[Inactive] Search Engine Redirect

F-Secure, basically, found nothing.
Attached is zipped atapi.sys file.
Unzip it.
Restart computer in Safe Mode.
Navigate to:
C:/Windows/System32/drivers
Rename your atapi.sys file to atapi.old.
Paste my atapi.sys file into the C:/Windows/System32/drivers folder.
Restart computer and check for redirection.
There's no attached file in your last post.

Redirects still occurring, but they are blocked.

Download avz4.zip from here
Unzip it to your desktop to a folder named avz4
Double click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the right of the Log window:
Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
After the update, from the "File" menu, choose "Standard Scripts"
Put a check next to item 2: Advanced System Analysis
Click Execute selected scripts
At the next prompt, click the Yes button
Let the scan run and click "OK" when the completion prompt pops up
Now close out of the Standard Scripts window, and exit AVZ
Navigate to the avz4 folder and locate the folder LOG
Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
Attach the compressed file, virusinfo_syscheck.zip, to your next reply.

Ran AVZ script scan. The file you requested is attached.

Download Rooter.exe to your desktop.
1. Double click it to start the tool.
2. A Notepad file containing the report will open, also found at C:\Rooter.txt .
3. Copy all text, and paste it into your next reply.

Ran Rooter.exe scan. The Rooter_1.txt file follows.
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6001) Service Pack 1
[32_bits] - x86 Family 15 Model 67 Stepping 3, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Disabled !
User Account Control (UAC) -> Enabled
.
Internet Explorer 7.0.6001.18000
.
C:\ [Fixed-NTFS] .. ( Total:363 Go - Free:279 Go )
D:\ [Fixed-NTFS] .. ( Total:8 Go - Free:1 Go )
E:\ [CD_Rom]
F:\ [Removable]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
.
Scan : 18:41.31
Path : C:\Users\admin\Desktop\Rooter.exe
User : admin ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (440)
______ C:\Windows\system32\csrss.exe (520)
______ C:\Windows\system32\wininit.exe (572)
______ C:\Windows\system32\csrss.exe (580)
______ C:\Program Files\AVG\AVG9\avgchsvx.exe (592)
______ C:\Program Files\AVG\AVG9\avgrsx.exe (600)
______ C:\Windows\system32\services.exe (632)
______ C:\Windows\system32\lsass.exe (644)
______ C:\Windows\system32\lsm.exe (652)
______ C:\Windows\system32\winlogon.exe (680)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (740)
______ C:\Windows\system32\svchost.exe (864)
______ C:\Windows\system32\nvvsvc.exe (1116)
______ C:\Windows\system32\svchost.exe (1148)
______ C:\Windows\System32\svchost.exe (1328)
______ C:\Windows\System32\svchost.exe (1436)
______ C:\Windows\system32\svchost.exe (1496)
______ C:\Windows\system32\AUDIODG.EXE (1644)
______ C:\Windows\system32\SLsvc.exe (1688)
______ C:\Windows\system32\rundll32.exe (1728)
______ C:\Windows\system32\svchost.exe (1756)
______ C:\Windows\system32\svchost.exe (1912)
______ C:\Windows\system32\Dwm.exe (856)
______ C:\Windows\Explorer.EXE (1048)
______ C:\Windows\System32\spoolsv.exe (1508)
______ C:\hp\support\hpsysdrv.exe (1548)
______ C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe (1628)
______ C:\Windows\RtHDVCpl.exe (1576)
______ C:\Windows\System32\rundll32.exe (1712)
______ C:\Program Files\AVG\AVG9\avgtray.exe (1836)
______ C:\Program Files\Windows Sidebar\sidebar.exe (1872)
______ C:\Windows\ehome\ehtray.exe (1744)
______ C:\Windows\system32\taskeng.exe (1828)
______ C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (200)
______ C:\Windows\system32\svchost.exe (1920)
______ C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (1016)
______ C:\Windows\system32\taskeng.exe (2280)
______ C:\Windows\ehome\ehmsas.exe (2448)
______ C:\Program Files\Internet Explorer\ieuser.exe (2824)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (2896)
______ C:\Program Files\AVG\AVG9\avgwdsvc.exe (2940)
______ C:\Program Files\Bonjour\mDNSResponder.exe (2972)
______ C:\Program Files\AVG\AVG9\avgnsx.exe (3180)
______ C:\Windows\system32\svchost.exe (3308)
______ c:\Program Files\Common Files\LightScribe\LSSrvc.exe (3400)
______ C:\Windows\system32\svchost.exe (3572)
______ C:\Windows\system32\svchost.exe (3596)
______ C:\Windows\System32\svchost.exe (3632)
______ C:\Windows\system32\SearchIndexer.exe (3700)
______ C:\Windows\system32\DRIVERS\xaudio.exe (3728)
______ C:\Program Files\Windows Media Player\wmpnscfg.exe (2040)
______ C:\Program Files\Windows Media Player\wmpnetwk.exe (1988)
______ C:\hp\kbd\kbd.exe (3988)
______ C:\Windows\system32\wbem\unsecapp.exe (4020)
______ C:\Windows\system32\wbem\wmiprvse.exe (1308)
______ c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe (2648)
______ C:\Windows\system32\wuauclt.exe (460)
______ C:\Windows\system32\jusched.exe (4532)
______ C:\Users\admin\Desktop\Rooter.exe (4744)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:390578840064)
\Device\Harddisk0\Partition2 (Start_Offset:390578872320 | Length:9506488320)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 18:41.33
.
C:\Rooter$\Rooter_1.txt - (03/11/2009 | 18:41.33)

