abc8a2d6fce22) C:\WINNT\system32\drivers\dmload.sys
    18:06:41:662 1328 DMusic (3431984234b5988d4c09f043cf4cd779) C:\WINNT\system32\drivers\DMusic.sys
    18:06:41:892 1328 EFS (b2916926428c0410fc1a26da0b650e41) C:\WINNT\system32\drivers\EFS.sys
    18:06:42:142 1328 es1371 (6766378af10e8b901befe5939dac6f9a) C:\WINNT\system32\drivers\es1371mp.sys
    18:06:42:393 1328 Fastfat (533478c99ca81fd700bcf6a2754ce793) C:\WINNT\system32\drivers\Fastfat.sys
    18:06:42:843 1328 Fdc (233e2c4dae9c84cef241f0ea30619629) C:\WINNT\system32\DRIVERS\fdc.sys
    18:06:43:084 1328 Fips (b27a36d4725a362a13d0c52ad6c7175b) C:\WINNT\system32\drivers\Fips.sys
    18:06:43:755 1328 Flpydisk (6ca845333da54f27a8657be7ee0b600d) C:\WINNT\system32\DRIVERS\flpydisk.sys
    18:06:43:995 1328 FltMgr (f574c40cd0db393c361363cc21592f4a) C:\WINNT\system32\drivers\fltmgr.sys
    18:06:44:316 1328 FPAV_RTP (ba50532419b00de2e99b8913a5abf3f6) C:\WINNT\system32\DRIVERS\FStopW.sys
    18:06:44:636 1328 Freedom (a7e22a231de27fd315135e5d172689fd) C:\WINNT\system32\DRIVERS\FREEDOM.SYS
    18:06:44:886 1328 Fs_Rec (405f231ad65c03dac70992a2aba759a5) C:\WINNT\system32\drivers\Fs_Rec.sys
    18:06:45:127 1328 Ftdisk (c757a3eefa44ea2d562424a4060329a6) C:\WINNT\system32\DRIVERS\ftdisk.sys
    18:06:45:447 1328 Gpc (6667d07854a3ae7715d22b82761cf0e7) C:\WINNT\system32\DRIVERS\msgpc.sys
    18:06:45:708 1328 HidUsb (ff2ca3c8d0193800e4fa510ffde0960e) C:\WINNT\system32\DRIVERS\hidusb.sys
    18:06:45:938 1328 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINNT\system32\DRIVERS\HPZid412.sys
    18:06:46:188 1328 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINNT\system32\DRIVERS\HPZipr12.sys
    18:06:46:429 1328 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINNT\system32\DRIVERS\HPZius12.sys
    18:06:46:679 1328 i8042prt (3b538e8a6b5e078406159edfe09a5e53) C:\WINNT\system32\DRIVERS\i8042prt.sys
    18:06:47:150 1328 IntelIde (2c764febd7197e3331556fe215add934) C:\WINNT\system32\DRIVERS\intelide.sys
    18:06:47:390 1328 IpFilterDriver (09a604211e2b2334fc023a41337e3165) C:\WINNT\system32\DRIVERS\ipfltdrv.sys
    18:06:47:640 1328 IpInIp (dbc1437b56eea1af02cd39c011904491) C:\WINNT\system32\DRIVERS\ipinip.sys
    18:06:47:901 1328 IpNat (adb8a3465c0fc01c3ae633adb33fcbb3) C:\WINNT\system32\DRIVERS\ipnat.sys
    18:06:48:161 1328 IPSEC (9d61c8e8044bdaac6d922eb27552f93a) C:\WINNT\system32\DRIVERS\ipsec.sys
    18:06:48:612 1328 IRENUM (7f5315e32be0632f680b30e03a2ca809) C:\WINNT\system32\DRIVERS\irenum.sys
    18:06:48:872 1328 isapnp (b630369ca276fd208c1b5146920b5f2e) C:\WINNT\system32\DRIVERS\isapnp.sys
    18:06:49:132 1328 Kbdclass (399055f5c4a98f39b47d26888a72145d) C:\WINNT\system32\DRIVERS\kbdclass.sys
    18:06:49:413 1328 kbdhid (5afd9413400ffb2b57e9be900a12b160) C:\WINNT\system32\DRIVERS\kbdhid.sys
    18:06:49:653 1328 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINNT\system32\drivers\klmd.sys
    18:06:49:894 1328 kmixer (8e198ec9e823aa42edf45b07efe395ac) C:\WINNT\system32\drivers\kmixer.sys
    18:06:50:144 1328 KSecDD (80ffb99dcb8e6ab8a01be04fcb0b0758) C:\WINNT\system32\drivers\KSecDD.sys
    18:06:50:404 1328 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINNT\system32\DRIVERS\Lbd.sys
    18:06:51:135 1328 MBAMProtector (a1cd8eec777f05de505b76bb96709498) C:\WINNT\system32\drivers\mbam.sys
    18:06:51:386 1328 MDC8021X (d7010580bf4e45d5e793a1fe75758c69) C:\WINNT\system32\DRIVERS\mdc8021x.sys
    18:06:51:636 1328 mnmdd (f9a1ccc84d1c8b392d67bf2e661ed334) C:\WINNT\system32\drivers\mnmdd.sys
    18:06:51:886 1328 Modem (37478d40030b15ca3860509d4f5d39d8) C:\WINNT\system32\drivers\Modem.sys
    18:06:52:147 1328 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINNT\system32\DRIVERS\motmodem.sys
    18:06:52:838 1328 Mouclass (8d038dde3f19b88427968e99a6216766) C:\WINNT\system32\DRIVERS\mouclass.sys
    18:06:53:779 1328 mouhid (80d48f52414f7798432a4764beccbcec) C:\WINNT\system32\DRIVERS\mouhid.sys
    18:06:54:340 1328 MountMgr (75e57b9f5c36137ea79466c3b63c38cc) C:\WINNT\system32\drivers\MountMgr.sys
    18:06:55:221 1328 MPE (83eff7b976ae24f1a496ca94a8a19919) C:\WINNT\system32\DRIVERS\MPE.sys
    18:06:56:183 1328 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    18:06:56:974 1328 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    18:06:57:444 1328 MRxSmb (fc5a904bc78d43f2f7f014bd0d239c6d) C:\WINNT\system32\DRIVERS\mrxsmb.sys
    18:06:57:785 1328 Msfs (8840bc3953d2c0bbb104932cab848a27) C:\WINNT\system32\drivers\Msfs.sys
    18:06:58:035 1328 MSKSSRV (883385dc3eca3cf7c2d7efcf644ca5ae) C:\WINNT\system32\drivers\MSKSSRV.sys
    18:06:58:296 1328 MSPCLOCK (4d0e25cb6bfd5bedd546501faf69b3f7) C:\WINNT\system32\drivers\MSPCLOCK.sys
    18:06:58:546 1328 MSPQM (bb041315c9930063e5eab0bee90acff6) C:\WINNT\system32\drivers\MSPQM.sys
    18:06:58:786 1328 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINNT\system32\drivers\MSTEE.sys
    18:06:59:027 1328 Mup (84d27503181b716a222299e59cd1259a) C:\WINNT\system32\drivers\Mup.sys
    18:06:59:267 1328 NABTSFEC (bb1c45d114b6dab0babf6b2fb0336db2) C:\WINNT\system32\DRIVERS\NABTSFEC.sys
    18:07:00:048 1328 Nbf (c833146f3758b29ccf100fc32dad6fc4) C:\WINNT\system32\DRIVERS\nbf.sys
    18:07:00:529 1328 NDIS (fb4f2d0595bd3546a4dd915e4a9b4809) C:\WINNT\system32\drivers\NDIS.sys
    18:07:00:789 1328 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINNT\system32\DRIVERS\NdisIP.sys
    18:07:01:030 1328 NdisTapi (e6f675c75c53887c58b98d6db356b153) C:\WINNT\system32\DRIVERS\ndistapi.sys
    18:07:01:370 1328 Ndisuio (69ecae880bdac3c288f0508df9cdeef0) C:\WINNT\system32\DRIVERS\ndisuio.sys
    18:07:01:620 1328 NdisWan (b86a37aa73868343a9eee148fdfce1e0) C:\WINNT\system32\DRIVERS\ndiswan.sys
    18:07:01:861 1328 NDProxy (1f426863d87bdf75aec76584223cd0c7) C:\WINNT\system32\drivers\NDProxy.sys
    18:07:02:111 1328 ne2000 (c48551146b38a960d4e3bb873ccb0ac0) C:\WINNT\system32\DRIVERS\ne2000.sys
    18:07:02:371 1328 NetBIOS (5151e6020a26bf7bc21c18fd612506bd) C:\WINNT\system32\DRIVERS\netbios.sys
    18:07:02:632 1328 NetBT (a7ca87628217bbf4a6f501db65b19e9d) C:\WINNT\system32\DRIVERS\netbt.sys
    18:07:03:153 1328 NetDetect (9b2a6147a22f7e696cc7538283de6346) C:\WINNT\system32\drivers\netdtect.sys
    18:07:03:633 1328 Npfs (e85a77dfcb8f1088f85120ca123ce191) C:\WINNT\system32\drivers\Npfs.sys
    18:07:04:154 1328 Ntfs (7dc1f0f9bf87ca5cee9a46c9a63dc1d3) C:\WINNT\system32\drivers\Ntfs.sys
    18:07:04:665 1328 Null (280209cde798720a24d232bf9cfda8e9) C:\WINNT\system32\drivers\Null.sys
    18:07:04:935 1328 NwlnkFlt (9b0d6fb5c5d6a7571aedb0c1a7a9c1b6) C:\WINNT\system32\DRIVERS\nwlnkflt.sys
    18:07:05:196 1328 NwlnkFwd (09fa39e4812fdd042834650df09675a0) C:\WINNT\system32\DRIVERS\nwlnkfwd.sys
    18:07:05:536 1328 NwlnkIpx (f157c86b9f6039e08112b8924ff5d548) C:\WINNT\system32\DRIVERS\nwlnkipx.sys
    18:07:05:796 1328 NwlnkNb (746d4aea42a96942b8309bf16ae589d2) C:\WINNT\system32\DRIVERS\nwlnknb.sys
    18:07:06:057 1328 NwlnkSpx (b62a4c474ee334f2861df2c12c6e154f) C:\WINNT\system32\DRIVERS\nwlnkspx.sys
    18:07:06:287 1328 openhci (3eb4141801e4c71eb766faf73e870dc3) C:\WINNT\system32\DRIVERS\openhci.sys
    18:07:06:758 1328 Parallel (ea27799907eabdb66d2d56af68cd4f06) C:\WINNT\system32\DRIVERS\parallel.sys
    18:07:07:479 1328 Parport (69b713583d6e063ac487e2da30c04289) C:\WINNT\system32\DRIVERS\parport.sys
    18:07:07:769 1328 PartMgr (f9e922dbe9f3719ce8376cc7ed18cb8d) C:\WINNT\system32\drivers\PartMgr.sys
    18:07:08:020 1328 ParVdm (888f6a6ad5810f5828de594e17fe8f3b) C:\WINNT\system32\drivers\ParVdm.sys
    18:07:08:270 1328 PCI (f0791b1f424f8d84a81d9ae6cfadf089) C:\WINNT\system32\DRIVERS\pci.sys
    18:07:09:191 1328 PCIIde (7d0bcb325d29d15024d6a572044e410b) C:\WINNT\system32\drivers\PCIIde.sys
    18:07:09:812 1328 Pcmcia (b737c89d439b771d92d7c5e8b8d3917c) C:\WINNT\system32\drivers\Pcmcia.sys
    18:07:10:173 1328 PptpMiniport (0e0212bbbf15800f1536cbfa157dddd6) C:\WINNT\system32\DRIVERS\raspptp.sys
    18:07:10:433 1328 PSched (7cb5efdfc5d8db9067ade522d1422b10) C:\WINNT\system32\DRIVERS\psched.sys
    18:07:10:673 1328 Ptilink (b78775f217255f786c2e8dbe4334e413) C:\WINNT\system32\DRIVERS\ptilink.sys
    18:07:10:954 1328 PzWDM (36cf3653d367cbc72a38625543f3d4d1) C:\WINNT\system32\Drivers\PzWDM.sys
    18:07:12:226 1328 RasAcd (63051b814e005dc62c7a0971668c52b4) C:\WINNT\system32\DRIVERS\rasacd.sys
    18:07:12:516 1328 Rasl2tp (ec6037c594f20adedea65f0d809493d2) C:\WINNT\system32\DRIVERS\rasl2tp.sys
    18:07:12:766 1328 Raspti (cb09a98e97e52c389ab17b1e003c9566) C:\WINNT\system32\DRIVERS\raspti.sys
    18:07:13:067 1328 RCA (afce1f733a6aa3a90ac60794dfb26104) C:\WINNT\system32\drivers\RCA.sys
    18:07:13:758 1328 Rdbss (9218c2c9af3888fa2e808809b084b0df) C:\WINNT\system32\DRIVERS\rdbss.sys
    18:07:14:739 1328 redbook (b5120cb5081865b0c7d93c305c7da939) C:\WINNT\system32\DRIVERS\redbook.sys
    18:07:15:010 1328 rtl8139 (5b69b0212d4da72f1627c354277138b3) C:\WINNT\system32\DRIVERS\RTL8139.SYS
    18:07:15:420 1328 serenum (6db5fdf67486679da3149ef212374861) C:\WINNT\system32\DRIVERS\serenum.sys
    18:07:15:691 1328 Serial (80f28698f48e298d278057f23206133b) C:\WINNT\system32\DRIVERS\serial.sys
    18:07:15:941 1328 Sfloppy (96b8aae4f799e81a23aeda935e14f768) C:\WINNT\system32\drivers\Sfloppy.sys
    18:07:16:652 1328 SLIP (92723fbdd30771c293fe5ed266a31ca6) C:\WINNT\system32\DRIVERS\SLIP.sys
    18:07:16:912 1328 snpstd (7452187a8f1ac46ce4f21be616e8d5f3) C:\WINNT\system32\DRIVERS\snpstd.sys
    18:07:17:834 1328 Srv (a908898f3fa95fd561c442dfc013f5a2) C:\WINNT\system32\DRIVERS\srv.sys
    18:07:18:144 1328 streamip (4544fd0db39cb7b385a5392c068162cd) C:\WINNT\system32\DRIVERS\StreamIP.sys
    18:07:18:605 1328 swenum (a151f2d55ebf635550709c48fce564aa) C:\WINNT\system32\DRIVERS\swenum.sys
    18:07:19:456 1328 swmidi (8c7cd06d097a59391d94b59715fca67c) C:\WINNT\system32\drivers\swmidi.sys
    18:07:22:030 1328 sysaudio (6c14d96f8c1ba929fad4ba40a29217fa) C:\WINNT\system32\drivers\sysaudio.sys
    18:07:23:071 1328 tapvpn (27a2c318cd28cfb3eb2200fd96af1e58) C:\WINNT\system32\DRIVERS\tapvpn.sys
    18:07:23:782 1328 Tcpip (02fae418bd28e185a4909e5869497de5) C:\WINNT\system32\DRIVERS\tcpip.sys
    18:07:25:214 1328 Udfs (1151500efb8759a69c3a0bb1f274138c) C:\WINNT\system32\drivers\Udfs.sys
    18:07:25:485 1328 uhcd (376fb5e14b9d375db3536ba563eae97a) C:\WINNT\system32\DRIVERS\uhcd.sys
    18:07:26:526 1328 Update (7a77f319935328cf30945fe0f3c69c9a) C:\WINNT\system32\DRIVERS\update.sys
    18:07:26:877 1328 usbehci (86c71ce544358d3227206a894ae04443) C:\WINNT\system32\DRIVERS\usbehci.sys
    18:07:27:217 1328 usbhub (5c202078f5d500786a1f3279fac3aa64) C:\WINNT\system32\DRIVERS\usbhub.sys
    18:07:27:678 1328 usbhub20 (b0205d19ba25ca654810d0aed04496a8) C:\WINNT\system32\DRIVERS\usbhub20.sys
    18:07:28:639 1328 usbprint (e0e4367f5eff9e84fafeeba6ab937fd8) C:\WINNT\system32\DRIVERS\usbprint.sys
    18:07:28:950 1328 usbscan (6c0a98c98b84eee9e3fb1cf86b6250b8) C:\WINNT\system32\DRIVERS\usbscan.sys
    18:07:30:031 1328 usbsermpt (caad3467fbfae8a380f67e9c7150a85e) C:\WINNT\system32\DRIVERS\usbsermpt.sys
    18:07:30:692 1328 USBSTOR (13eba8a2da3447fe7f217e34210ac554) C:\WINNT\system32\DRIVERS\USBSTOR.SYS
    18:07:31:143 1328 VgaSave (1b0040415ba34497a8d76a553aee88aa) C:\WINNT\System32\drivers\vga.sys
    18:07:31:774 1328 Wanarp (aa8c76dfc4afa72f09fdbc6621b7d38d) C:\WINNT\system32\DRIVERS\wanarp.sys
    18:07:32:224 1328 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINNT\system32\DRIVERS\Wdf01000.sys
    18:07:32:695 1328 wdmaud (997d25513bc89614417829b5bec7c75c) C:\WINNT\system32\drivers\wdmaud.sys
    18:07:32:996 1328 WSTCODEC (04aca6442e639a794293828e8dda7a44) C:\WINNT\system32\DRIVERS\WSTCODEC.SYS
    18:07:33:046 1328
    18:07:33:046 1328 Completed
    18:07:33:046 1328
    18:07:33:046 1328 Results:
    18:07:33:046 1328 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    18:07:33:046 1328 File objects infected / cured / cured on reboot: 0 / 0 / 0
    18:07:33:046 1328
    18:07:33:136 1328 KLMD(ARK) unloaded successfully
     
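The driver listing above is the kind of artefact worth triaging mechanically rather than by eye: every line carries the service name, the MD5 of the image, and the path it was loaded from. As an added example (not part of the original post and not TDSSKiller's own code), here is a small parser for that line format with two triage checks: drivers loaded from outside the Windows 2000 driver directories, and one hash appearing under several service names. The sample lines are copied from the log above; the regular expression and the list of "standard" directories are assumptions for a default Windows 2000 install.

```python
import re
from pathlib import PureWindowsPath

# Assumed line format: "HH:MM:SS:mmm <pid> <service> (<md5>) <path>"
LINE_RE = re.compile(
    r"^\s*(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)

# Assumption: where a default Windows 2000 install keeps its own kernel drivers.
# A driver loaded from elsewhere is not automatically bad (third-party tools do
# it), but it is where an analyst looks first.
STANDARD_DRIVER_DIRS = ("c:\\winnt\\system32\\drivers", "c:\\winnt\\system32")

# Sample input: lines copied from the log above, plus the trailer lines the
# parser must skip.
SAMPLE_LOG = r"""
    18:06:49:413 1328 kbdhid (5afd9413400ffb2b57e9be900a12b160) C:\WINNT\system32\DRIVERS\kbdhid.sys
    18:06:49:653 1328 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINNT\system32\drivers\klmd.sys
    18:06:50:404 1328 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINNT\system32\DRIVERS\Lbd.sys
    18:06:51:135 1328 MBAMProtector (a1cd8eec777f05de505b76bb96709498) C:\WINNT\system32\drivers\mbam.sys
    18:06:56:183 1328 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    18:06:56:974 1328 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    18:07:23:782 1328 Tcpip (02fae418bd28e185a4909e5869497de5) C:\WINNT\system32\DRIVERS\tcpip.sys
    18:07:33:046 1328
    18:07:33:046 1328 Completed
    18:07:33:046 1328 Results:
"""


def parse_driver_log(text: str) -> list:
    """Return one dict per driver line; trailer and blank-timestamp lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["md5"] = entry["md5"].lower()
        entries.append(entry)
    return entries


def driver_dir(path: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return str(PureWindowsPath(path).parent).lower()


def triage(entries: list) -> dict:
    """Flag drivers outside the standard directories and hashes shared by
    several service names, and collect the unique hashes for bulk lookup."""
    outside = [e for e in entries if driver_dir(e["path"]) not in STANDARD_DRIVER_DIRS]
    by_hash = {}
    for e in entries:
        by_hash.setdefault(e["md5"], set()).add(e["service"])
    shared = {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}
    return {
        "total": len(entries),
        "outside_standard_dirs": outside,
        "shared_hashes": shared,
        "unique_md5": sorted(by_hash),
    }


if __name__ == "__main__":
    result = triage(parse_driver_log(SAMPLE_LOG))
    print(f"{result['total']} drivers parsed, {len(result['unique_md5'])} unique hashes")
    for e in result["outside_standard_dirs"]:
        print(f"outside standard dirs: {e['service']} {e['md5']} {e['path']}")
    for h, names in result["shared_hashes"].items():
        print(f"hash {h} shared by {', '.join(names)}")
```

On the sample above the two Motive drivers under C:\PROGRA~1 are the only ones flagged; the `unique_md5` list is what you would feed to a hash-lookup service or compare against a clean reference install.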
  18. 2010/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Double-click mbr.exe and follow the prompts (Vista users: right-click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
     
  19. 2010/06/30
    lynsing

    lynsing Inactive Thread Starter

    Joined:
    2010/06/27
    Messages:
    30
    Likes Received:
    0
    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
     
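The two lines "user: MBR read successfully" and "kernel: MBR read successfully" in the log above are the point of the tool: a stealth MBR rootkit of the Mebroot/Sinowal type keeps its modified boot code in sector 0 and filters disk reads so that the sector looks clean, so a detector reads sector 0 through more than one path and compares the results, and compares the boot code against a known-good copy. As an added example (not Gmer's code and not part of the original thread), here is that comparison logic over a constructed 512-byte MBR; the boot code bytes, the partition entry, the "known-good" hash and the tampered variant are all constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

# Constructed stand-in for clean boot code: a few plausible opening bytes, then
# zero padding. A real check uses the bytes captured from the clean system.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB, 0x50, 0x07, 0x50, 0x1F, 0xFC])


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector 0: boot code, one bootable NTFS entry, three empty
    entries, and the 0x55AA signature at offset 510."""
    sector = bytearray(SECTOR_SIZE)
    sector[: len(boot_code)] = boot_code
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 40_000_000)
    sector[PARTITION_TABLE_OFFSET : PARTITION_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Split a sector-0 image into boot-code hash, partition table and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off : off + 16])
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append(
                {"index": i, "bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count}
            )
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(user_view: bytes, kernel_view: bytes, known_good_boot_code_sha256: str) -> list:
    """Return findings for sector 0 read through two different paths.

    A rootkit that filters disk reads makes the two views disagree; a rootkit
    that does not filter still leaves boot code that no longer matches the
    known-good hash. Either is a reason to look further."""
    findings = []
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    if not k["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if user_view != kernel_view:
        findings.append("user-mode and kernel-mode reads of sector 0 differ")
    if k["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code hash does not match known-good copy")
    if u["partitions"] != k["partitions"]:
        findings.append("partition table differs between the two views")
    if not any(p["bootable"] for p in k["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


# Constructed views: a clean sector, the hash recorded from it, and a copy whose
# first bytes were replaced by a jump elsewhere (a typical boot-code patch).
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
KNOWN_GOOD_BOOT_CODE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
_tampered = bytearray(CLEAN_MBR)
_tampered[0:3] = b"\xe9\x00\x01"
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    print("clean vs clean:", check_mbr(CLEAN_MBR, CLEAN_MBR, KNOWN_GOOD_BOOT_CODE_SHA256) or "no findings")
    print("clean vs tampered:", check_mbr(CLEAN_MBR, TAMPERED_MBR, KNOWN_GOOD_BOOT_CODE_SHA256))
```

The "user: MBR read successfully / kernel: MBR read successfully" lines with nothing after them correspond to the empty findings list here; the interesting case is when the two reads disagree, which is exactly what a read-filtering MBR rootkit produces.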
  20. 2010/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Is redirection still present?
     
  21. 2010/06/30
    lynsing

    lynsing Inactive Thread Starter

    Joined:
    2010/06/27
    Messages:
    30
    Likes Received:
    0
    No, redirection is no longer present. Thank you very much. My computer is behaving much better, minus the Outlook Express problem. Do I need to post to another thread with regards to Outlook Express not opening?
     