Tech Support Forum
Thread status: Not open for further replies.

Registered · 29 Posts · Discussion Starter · #1
Hi .. I could really do with some help.. when I do a search, and click on a link I get redirected to another search engine giving me alternative options for the link that I had already found and clicked on.. I am also having a problem where some sites I go on just close down when I move pages and this is a site that I have been using for months and never had this problem...

I downloaded Norton Antivirus about 3 days ago because I was getting an error message saying "Windows Internet Explorer could not find a link, make sure internet path or address is correct" (but the link was random symbols that I couldn't type if I tried) but if I pressed OK or the red X close button it would just open up a fresh Google page and nothing else .. but this message popped up every time I clicked on anything... Norton didn't stop this so I used Malwarebytes and this fixed this problem... but then I was still being redirected ...

I then used Spybot-SD Resident (Search and Destroy) to try to fix the redirecting and that's how I ended up in this situation.... still being redirected and sites closing down

Sorry there is no report from the rootkit scanner .. I tried to run this 3 times but my computer automatically shut down each time ..

I'm using Windows Vista and my laptop is about a year and a half old .. and I don't have immediate access to a Windows install disk or a boot CD (if that helps?)



DDS (Ver_09-12-01.01) - NTFSx86
Run by cm at 18:50:05.49 on 10/12/2009
Internet Explorer: 7.0.6000.16830
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.765 [GMT 0:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\LEXPPS.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\cm\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Common Files\HP\Digital Imaging\Bin\hpqPhotoCrm.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\cm\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=9F6C747001C9CB5A01848BC2&install_time=02-05-2009:20:17&src_id=11029&camp_id=295&tb_version=2.4.2.399
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.1.0.19\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BitTorrent DNA] "c:\users\cm\program files\dna\btdna.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [SiSTray] %ProgramFiles%\SiS VGA Utilities\SiSTray.exe
mRun: [TouchPadHotKey] c:\program files\fsc\touchpad hotkey utility\TouchPad_HotKey.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1101000.013\SymDS.sys [2009-12-2 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1101000.013\SymEFA.sys [2009-12-2 171056]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20091104.001\BHDrvx86.sys [2009-11-4 524848]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1101000.013\cchpx86.sys [2009-12-2 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20091111.001\IDSvix86.sys [2009-12-2 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1101000.013\Ironx86.sys [2009-12-2 114736]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1101000.013\symtdiv.sys [2009-12-2 339504]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.1.0.19\ccSvcHst.exe [2009-12-2 126392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-9 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-2 102448]
R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2007-12-6 452968]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2008-9-9 48128]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]

=============== Created Last 30 ================

2009-12-09 20:37:49 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-09 20:37:49 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-09 15:11:33 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-07 13:07:16 0 d-----w- c:\programdata\XoftSpySE
2009-12-07 12:58:42 0 d-----w- c:\program files\WinClear
2009-12-07 12:53:20 0 d-----w- c:\users\cm\appdata\roaming\Uniblue
2009-12-04 14:51:34 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-12-02 20:44:35 0 d-sh--w- c:\users\cm\appdata\roaming\lowsec
2009-12-02 16:32:41 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-02 16:32:41 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-02 16:32:41 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-02 16:32:38 0 d-----w- c:\program files\Symantec
2009-12-02 16:32:38 0 d-----w- c:\program files\common files\Symantec Shared
2009-12-02 16:31:58 0 d-----w- c:\windows\system32\drivers\NAV
2009-12-02 16:31:54 0 d-----w- c:\program files\Norton AntiVirus
2009-12-02 16:31:53 0 d-----w- c:\programdata\Norton
2009-12-02 16:31:47 0 d-----w- c:\programdata\NortonInstaller
2009-12-02 16:31:46 0 d-----w- c:\program files\NortonInstaller
2009-12-01 12:20:14 0 d-----w- c:\program files\common files\xing shared
2009-11-22 00:42:38 0 d-----w- c:\programdata\Real
2009-11-20 15:34:50 0 d-----w- c:\programdata\Azureus
2009-11-20 15:34:24 0 d-----w- c:\users\cm\appdata\roaming\Azureus
2009-11-17 21:56:55 0 d-----w- c:\users\cm\Tracing
2009-11-17 21:35:22 0 d-----w- c:\program files\Windows Live SkyDrive
2009-11-17 21:01:26 0 d-----w- c:\program files\common files\Windows Live
2009-11-15 15:56:38 0 d-----w- c:\programdata\WEBREG
2009-11-15 15:52:43 0 d-----w- c:\programdata\HP Product Assistant
2009-11-15 15:50:31 0 d-----w- c:\program files\common files\HP
2009-11-15 15:49:43 0 d-----w- c:\program files\common files\Hewlett-Packard
2009-11-15 15:45:58 0 d-----w- c:\program files\HP
2009-11-15 15:41:51 452408 ----a-w- c:\windows\system32\hpzids01.dll
2009-11-15 15:41:38 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2009-11-15 15:39:14 712704 ----a-w- c:\windows\system32\hposwia_d02c.dll
2009-11-15 15:39:14 589824 ----a-w- c:\windows\system32\hpost_d02c.dll
2009-11-15 15:39:14 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2009-11-15 15:39:14 315392 ----a-w- c:\windows\system32\hposc_d02a.dll
2009-11-15 15:39:14 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-11-15 15:25:34 586 ------w- c:\windows\hpomdl44.dat
2009-11-15 15:25:34 162852 ----a-w- c:\windows\hpoins44.dat
2009-11-15 15:25:08 0 d-----w- c:\programdata\HP
2009-11-13 21:38:32 0 d-----w- c:\program files\iPod
2009-11-13 21:38:20 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-12-09 12:33:38 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-09 12:33:38 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-09 12:33:37 86016 ----a-w- c:\windows\inf\infstrng.dat
2008-12-11 03:14:53 174 --sha-w- c:\program files\desktop.ini
2008-06-12 02:09:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-02-05 19:24:40 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:51:43.62 ===============
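The "Pseudo HJT Report" section of the DDS log above is what a malware-removal helper reads by eye: browser add-ons (BHO/TB/URLSearchHook) whose CLSID no longer resolves to a file, a search provider that is not the one the user chose, and autorun entries launched from places where ordinary software does not live. The following is an added example, not part of this thread and not DDS's own code, that applies those three checks to lines in that format. The sample text is constructed from the same line shapes as the log above (DDS writes URLs as hxxp:// so they are not clickable in a post); the set of expected search hosts and the list of trusted autorun roots are assumptions for the example and would be tuned per environment.

```python
"""Triage checks over the 'Pseudo HJT Report' section of a DDS log.

Added example; not part of this thread and not DDS's own code.  It reads the
same line shapes the log above uses (BHO:/TB:/uRun:/uSearchURL ...) and
reports the things a helper scans for by eye.
"""
import re
from urllib.parse import urlparse

# Constructed sample in the DDS format; the client_id value is a placeholder.
SAMPLE = r"""
uStart Page = hxxp://www.google.co.uk/
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=PLACEHOLDER
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [BitTorrent DNA] "c:\users\cm\program files\dna\btdna.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
"""

SEARCH_KEYS = {"uSearchURL", "uSearch Page", "uSearch Bar", "uStart Page", "mStart Page"}
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.google.co.uk"}  # assumption: what the user chose
TRUSTED_AUTORUN_ROOTS = ("c:\\program files\\", "c:\\windows\\", "%programfiles%\\")  # assumption
ADDON_KINDS = {"BHO", "TB", "EB", "uURLSearchHooks", "mURLSearchHooks"}


def refang(url):
    """DDS defangs links as hxxp(s)://; restore the scheme so urlparse sees a host."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def autorun_target(entry):
    """Pull the executable out of '[Name] "path" args' or '[Name] path args'."""
    m = re.match(r"\[[^\]]*\]\s*(.*)$", entry)
    cmd = (m.group(1) if m else entry).strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted paths may contain spaces: take everything up to the first .exe
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(report):
    """Return (check, detail) pairs for every line that deserves a second look."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 'uSearchURL,(Default) = hxxp://...' style settings
        key, eq, value = line.partition(" = ")
        if eq and key.split(",")[0] in SEARCH_KEYS:
            host = (urlparse(refang(value)).hostname or "").lower()
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(("unexpected-search-provider", f"{key} -> {host}"))
            continue
        kind, sep, rest = line.partition(": ")
        if not sep:
            continue
        # Registered add-on whose file is gone ('- No File') or never listed ('-')
        if kind in ADDON_KINDS and re.search(r"-(\s*No File)?$", rest):
            findings.append(("orphaned-addon", re.sub(r"\s*-(\s*No File)?$", "", rest)))
        elif kind.endswith("Run"):  # uRun / mRun / dRun
            target = autorun_target(rest)
            if "\\" not in target:
                findings.append(("autorun-bare-filename", target))  # resolved via PATH at logon
            elif not target.lower().startswith(TRUSTED_AUTORUN_ROOTS):
                findings.append(("autorun-outside-trusted-root", target))
    return findings


if __name__ == "__main__":
    for check, detail in triage(SAMPLE):
        print(f"{check:30} {detail}")
```

Flagged lines are review items, not verdicts: a "No File" entry is a leftover registration with no code behind it, a bare filename only means the location is unknown, and a search provider outside the allowlist tells you the setting was changed, not by whom.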
 


Premium Member · 29,813 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Your hard drive is almost full.

C: is FIXED (NTFS) - 110 GiB total, 13.539 GiB free.
Having too little free space on your hard drive can compromise system performance. I suggest you move pictures, music, etc. to an external drive or USB stick if you have one and uninstall any programs that are never or hardly ever used.

------------------------------------------------------

Delete your existing copy of gmer. Please run this special version of gmer:

Download GMER Rootkit Scanner from here: http://www.gmer.net/download.php and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


------------------------------------------------------

If you still have trouble, try running gmer again and this time also uncheck Devices

------------------------------------------------------
 

Registered · 29 Posts · Discussion Starter · #3
Hi .. I hope that I have done what you asked correctly ?? (had a friend helping me 1st time around).. I have deleted a load of stuff off my hard drive so have a bit more room .. gonna get a bigger external hard drive as well to move some stuff on to .. .

I have copied and pasted the info from the Gmer.txt file that I saved below.


GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-14 23:19:35
Windows 6.0.6000
Running: 2tsvx0vz.exe; Driver: C:\Users\cm\AppData\Local\Temp\pgrdapow.sys


---- System - GMER 1.0.15 ----

SSDT 86233C20 ZwAlertResumeThread
SSDT 86233048 ZwAlertThread
SSDT 86288910 ZwAllocateVirtualMemory
SSDT 860E20C8 ZwAlpcConnectPort
SSDT 862873A8 ZwAssignProcessToJobObject
SSDT 86287838 ZwCreateMutant
SSDT 8628AE10 ZwCreateSymbolicLinkObject
SSDT 86288D20 ZwCreateThread
SSDT 86287468 ZwDebugActiveProcess
SSDT 86288A68 ZwDuplicateObject
SSDT 86287F80 ZwFreeVirtualMemory
SSDT 8624C108 ZwImpersonateAnonymousToken
SSDT 86249048 ZwImpersonateThread
SSDT 860E2090 ZwLoadDriver
SSDT 86287EA0 ZwMapViewOfSection
SSDT 862881D8 ZwOpenEvent
SSDT 86288C08 ZwOpenProcess
SSDT 8623D598 ZwOpenProcessToken
SSDT 86287630 ZwOpenSection
SSDT 86288B38 ZwOpenThread
SSDT 8628AFC0 ZwProtectVirtualMemory
SSDT 86234E10 ZwResumeThread
SSDT 8623D690 ZwSetContextThread
SSDT 86287D48 ZwSetInformationProcess
SSDT 86287528 ZwSetSystemInformation
SSDT 862876F0 ZwSuspendProcess
SSDT 86244048 ZwSuspendThread
SSDT 862A1048 ZwTerminateProcess
SSDT 861E1E50 ZwTerminateThread
SSDT 8623E048 ZwUnmapViewOfSection
SSDT 86288840 ZwWriteVirtualMemory
SSDT 8628AEE0 ZwCreateThreadEx

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\00000425 -> \Driver\atapi \Device\Harddisk0\DR0 84A28170

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081b830f5c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\[email protected] 0xDB 0x67 0xC1 0x13 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\[email protected] 0x6A 0xF0 0x80 0xF9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00081b830f5c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\[email protected] 0xDB 0x67 0xC1 0x13 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\[email protected] 0x6A 0xF0 0x80 0xF9 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\[email protected] 0x80 0x87 0x64 0xAB ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 

Premium Member · 29,813 Posts
Hello clair101. One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Due to the restrictions on Vista, all tools should be started by right-click > Run as Administrator

If you click 'Start' and have no 'Run' function, please right-click Start > Properties > Start menu tab > Customize button > and tick 'Display Run' box > OK > OK.

------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it. (Vista users, right-click > Run as Administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :filefind
    atapi.*
  • Click the Look button to start the scan.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

------------------------------------------------------
 

Registered · 29 Posts · Discussion Starter · #5
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 10:40 on 16/12/2009 by cm (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_37a5f048\atapi.sys --a--- 21688 bytes [19:24 05/02/2008] [19:24 05/02/2008] 28D0C21DB4FFED1BBFB42E9AA34E0C0D
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys --a--- 21688 bytes [05:17 10/09/2007] [05:17 10/09/2007] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys --a--- 19048 bytes [04:51 10/09/2007] [04:51 10/09/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys --a--- 19048 bytes [04:51 10/09/2007] [04:51 10/09/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys --a--- 19048 bytes [04:51 10/09/2007] [04:51 10/09/2007] 5653737BAD8C6C10136451C195C19881
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys --a--- 21688 bytes [05:17 10/09/2007] [05:17 10/09/2007] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20658_none_dbad770d3da236bb\atapi.sys --a--- 21688 bytes [19:24 05/02/2008] [19:24 05/02/2008] 28D0C21DB4FFED1BBFB42E9AA34E0C0D
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] E03E8C99D15D0381E02743C36AFC7C6F

-=End Of File=-
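The SystemLook listing above shows the same file name under several DriverStore and winsxs paths, each with its size and MD5; the question the helper is answering after GMER's "suspicious modification" line is whether the copy at C:\Windows\System32\drivers\atapi.sys agrees with any of the servicing copies Windows keeps. The following is an added example, not part of the thread and not SystemLook's code, that parses that line format and answers the question for a subset of the paths and hashes copied from the listing above, and then for a second, constructed case in which the live driver carries a made-up hash no servicing copy shares. The regular expression for the line layout (path, attribute flags, size, two timestamps, MD5) is inferred from the listing.

```python
"""Compare the live driver against servicing copies in a SystemLook ':filefind' listing.

Added example; not SystemLook's code and not from the thread.  The line
format is inferred from the listing above.
"""
import re

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)

# Subset of the SystemLook output in this thread (paths and hashes as posted),
# so the first case reproduces the real comparison.
CLEAN_LISTING = r"""
Searching for "atapi.*"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] E03E8C99D15D0381E02743C36AFC7C6F
-=End Of File=-
"""

# Constructed second case: same listing, but the live driver carries a hash
# (made up for this example) that no servicing copy shares.
TAMPERED_LISTING = CLEAN_LISTING.replace(
    r"C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] E03E8C99D15D0381E02743C36AFC7C6F",
    r"C:\Windows\System32\drivers\atapi.sys --a--- 21560 bytes [22:37 02/03/2008] [22:37 02/03/2008] 00000000000000000000000000000000",
)

LIVE_DRIVER = r"C:\Windows\System32\drivers\atapi.sys"


def parse_filefind(text):
    """Return one dict per file line; header and footer lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"path": m["path"], "size": int(m["size"]), "md5": m["md5"].upper()})
    return entries


def is_servicing_copy(path):
    """Windows keeps reference copies of inbox drivers under DriverStore and winsxs."""
    p = path.lower()
    return "\\driverstore\\filerepository\\" in p or "\\winsxs\\" in p


def check_live_driver(entries, live_path):
    """Report which servicing copies share the live file's MD5 (none is the bad sign)."""
    live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
    if live is None:
        return {"status": "live-file-not-listed", "md5": None, "matches": []}
    matches = sorted(e["path"] for e in entries
                     if is_servicing_copy(e["path"]) and e["md5"] == live["md5"])
    status = "matches-servicing-copy" if matches else "no-servicing-copy-matches"
    return {"status": status, "md5": live["md5"], "matches": matches}


def hash_census(entries):
    """Group paths by MD5 to see which servicing copies agree with each other."""
    census = {}
    for e in entries:
        census.setdefault(e["md5"], []).append(e["path"])
    return census


if __name__ == "__main__":
    for label, listing in (("clean", CLEAN_LISTING), ("tampered", TAMPERED_LISTING)):
        result = check_live_driver(parse_filefind(listing), LIVE_DRIVER)
        print(label, result["status"], result["md5"])
        for p in result["matches"]:
            print("   same hash:", p)
```

Read the result in one direction only: a miss (the second case) is a strong signal, because an inbox driver whose on-disk bytes match no servicing copy has been replaced or altered. A match shows only that the bytes SystemLook could read agree with a reference copy; a kernel-level rootkit can present the original contents to user-mode readers while the loaded image differs, so a match narrows the finding rather than closing it.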
 

Premium Member · 29,813 Posts
Hello again, clair101.

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click Advanced mode if not already selected.
  • Choose Yes at the Warning prompt.
  • Expand the Tools menu.
  • Click Resident.
  • Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
  • If TeaTimer gives you a warning that changes were made, click the Allow Change box when prompted.
  • In the File menu click Exit to exit Spybot Search & Destroy.
------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Please download ComboFix.exe from here and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Double-click ComboFix.exe and follow the prompts to run it. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Please post the C:\ComboFix.txt in your next reply for further review.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
 

Registered · 29 Posts · Discussion Starter · #7
Hi .. here is the info from the above instruction ..... is this a nasty virus ??? or do things normally take this much to fix? thanks for your help though ... I would have no clue on my own x

ComboFix 09-12-16.05 - cm 17/12/2009 12:08:49.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.1023 [GMT 0:00]
Running from: c:\users\cm\Desktop\KittyFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-481360034-789616395-3074670522-500
c:\$recycle.bin\S-1-5-21-893896235-185402396-3724997393-500
c:\program files\alot
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\program files\alot\bin\ALOTSettings.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-17 to 2009-12-17 )))))))))))))))))))))))))))))))
.

2009-12-17 12:27 . 2009-12-17 12:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-17 11:30 . 2009-08-29 09:00 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091216.052\NAVENG.SYS
2009-12-17 11:30 . 2009-08-29 09:00 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091216.052\NAVENG32.DLL
2009-12-17 11:30 . 2009-08-29 09:00 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091216.052\NAVEX32A.DLL
2009-12-17 11:30 . 2009-08-29 09:00 1323568 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091216.052\NAVEX15.SYS
2009-12-17 11:30 . 2009-12-09 22:56 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091216.052\CCERASER.DLL
2009-12-17 11:30 . 2009-12-02 16:50 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091216.052\ECMSVR32.DLL
2009-12-17 11:30 . 2009-08-29 09:00 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091216.052\EECTRL.SYS
2009-12-17 11:30 . 2009-08-29 09:00 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\VirusDefs\20091216.052\ERASER.SYS
2009-12-15 08:52 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091211.001\IDSvix86.sys
2009-12-15 08:52 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091211.001\IDSXpx86.sys
2009-12-15 08:52 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091211.001\Scxpx86.dll
2009-12-15 08:52 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091211.001\IDSxpx86.dll
2009-12-15 08:52 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091211.001\IDSviA64.sys
2009-12-09 20:37 . 2009-12-13 11:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-09 20:37 . 2009-12-09 20:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-09 15:11 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-07 13:07 . 2009-12-07 13:07 -------- d-----w- c:\programdata\XoftSpySE
2009-12-07 12:58 . 2009-12-09 13:08 -------- d-----w- c:\program files\WinClear
2009-12-07 12:53 . 2009-12-07 12:53 -------- d-----w- c:\users\cm\AppData\Roaming\Uniblue
2009-12-04 14:51 . 2009-10-10 23:51 44080 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-12-02 20:44 . 2009-12-09 12:15 -------- d-sh--w- c:\users\cm\AppData\Roaming\lowsec
2009-12-02 19:35 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091111.001\Scxpx86.dll
2009-12-02 19:35 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSvix86.sys
2009-12-02 19:35 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSXpx86.sys
2009-12-02 19:35 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSxpx86.dll
2009-12-02 19:35 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSviA64.sys
2009-12-02 16:33 . 2009-08-30 00:16 164216 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
2009-12-02 16:32 . 2009-12-02 16:32 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-02 16:32 . 2009-12-02 16:42 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-02 16:32 . 2009-12-02 16:32 -------- d-----w- c:\program files\Symantec
2009-12-02 16:32 . 2009-08-26 22:13 900464 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\OCS\hsplayer.dll
2009-12-02 16:32 . 2009-09-01 09:02 893296 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\CLT\cltLMSx.dll
2009-12-02 16:31 . 2009-12-03 14:03 -------- d-----w- c:\windows\system32\drivers\NAV
2009-12-02 16:31 . 2009-12-02 16:31 -------- d-----w- c:\program files\Norton AntiVirus
2009-12-02 16:31 . 2009-12-02 16:33 -------- d-----w- c:\programdata\Norton
2009-12-02 16:31 . 2009-12-02 16:31 -------- d-----w- c:\programdata\NortonInstaller
2009-12-02 16:31 . 2009-12-02 16:31 -------- d-----w- c:\program files\NortonInstaller
2009-12-02 15:42 . 2009-12-02 15:42 -------- d-----w- c:\users\cm\AppData\Roaming\Leadertech
2009-12-01 12:20 . 2009-12-01 12:20 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-01 12:16 . 2009-12-10 18:58 -------- d-----w- c:\program files\Google
2009-11-22 00:42 . 2009-11-30 00:42 439816 ----a-w- c:\users\cm\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-11-20 15:40 . 2009-11-20 15:40 172 ----a-w- c:\users\cm\AppData\Roaming\Azureus\restart.bat
2009-11-20 15:34 . 2009-11-20 15:34 -------- d-----w- c:\programdata\Azureus
2009-11-20 15:34 . 2009-11-20 15:54 -------- d-----w- c:\users\cm\AppData\Roaming\Azureus
2009-11-17 21:56 . 2009-12-15 18:45 -------- d-----w- c:\users\cm\Tracing
2009-11-17 21:36 . 2009-11-17 21:36 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-17 21:35 . 2009-11-17 21:35 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-17 21:01 . 2009-11-17 21:01 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-17 12:30 . 2008-03-02 16:26 -------- d-----w- c:\users\cm\AppData\Roaming\DNA
2009-12-17 12:30 . 2008-03-02 11:24 -------- d-----w- c:\programdata\Kontiki
2009-12-15 01:06 . 2008-08-09 11:04 12 ----a-w- c:\windows\bthservsdp.dat
2009-12-14 15:55 . 2009-11-15 15:56 -------- d-----w- c:\users\cm\AppData\Roaming\HP
2009-12-12 11:43 . 2008-03-31 19:41 5216 ----a-w- c:\users\cm\AppData\Local\d3d9caps.dat
2009-12-09 13:50 . 2008-08-25 11:42 -------- d-----w- c:\users\cm\AppData\Roaming\OpenOffice.org2
2009-12-09 13:47 . 2008-10-05 11:16 -------- d-----w- c:\users\cm\AppData\Roaming\Skype
2009-12-09 13:28 . 2008-10-05 11:20 -------- d-----w- c:\users\cm\AppData\Roaming\skypePM
2009-12-09 13:25 . 2008-03-02 07:49 -------- d-----w- c:\program files\FSC
2009-12-09 13:16 . 2008-03-02 07:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-09 13:09 . 2009-05-05 22:31 -------- d-----w- c:\users\cm\AppData\Roaming\WinFF
2009-12-09 12:36 . 2008-08-09 09:28 -------- d-----w- c:\users\cm\AppData\Roaming\Samsung
2009-12-09 12:18 . 2008-10-05 13:59 -------- d-----w- c:\program files\BSR Screen Recorder 4
2009-12-04 15:17 . 2009-10-11 16:55 -------- d-----w- c:\program files\VideoLAN
2009-12-04 15:16 . 2009-10-06 23:49 -------- d-----w- c:\program files\Wake up News
2009-12-02 16:32 . 2009-12-02 16:32 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-02 16:32 . 2009-12-02 16:32 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-01 12:20 . 2009-05-23 19:55 -------- d-----w- c:\program files\Common Files\Real
2009-11-21 15:42 . 2009-10-11 16:55 -------- d-----w- c:\program files\Graboid
2009-11-20 15:57 . 2008-03-02 11:24 -------- d-----w- c:\program files\Kontiki
2009-11-20 14:18 . 2009-03-28 10:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-17 21:36 . 2008-03-21 22:55 -------- d-----w- c:\program files\Windows Live
2009-11-17 21:36 . 2008-03-21 23:02 -------- d-----w- c:\program files\Windows Live Toolbar
2009-11-17 21:35 . 2009-03-28 10:02 -------- d-----w- c:\program files\Microsoft
2009-11-15 16:01 . 2008-03-02 00:09 105504 ----a-w- c:\users\cm\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-15 15:56 . 2009-11-15 15:56 -------- d-----w- c:\programdata\WEBREG
2009-11-15 15:56 . 2009-11-15 15:25 162852 ----a-w- c:\windows\hpoins44.dat
2009-11-15 15:56 . 2009-11-15 15:25 -------- d-----w- c:\programdata\HP
2009-11-15 15:54 . 2009-11-15 15:45 -------- d-----w- c:\program files\HP
2009-11-15 15:52 . 2009-11-15 15:52 -------- d-----w- c:\programdata\HP Product Assistant
2009-11-15 15:50 . 2009-11-15 15:50 -------- d-----w- c:\program files\Common Files\HP
2009-11-15 15:49 . 2009-11-15 15:49 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-11-13 21:43 . 2009-10-24 12:56 -------- d-----w- c:\program files\Safari
2009-11-13 21:40 . 2009-11-13 21:40 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-13 21:39 . 2009-11-13 21:38 -------- d-----w- c:\program files\iTunes
2009-11-13 21:38 . 2009-11-13 21:38 -------- d-----w- c:\program files\iPod
2009-11-13 21:38 . 2008-08-24 08:59 -------- d-----w- c:\program files\Common Files\Apple
2009-11-13 21:32 . 2009-11-13 21:32 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-11 20:52 . 2008-08-25 11:43 1 ----a-w- c:\users\cm\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-11-04 23:50 . 2009-11-04 23:50 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20091104.001\BHRules.dll
2009-11-04 23:50 . 2009-11-04 23:50 663088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20091104.001\BHDrvx64.sys
2009-11-04 23:50 . 2009-11-04 23:50 524848 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20091104.001\BHDrvx86.sys
2009-11-04 23:50 . 2009-11-04 23:50 1413520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20091104.001\BHEngine.dll
2009-11-04 23:50 . 2009-11-04 23:50 610704 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20091104.001\bbRGen.dll
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-26 07:46 . 2008-08-24 09:02 -------- d-----w- c:\users\cm\AppData\Roaming\Apple Computer
2009-10-24 13:08 . 2009-10-24 13:07 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-24 13:04 . 2009-10-24 13:04 -------- d-----w- c:\program files\QuickTime
2008-02-05 19:24 . 2007-09-10 04:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-02 1232896]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"BitTorrent DNA"="c:\users\cm\Program Files\DNA\btdna.exe" [2009-11-07 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-10 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 869936]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"TouchPadHotKey"="c:\program files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe" [2007-08-13 364544]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-10 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-01 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\NAV\1101000.013\SymDS.sys [02/12/2009 20:56 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NAV\1101000.013\SymEFA.sys [02/12/2009 20:56 171056]
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\BASHDefs\20091104.001\BHDrvx86.sys [04/11/2009 23:50 524848]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NAV\1101000.013\cchpx86.sys [02/12/2009 20:56 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.0.0.136\Definitions\IPSDefs\20091211.001\IDSvix86.sys [15/12/2009 08:52 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\NAV\1101000.013\Ironx86.sys [02/12/2009 20:56 114736]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\NAV\1101000.013\symtdiv.sys [02/12/2009 20:56 339504]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe [02/12/2009 20:56 126392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [09/12/2009 20:37 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [02/12/2009 19:34 102448]
R3 SiS6350;SiS6350;c:\windows\System32\drivers\SISGRKMD.sys [06/12/2007 14:00 452968]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\System32\drivers\SiSGB6.sys [09/09/2008 03:15 48128]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [02/11/2006 10:25 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=9F6C747001C9CB5A01848BC2&install_time=02-05-2009:20&src_id=11029&camp_id=295&tb_version=2.4.2.399
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

BHO-{1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
HKLM-Run-SiSTray - c:\program files\SiS VGA Utilities\SiSTray.exe
HKLM-Run-Lexmark X1100 Series - c:\program files\Lexmark X1100 Series\lxbkbmgr.exe
AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-17 12:28
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84A28170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82811d1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> ataport.SYS @ 0x807869ba
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-12-17 12:37:23
ComboFix-quarantined-files.txt 2009-12-17 12:37

Pre-Run: 23,427,141,632 bytes free
Post-Run: 28,192,272,384 bytes free

- - End Of File - - 16C005DAAA134CD70CBA0EFBE8B4ED08
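The "Stealth MBR rootkit/Mebroot/Sinowal detector" block in the ComboFix log above is the most telling part of the whole report, and it is worth knowing how to read it mechanically. Two things stand out: the disk I/O call chain ends in an address (`>>UNKNOWN [0x84A28170]<<`) that Gmer could not attribute to any loaded driver, and the tool lists three driver objects under its own "detected MBR rootkit hooks" heading, while the MBR itself reads identically from user and kernel mode ("user & kernel MBR OK"). That combination says the boot sector is intact and the problem sits in a driver in the storage stack. The parser below is an added example, not code from the thread, ComboFix or Gmer; `SAMPLE_LOG` is constructed from the lines posted above, and the severity labels are my own reading, not the tool's.

```python
"""Triage the 'Stealth MBR rootkit detector' section of a ComboFix log.

Added example; not code from the thread, ComboFix or Gmer. It parses the
detector's text output and reports two signals: an address in the disk
call chain that the tool could not attribute to any loaded driver
(>>UNKNOWN<<) and the driver objects the tool lists under its own
'detected MBR rootkit hooks' heading. SAMPLE_LOG is constructed from the
lines posted in the thread.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84A28170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0x82811d1f
\\Driver\\ACPI -> acpi.sys @ 0x804699d6
\\Driver\\atapi -> ataport.SYS @ 0x807869ba
IoDeviceObjectType ->\\Device\\Harddisk0\\DR0 ->user & kernel MBR OK
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (\S+) @ (0x[0-9A-Fa-f]+)\s*$")


@dataclass
class MbrTriage:
    known_modules: list = field(default_factory=list)      # modules Gmer could name
    unknown_addresses: list = field(default_factory=list)  # call-chain entries it could not
    hooks: list = field(default_factory=list)              # (driver object, module, address)
    mbr_ok: bool = False                                   # boot sector read the same both ways

    @property
    def suspicious(self) -> bool:
        return bool(self.unknown_addresses or self.hooks)


def parse_mbr_report(text: str) -> MbrTriage:
    """Walk the detector output line by line and collect the two signals."""
    t = MbrTriage()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            body = line[len("called modules:"):]
            t.unknown_addresses = UNKNOWN_RE.findall(body)
            t.known_modules = UNKNOWN_RE.sub("", body).split()
        elif line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
        elif in_hooks and (m := HOOK_RE.match(line)):
            t.hooks.append((m.group(1), m.group(2), m.group(3)))
        elif "user & kernel MBR OK" in line:
            t.mbr_ok = True
            in_hooks = False
    return t


def summarize(t: MbrTriage) -> list:
    """Human-readable findings, in the order a reviewer would read them."""
    out = []
    for addr in t.unknown_addresses:
        out.append(f"HIGH: disk I/O call chain ends in code at {addr} that maps to no loaded driver")
    for drv, mod, addr in t.hooks:
        out.append(f"HIGH: tool reports {drv} hooked; dispatch resolves to {mod} @ {addr}")
    out.append("INFO: MBR sectors match in user and kernel reads" if t.mbr_ok
               else "WARN: no 'user & kernel MBR OK' confirmation in report")
    if t.suspicious and t.mbr_ok:
        out.append("NOTE: boot sector clean but the disk stack is hooked; "
                   "look at the storage driver, not the MBR")
    return out


if __name__ == "__main__":
    for finding in summarize(parse_mbr_report(SAMPLE_LOG)):
        print(finding)
```

The last line of `summarize()` is the reasoning behind the helper's next post: because the MBR reads clean, the fix targets the storage driver (`atapi.sys`) rather than rewriting the boot sector.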
 

· Premium Member
Joined
·
29,813 Posts
Hello again, clair101. Yes, this is a really nasty one. Just to be safe, if there is anything on this machine you can't live without, back it up now.

Open Notepad and copy/paste the entire contents of the quotebox below into Notepad:

@echo off
rem Keep a copy of the suspect driver for analysis before anything replaces it
copy /y c:\windows\system32\drivers\atapi.sys c:\atapi.sys.vir
rem Remove this batch file once it has run
del %0
Save this Notepad file as copy.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:


Double-click on copy.bat to run it. A DOS window will open and close again, this is normal.

------------------------------------------------------

Download The Avenger2 by Swandog46 from here
  • Unzip/extract it to a folder on your desktop.
  • Double-click on avenger.exe to run The Avenger
  • Click OK
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy/paste the following text in the codebox below into the 'Input script here:' box.

    Code:
    files to move:
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys|c:\windows\system32\drivers\atapi.sys
  • Click Execute
  • Click Yes
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
  • Click Yes
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
------------------------------------------------------

No matter how many times Avenger rebooted your computer, please reboot your machine once more. This is important.

Have the redirects stopped now? Let me know.

------------------------------------------------------
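The two steps above do two separate jobs: `copy.bat` preserves the driver that is currently being loaded (as `c:\atapi.sys.vir`) so it can be examined later, and the Avenger script moves the untouched DriverStore copy over it at the next boot, when the running kernel no longer holds the file. The script below is an added example, not the helper's, Avenger's or Microsoft's code. It reproduces the decision step in Python: hash the active driver and the DriverStore reference copy, record sizes and hashes, and copy the suspect file aside before anything overwrites it. The default paths are the ones named in the post; the demo at the bottom runs on constructed stand-in files in a temporary directory, not on real drivers. The replacement itself is deliberately left to the boot-time tool. One caveat a practitioner should keep in mind, and the reason the verdict string is worded cautiously: a rootkit that filters disk I/O (which is what the hooked `\Driver\atapi` entry in the log suggests) can hand clean bytes to any reader inside the running OS, so a matching hash from inside Windows is not proof that the file is clean; repeat the comparison from offline boot media before trusting it.

```python
"""Compare the active atapi.sys against its DriverStore reference copy.

Added example; not the helper's, Avenger's or Microsoft's code. It mirrors
the intent of copy.bat (preserve the suspect file) and of the Avenger
'files to move' line (decide whether the DriverStore copy differs from
the loaded driver). Default paths come from the post. The demo uses
constructed stand-in files, not real drivers.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

ACTIVE_DRIVER = Path(r"C:\Windows\System32\drivers\atapi.sys")
STORE_DRIVER = Path(r"C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys")
EVIDENCE_COPY = Path(r"C:\atapi.sys.vir")


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so a multi-megabyte driver does not land in memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_driver(active: Path, reference: Path) -> dict:
    """Hashes and sizes of both copies plus whether they are byte-identical."""
    a, r = sha256_of(active), sha256_of(reference)
    return {
        "active_sha256": a,
        "reference_sha256": r,
        "active_size": active.stat().st_size,
        "reference_size": reference.stat().st_size,
        "identical": a == r,
    }


def preserve_evidence(active: Path, dest: Path) -> str:
    """copy.bat's job: keep the suspect driver before anything overwrites it."""
    shutil.copy2(active, dest)  # copy2 keeps timestamps, which matter for the timeline
    return sha256_of(dest)


def triage(active=ACTIVE_DRIVER, reference=STORE_DRIVER, evidence=EVIDENCE_COPY) -> dict:
    result = compare_driver(active, reference)
    result["evidence_sha256"] = preserve_evidence(active, evidence)
    # A user-mode read can be served clean bytes by a rootkit that filters
    # disk I/O, so 'identical' means 'no difference visible from inside this
    # OS', not 'clean'. Repeat the comparison from offline boot media.
    if result["identical"]:
        result["verdict"] = "no difference visible from a running OS; re-check offline"
    else:
        result["verdict"] = "reference differs from active driver; replace it at boot, not from the running OS"
    return result


def demo_with_constructed_files() -> dict:
    """Run triage() on two constructed stand-in files (NOT real drivers)."""
    with tempfile.TemporaryDirectory() as d:
        active = Path(d, "atapi.sys")
        active.write_bytes(b"MZ" + b"\x90" * 1000 + b"patched")  # 1009 bytes
        reference = Path(d, "ref_atapi.sys")
        reference.write_bytes(b"MZ" + b"\x90" * 1000)            # 1002 bytes
        evidence = Path(d, "atapi.sys.vir")
        result = triage(active, reference, evidence)
        result["evidence_written"] = evidence.exists()
        return result


if __name__ == "__main__":
    for k, v in demo_with_constructed_files().items():
        print(f"{k}: {v}")
```

Run it as an administrator with the default paths to get the real comparison on the affected machine; the sizes alone are a quick first check, since a patched driver frequently differs in length from the DriverStore copy.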
 

· Registered
Joined
·
29 Posts
Discussion Starter · #9 ·
Hi... this is really bad timing. I have ordered an external hard drive to back up my work but probably won't get it till after Xmas (it's coming from China). I have a load of design artwork that I can't afford to lose and need to back up first.

I'm going home to the back end of beyond in Wales for Xmas so I won't be on the internet much at all after tomorrow till about the 5th of Jan. My friend told me that if you don't reply to these threads after 3 days they get deleted?? If my hard drive arrives and I can get on the net I will try to sort this over Xmas, but will my thread stay open just in case I can't get on till the 5th??? Is that OK??

Merry Christmas and a happy new year xxx
 

· Registered
Joined
·
29 Posts
Discussion Starter · #11 ·
Hi... I have backed up my work now and did as instructed. I have copied and pasted the log. I still need to reboot the computer again, but I went into my email to get back to this site and I could see the little sneaky swirly blue icon flash up in the corner of the search bar when I logged in to my email (it's one of the icons that always flashes up when I'm being redirected), so something is definitely still there.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!


Error: could not move file "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys"
File move operation "C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys|c:\windows\system32\drivers\atapi.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.
 

· Premium Member
Joined
·
29,813 Posts
Since it has been so long, please run dds and gmer again and post/attach the logs as before.
 

· Registered
Joined
·
29 Posts
Discussion Starter · #13 ·
Hi... I rebooted my computer one more time after I sent you the last message, and went into my Hotmail and the sneaky little swirly sign isn't there... :)
Looks like it might have finally worked... I don't seem to be being redirected :)

I'm so sorry to ask, but can you tell me how to run dds and gmer again??

I'm also concerned that I don't have anything to stop someone doing this again... can you recommend any free firewall thingies or something? People keep telling me I should have something set up, but my friend who used to help me with this stuff has disappeared off the face of the earth & I don't even know what kind of security thing I need?
 

· Premium Member
Joined
·
29,813 Posts
Hello again, clair101. According to the Avenger results, the fix didn't work.

dds.scr should still be on your desktop.


Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double-click dds to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
-----------------------------------------------------

Please include the following logs in your thread:
  • Contents of the DDS.txt posted as text in your reply.
  • Attach the Attach.txt to your post by clicking the Manage Attachments button under Additional Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.
------------------------------------------------------

Delete your existing copy of gmer if still on your desktop. Please run this special version of gmer:

Download GMER Rootkit Scanner from http://www.gmer.net/download.php and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


------------------------------------------------------
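When the DDS report comes back, the "Pseudo HJT Report" section is where the persistence lives, and a handful of mechanical checks catch most of what a reviewer looks for there. The script below is an added example, not DDS's or the helper's code, and the severity labels are my own. `SAMPLE_REPORT` is built from lines in the report posted later in this thread (the search URL is shortened). The checks it applies: the Winlogon `Userinit` value normally names only `userinit.exe`, so any additional executable in that comma-separated list is a persistence hook; a Run entry whose command lives under a user profile directory (`\Users\`, `\AppData\`, `\Temp\`) is the usual home of dropped binaries; a per-user `SearchURL` override is worth a look on a machine with search redirects; and BHO, toolbar or URL-search-hook entries that resolve to "No File" are orphans left behind by an uninstall or a cleanup.

```python
"""Flag persistence entries in a DDS 'Pseudo HJT Report'.

Added example; not DDS's or the helper's code. The checks mirror what a
reviewer looks for in the report the helper asked for. SAMPLE_REPORT is
constructed from lines posted in this thread (search URL shortened).
"""
import re

SAMPLE_REPORT = """\
uStart Page = hxxp://www.google.co.uk/
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=9F6C747001C9CB5A01848BC2
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun
uRun: [userinit] c:\\users\\cm\\appdata\\roaming\\sdra64.exe
mRun: [Windows Defender] %ProgramFiles%\\Windows Defender\\MSASCui.exe -hide
"""

# The only executable Winlogon should launch from the Userinit value.
USERINIT_EXPECTED = "c:\\windows\\system32\\userinit.exe"
# Directories from which a legitimate autorun almost never executes.
PROFILE_DIR_RE = re.compile(r"\\(appdata|users|documents and settings|temp)\\", re.I)
# DDS prefixes: u = HKCU, m = HKLM, d = .DEFAULT hive.
RUN_RE = re.compile(r"^([umd])Run: \[([^\]]+)\] (.+)$", re.I)
WINDOWS_NAMES = ("userinit", "winlogon", "explorer", "svchost", "lsass")


def check_userinit(value: str) -> list:
    """Return every Userinit entry that is not userinit.exe (the comma list may end with a comma)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != USERINIT_EXPECTED]


def triage_hjt(report: str) -> list:
    """Return (severity, line, reason) findings for a Pseudo HJT report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("mwinlogon: userinit="):
            for extra in check_userinit(line.split("=", 1)[1]):
                findings.append(("high", line, f"extra Userinit executable: {extra}"))
        elif (m := RUN_RE.match(line)):
            name, command = m.group(2), m.group(3)
            if PROFILE_DIR_RE.search(command):
                findings.append(("high", line, "Run entry executes from a user profile directory"))
            elif name.lower() in WINDOWS_NAMES:
                findings.append(("medium", line, "Run entry borrows the name of a Windows component"))
        elif line.startswith(("BHO:", "TB:", "uURLSearchHooks:")) and line.endswith("No File"):
            findings.append(("low", line, "orphaned browser hook (registry entry without a file)"))
        elif line.lower().startswith("usearchurl"):
            findings.append(("medium", line, "per-user search URL override; check against the redirects"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage_hjt(SAMPLE_REPORT):
        print(f"[{severity:6}] {reason}\n         {line}")
```

On the sample, the two high findings point at the same file name in two places (the Winlogon `Userinit` list and a per-user Run entry), which is exactly the kind of double anchoring a reviewer wants flagged before deciding what to remove.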
 

· Registered
Joined
·
29 Posts
Discussion Starter · #15 ·
I tried to do the gmer. I went as far as clicking scan and waiting for it to finish, but it shut my computer down? I'll try again now and see if I can do it, but I thought I would send this separately first.


DDS (Ver_09-12-01.01) - NTFSx86
Run by cm at 15:38:30.93 on 06/01/2010
Internet Explorer: 7.0.6000.16830
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.834 [GMT 0:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\LEXPPS.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton AntiVirus\Engine\17.1.0.19\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Users\cm\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\cm\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=9F6C747001C9CB5A01848BC2&install_time=02-05-2009:20:17&src_id=11029&camp_id=295&tb_version=2.4.2.399
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.1.0.19\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BitTorrent DNA] "c:\users\cm\program files\dna\btdna.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [userinit] c:\users\cm\appdata\roaming\sdra64.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [TouchPadHotKey] c:\program files\fsc\touchpad hotkey utility\TouchPad_HotKey.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-gb.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1101000.013\SymDS.sys [2009-12-2 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1101000.013\SymEFA.sys [2009-12-2 171056]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20091205.001\BHDrvx86.sys [2009-12-5 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1101000.013\cchpx86.sys [2009-12-2 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20091217.002\IDSvix86.sys [2009-12-18 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1101000.013\Ironx86.sys [2009-12-2 114736]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nav\1101000.013\symtdiv.sys [2009-12-2 339504]
R2 NAV;Norton AntiVirus;c:\program files\norton antivirus\engine\17.1.0.19\ccSvcHst.exe [2009-12-2 126392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-9 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-2 102448]
R3 SiS6350;SiS6350;c:\windows\system32\drivers\SISGRKMD.sys [2007-12-6 452968]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\drivers\SiSGB6.sys [2008-9-9 48128]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]

=============== Created Last 30 ================

2010-01-04 23:37:50 0 d-sh--w- c:\windows\system32\lowsec
2009-12-17 12:37:51 0 d-sh--w- C:\$RECYCLE.BIN
2009-12-17 12:05:28 77312 ----a-w- c:\windows\MBR.exe
2009-12-17 12:05:28 261632 ----a-w- c:\windows\PEV.exe
2009-12-17 12:05:27 98816 ----a-w- c:\windows\sed.exe
2009-12-17 12:05:27 161792 ----a-w- c:\windows\SWREG.exe
2009-12-17 12:05:03 0 d-----w- C:\KittyFix
2009-12-09 20:37:49 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-09 20:37:49 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-09 15:11:33 195456 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-12-09 12:33:38 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-09 12:33:38 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-09 12:33:37 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-12-02 16:32:38 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-12-02 16:32:38 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-12-02 16:32:38 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-15 15:56:28 162852 ----a-w- c:\windows\hpoins44.dat
2008-12-11 03:14:53 174 --sha-w- c:\program files\desktop.ini
2008-06-12 02:09:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-02-05 19:24:40 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:41:03.68 ===============
 


· Premium Member · 29,813 Posts
Hello again, clair101. The logs still show you being infected.

Delete KittyFix.exe (or ComboFix.exe) from your desktop.

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

------------------------------------------------------

Disable Norton and close any browsers.

Right-click ComboFix.exe and choose 'Run as administrator'.

Please post the ComboFix.txt log in your next reply.

------------------------------------------------------
 

· Registered · 29 Posts · Discussion Starter · #18 ·
Hi .. yes .. I am still being redirected ... thank you so much for your help ...

Fingers crossed..


ComboFix 10-01-04.01 - cm 07/01/2010 12:15:05.3.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.1789.1086 [GMT 0:00]
Running from: c:\users\cm\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\cm\AppData\Roaming\sdra64.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.

2010-01-07 12:26 . 2010-01-07 12:26 -------- d-----w- c:\users\cm\AppData\Local\temp
2010-01-07 12:26 . 2010-01-07 12:26 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-07 12:26 . 2010-01-07 12:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-06 22:53 . 2010-01-06 22:53 -------- d-----w- c:\windows\Sun
2009-12-17 12:05 . 2009-12-17 12:37 -------- d-----w- C:\KittyFix
2009-12-09 20:37 . 2009-12-13 11:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-09 20:37 . 2009-12-09 20:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-09 15:11 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-07 12:27 . 2008-03-02 11:24 -------- d-----w- c:\programdata\Kontiki
2010-01-07 12:18 . 2008-03-02 16:26 -------- d-----w- c:\users\cm\AppData\Roaming\DNA
2010-01-07 12:08 . 2009-12-02 20:44 -------- d-sh--w- c:\users\cm\AppData\Roaming\lowsec
2010-01-07 11:52 . 2009-12-02 16:31 -------- d-----w- c:\programdata\Norton
2010-01-07 11:51 . 2008-08-09 11:04 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-06 23:16 . 2008-08-25 11:43 1 ----a-w- c:\users\cm\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-06 23:16 . 2008-08-25 11:42 -------- d-----w- c:\users\cm\AppData\Roaming\OpenOffice.org2
2010-01-06 18:25 . 2008-08-25 11:39 -------- d-----w- c:\program files\Java
2009-12-14 15:55 . 2009-11-15 15:56 -------- d-----w- c:\users\cm\AppData\Roaming\HP
2009-12-12 11:43 . 2008-03-31 19:41 5216 ----a-w- c:\users\cm\AppData\Local\d3d9caps.dat
2009-12-10 18:58 . 2009-12-01 12:16 -------- d-----w- c:\program files\Google
2009-12-09 13:47 . 2008-10-05 11:16 -------- d-----w- c:\users\cm\AppData\Roaming\Skype
2009-12-09 13:28 . 2008-10-05 11:20 -------- d-----w- c:\users\cm\AppData\Roaming\skypePM
2009-12-09 13:25 . 2008-03-02 07:49 -------- d-----w- c:\program files\FSC
2009-12-09 13:16 . 2008-03-02 07:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-09 13:09 . 2009-05-05 22:31 -------- d-----w- c:\users\cm\AppData\Roaming\WinFF
2009-12-09 13:08 . 2009-12-07 12:58 -------- d-----w- c:\program files\WinClear
2009-12-09 12:36 . 2008-08-09 09:28 -------- d-----w- c:\users\cm\AppData\Roaming\Samsung
2009-12-09 12:18 . 2008-10-05 13:59 -------- d-----w- c:\program files\BSR Screen Recorder 4
2009-12-07 13:07 . 2009-12-07 13:07 -------- d-----w- c:\programdata\XoftSpySE
2009-12-07 12:53 . 2009-12-07 12:53 -------- d-----w- c:\users\cm\AppData\Roaming\Uniblue
2009-12-04 15:17 . 2009-10-11 16:55 -------- d-----w- c:\program files\VideoLAN
2009-12-04 15:16 . 2009-10-06 23:49 -------- d-----w- c:\program files\Wake up News
2009-12-02 16:31 . 2009-12-02 16:31 -------- d-----w- c:\programdata\NortonInstaller
2009-12-02 15:42 . 2009-12-02 15:42 -------- d-----w- c:\users\cm\AppData\Roaming\Leadertech
2009-12-01 12:20 . 2009-05-23 19:55 -------- d-----w- c:\program files\Common Files\Real
2009-12-01 12:20 . 2009-12-01 12:20 -------- d-----w- c:\program files\Common Files\xing shared
2009-11-30 00:42 . 2009-11-22 00:42 439816 ----a-w- c:\users\cm\AppData\Roaming\Real\Update\setup3.09\setup.exe
2009-11-21 15:42 . 2009-10-11 16:55 -------- d-----w- c:\program files\Graboid
2009-11-20 15:57 . 2008-03-02 11:24 -------- d-----w- c:\program files\Kontiki
2009-11-20 15:54 . 2009-11-20 15:34 -------- d-----w- c:\users\cm\AppData\Roaming\Azureus
2009-11-20 15:40 . 2009-11-20 15:40 172 ----a-w- c:\users\cm\AppData\Roaming\Azureus\restart.bat
2009-11-20 15:34 . 2009-11-20 15:34 -------- d-----w- c:\programdata\Azureus
2009-11-20 14:18 . 2009-03-28 10:03 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-17 21:36 . 2008-03-21 22:55 -------- d-----w- c:\program files\Windows Live
2009-11-17 21:36 . 2008-03-21 23:02 -------- d-----w- c:\program files\Windows Live Toolbar
2009-11-17 21:36 . 2009-11-17 21:36 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-17 21:35 . 2009-03-28 10:02 -------- d-----w- c:\program files\Microsoft
2009-11-17 21:35 . 2009-11-17 21:35 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-17 21:01 . 2009-11-17 21:01 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-15 16:01 . 2008-03-02 00:09 105504 ----a-w- c:\users\cm\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-15 15:56 . 2009-11-15 15:56 -------- d-----w- c:\programdata\WEBREG
2009-11-15 15:56 . 2009-11-15 15:25 162852 ----a-w- c:\windows\hpoins44.dat
2009-11-15 15:56 . 2009-11-15 15:25 -------- d-----w- c:\programdata\HP
2009-11-15 15:54 . 2009-11-15 15:45 -------- d-----w- c:\program files\HP
2009-11-15 15:52 . 2009-11-15 15:52 -------- d-----w- c:\programdata\HP Product Assistant
2009-11-15 15:50 . 2009-11-15 15:50 -------- d-----w- c:\program files\Common Files\HP
2009-11-15 15:49 . 2009-11-15 15:49 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-11-13 21:43 . 2009-10-24 12:56 -------- d-----w- c:\program files\Safari
2009-11-13 21:40 . 2009-11-13 21:40 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-13 21:39 . 2009-11-13 21:38 -------- d-----w- c:\program files\iTunes
2009-11-13 21:38 . 2009-11-13 21:38 -------- d-----w- c:\program files\iPod
2009-11-13 21:38 . 2008-08-24 08:59 -------- d-----w- c:\program files\Common Files\Apple
2009-11-13 21:32 . 2009-11-13 21:32 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-11 04:17 . 2009-01-10 12:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-02-05 19:24 . 2007-09-10 04:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-02 1232896]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"BitTorrent DNA"="c:\users\cm\Program Files\DNA\btdna.exe" [2009-11-07 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-10 1006264]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-10 869936]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"TouchPadHotKey"="c:\program files\FSC\TouchPad HotKey Utility\TouchPad_HotKey.exe" [2007-08-13 364544]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-01 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [09/12/2009 20:37 1153368]
R3 SiS6350;SiS6350;c:\windows\System32\drivers\SISGRKMD.sys [06/12/2007 14:00 452968]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\System32\drivers\SiSGB6.sys [09/09/2008 03:15 48128]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [02/11/2006 10:25 167936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\User_Feed_Synchronization-{C4EDA85F-0DAC-47DC-A260-497B3545D674}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://search.alot.com/web?q=&pr=auto&client_id=9F6C747001C9CB5A01848BC2&install_time=02-05-2009:20&src_id=11029&camp_id=295&tb_version=2.4.2.399
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 12:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x84A29170]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x82b90d1f
\Driver\ACPI -> acpi.sys @ 0x804699d6
\Driver\atapi -> ataport.SYS @ 0x807869ba
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-07 12:31:51
ComboFix-quarantined-files.txt 2010-01-07 12:31
ComboFix2.txt 2009-12-17 12:37

Pre-Run: 29,103,341,568 bytes free
Post-Run: 29,220,200,448 bytes free

- - End Of File - - 55DDA0DCF3F253C6A081ED44A9B168B1
 

· Premium Member · 29,813 Posts
Hello again, clair101.

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
copy /y C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys c:\windows\system32\dllcache
dir /s c:\atapi.sys > peek.txt
notepad peek.txt
Save this Notepad file as copy.bat, choose Save as type: - All Files, then close the Notepad file.
It should look like this:


Right-click on copy.bat and choose 'Run as administrator'.

A Notepad file will open. Copy that information into your next reply, please.

------------------------------------------------------
 

· Registered · 29 Posts · Discussion Starter · #20 ·
Hi Chemist

I did as instructed and pasted the notepad below ...


Volume in drive C is System
Volume Serial Number is E0A4-CE06

Directory of c:\Windows\ERDNT\cache

02/03/2008 22:37 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\System32\drivers

02/03/2008 22:37 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_37a5f048

05/02/2008 19:24 21,688 atapi.sys
1 File(s) 21,688 bytes

Directory of c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4

10/09/2007 05:17 21,688 atapi.sys
1 File(s) 21,688 bytes

Directory of c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea

02/03/2008 22:37 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21

02/03/2008 22:37 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2

10/09/2007 04:51 19,048 atapi.sys
1 File(s) 19,048 bytes

Directory of c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699

02/11/2006 09:49 19,048 atapi.sys
1 File(s) 19,048 bytes

Directory of c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06

10/09/2007 04:51 19,048 atapi.sys
1 File(s) 19,048 bytes

Directory of c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c

02/03/2008 22:37 21,560 atapi.sys
1 File(s) 21,560 bytes

Directory of c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b

10/09/2007 04:51 19,048 atapi.sys
1 File(s) 19,048 bytes

Directory of c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736

10/09/2007 05:17 21,688 atapi.sys
1 File(s) 21,688 bytes

Directory of c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20658_none_dbad770d3da236bb

05/02/2008 19:24 21,688 atapi.sys
1 File(s) 21,688 bytes

Directory of c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b

02/03/2008 22:37 21,560 atapi.sys
1 File(s) 21,560 bytes

Total Files Listed:
14 File(s) 292,304 bytes
0 Dir(s) 28,564,410,368 bytes free
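The copy.bat step above lists every atapi.sys on the disk so that the loaded copy in System32\drivers can be compared with the pristine DriverStore and WinSxS copies. As an added example (not the helper's code and not part of the thread), this Python script parses that `dir /s` output and does the comparison automatically, treating only DriverStore and WinSxS entries as reference copies; the clean listing it checks is built from the sizes and dates posted above, and the "tampered" listing is a constructed variant.

```python
import re
from dataclasses import dataclass

DIR_LINE = re.compile(r"^Directory of (?P<path>.+)$")
FILE_LINE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
                       r"(?P<size>[\d,]+)\s+(?P<name>\S+)$")

@dataclass(frozen=True)
class Copy:
    path: str   # directory holding this atapi.sys copy
    date: str
    time: str
    size: int

def parse_dir_listing(text, name="atapi.sys"):
    """Pull every <name> entry out of `dir /s` output, remembering its directory."""
    copies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()   # a forum paste and real cmd output differ only in padding
        m = DIR_LINE.match(line)
        if m:
            current = m.group("path")
            continue
        m = FILE_LINE.match(line)
        if m and current and m.group("name").lower() == name:
            copies.append(Copy(current, m.group("date"), m.group("time"),
                               int(m.group("size").replace(",", ""))))
    return copies

def is_reference_copy(c):
    """DriverStore and WinSxS hold the installer's untouched copies of the driver."""
    p = c.path.lower()
    return "\\driverstore\\filerepository\\" in p or "\\winsxs\\" in p

def check_active_driver(copies):
    """Compare the loaded copy in System32\\drivers with the reference copies.
    Size and timestamp only: a match is reassuring, a mismatch means the loaded
    driver deserves a hash comparison or replacement from a reference copy."""
    active = [c for c in copies if c.path.lower().endswith("\\system32\\drivers")]
    if len(active) != 1:
        raise ValueError("expected exactly one System32\\drivers copy")
    fp = (active[0].date, active[0].time, active[0].size)
    matches = sorted(c.path for c in copies
                     if is_reference_copy(c) and (c.date, c.time, c.size) == fp)
    return {"size": fp[2], "stamp": f"{fp[0]} {fp[1]}", "matches": matches, "ok": bool(matches)}

def make_listing(entries):
    """Render (dir, date, time, size) tuples as `dir /s` output; constructed sample data."""
    parts = [" Volume in drive C is System", ""]
    for path, date, time, size in entries:
        parts += [f" Directory of {path}", "",
                  f"{date}  {time}  {size:>14,} atapi.sys",
                  f"               1 File(s) {size:>14,} bytes", ""]
    return "\n".join(parts)

# Reference copies, using the dates and sizes posted in the thread.
REFERENCE = [
    (r"c:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea", "02/03/2008", "22:37", 21560),
    (r"c:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c",
     "02/03/2008", "22:37", 21560),
    (r"c:\Windows\ERDNT\cache", "02/03/2008", "22:37", 21560),  # a backup, not a reference copy
]
# Clean case: the loaded driver matches the DriverStore copy, as in the posted output.
CLEAN_LISTING = make_listing([(r"c:\Windows\System32\drivers", "02/03/2008", "22:37", 21560)] + REFERENCE)
# Constructed tampered case: the loaded driver has a size and date no reference copy shares.
TAMPERED_LISTING = make_listing([(r"c:\Windows\System32\drivers", "07/01/2010", "12:08", 22016)] + REFERENCE)

if __name__ == "__main__":
    for label, listing in (("clean", CLEAN_LISTING), ("tampered", TAMPERED_LISTING)):
        print(label, check_active_driver(parse_dir_listing(listing)))
```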
 