Download a fresh copy of Combofix from HERE
Rename the file from 4c56rg7d.exe to 4c56rg7d.com and try to run it again.

Ran ComboFix (yea!). ComboFix logfile follows.
ComboFix 09-11-03.01 - admin 11/03/2009 19:38.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1632 [GMT -5:00]
Running from: c:\users\admin\Desktop\4c56rg7d.com
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3331803270-2357299798-1493206031-500
c:\$recycle.bin\S-1-5-21-3704042418-4224051671-3462806213-500
c:\users\admin\AppData\Roaming\02000000165cf98e598 C.manifest
c:\users\admin\AppData\Roaming\02000000165cf98e598 O.manifest
c:\users\admin\AppData\Roaming\02000000165cf98e598 P.manifest
c:\users\admin\AppData\Roaming\02000000165cf98e598 S.manifest
c:\users\Guest\AppData\Roaming\02000000165cf98e598 C.manifest
c:\users\Guest\AppData\Roaming\02000000165cf98e598 O.manifest
c:\users\Guest\AppData\Roaming\02000000165cf98e598 P.manifest
c:\users\Guest\AppData\Roaming\02000000165cf98e598 S.manifest
c:\windows\system32\c66H7RQ.vbs
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.
2009-11-04 00:45 . 2009-11-04 00:46 -------- d-----w- c:\users\admin\AppData\Local\temp
2009-11-04 00:45 . 2009-11-04 00:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-04 00:45 . 2009-11-04 00:45 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-03 23:41 . 2009-11-03 23:41 -------- d-----w- C:\Rooter$
2009-11-03 05:45 . 2009-11-03 05:41 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-03 04:31 . 2009-11-03 04:31 -------- d-----w- c:\programdata\F-Secure
2009-11-01 04:06 . 2009-11-01 04:06 -------- d-----w- c:\programdata\is-6JRR8
2009-11-01 04:04 . 2009-11-01 04:04 -------- d-----w- c:\programdata\is-GMUL4
2009-11-01 04:04 . 2008-07-08 17:54 148496 ----a-w- c:\windows\system32\drivers\54623057.sys
2009-11-01 03:57 . 2009-11-01 03:57 -------- d-----w- c:\programdata\is-N6F3K
2009-11-01 03:57 . 2009-11-04 00:41 55070752 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-31 18:52 . 2008-01-19 07:41 21560 ----a-w- c:\windows\system32\drivers\atapiold.sys
2009-10-31 14:10 . 2009-10-31 14:10 -------- d-----w- C:\_OTL
2009-10-31 01:41 . 2009-10-31 01:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-30 01:50 . 2009-11-04 00:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 22:49 . 2009-10-29 22:49 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-29 22:49 . 2009-11-04 00:27 -------- d-----w- c:\users\admin\AppData\Roaming\SUPERAntiSpyware.com
2009-10-29 22:49 . 2009-11-04 00:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-29 14:55 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-29 14:55 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-29 14:55 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-29 14:55 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-29 14:55 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-29 14:55 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-29 14:55 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-29 14:55 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-29 14:55 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-28 19:20 . 2009-10-28 20:52 -------- d-----w- C:\ComboFix
2009-10-28 13:41 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 13:41 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 14:03 . 2009-10-26 14:03 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2009-10-26 14:03 . 2009-10-26 14:03 -------- d-----w- c:\programdata\Malwarebytes
2009-10-24 23:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-24 23:13 . 2009-10-24 23:15 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-24 23:12 . 2009-10-24 23:15 -------- d-----w- c:\programdata\Lavasoft
2009-10-24 23:12 . 2009-10-24 23:12 -------- d-----w- c:\program files\Lavasoft
2009-10-24 21:59 . 2009-10-24 21:59 -------- d-----w- c:\program files\Trend Micro
2009-10-24 17:20 . 2009-10-24 18:46 -------- d-----w- C:\$AVG
2009-10-24 17:20 . 2009-10-24 21:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-24 17:20 . 2009-10-24 17:20 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-24 17:20 . 2009-10-24 17:20 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-24 17:20 . 2009-11-03 14:25 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-24 17:20 . 2009-10-24 17:20 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-24 17:20 . 2009-10-28 19:27 -------- d-----w- c:\programdata\avg9
2009-10-24 15:17 . 2009-10-24 16:56 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-24 15:17 . 2009-10-24 16:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-24 03:44 . 2009-10-24 03:44 -------- d-----w- c:\users\admin\AppData\Local\Threat Expert
2009-10-24 03:35 . 2009-10-24 16:59 -------- d-----w- c:\programdata\PC Tools
2009-10-24 03:19 . 2009-10-24 03:19 -------- d-----w- c:\programdata\XoftSpySE
2009-10-16 14:42 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 14:42 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 14:40 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 14:40 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 22:37 . 2009-09-23 14:09 103955 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\swscale-0.dll
2009-10-13 22:37 . 2009-09-23 14:09 43539 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\avutil-50.dll
2009-10-13 22:37 . 2009-09-23 14:09 2954259 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\avcodec-52.dll
2009-10-13 22:37 . 2009-09-23 14:09 514067 ----a-w- c:\users\Guest\AppData\Roaming\NCH Software\Components\ffmpeg5\avformat-52.dll
2009-10-13 22:32 . 2009-10-13 22:32 -------- d-----w- c:\programdata\NCH Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 15:39 . 2009-11-01 03:57 568016 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-31 01:54 . 2009-05-21 19:54 -------- d-----w- c:\users\admin\AppData\Roaming\DNA
2009-10-31 01:41 . 2007-08-05 05:00 -------- d-----w- c:\program files\Java
2009-10-28 19:59 . 2009-01-27 18:56 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2009-10-24 23:21 . 2007-12-14 18:43 -------- d-----w- c:\program files\Google
2009-10-24 01:23 . 2009-10-03 22:39 -------- d-----w- c:\program files\AVG
2009-10-17 04:43 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-17 02:14 . 2007-12-01 02:03 -------- d-----w- c:\programdata\Microsoft Help
2009-10-17 02:13 . 2007-08-05 05:01 -------- d-----w- c:\program files\Microsoft Works
2009-10-04 04:45 . 2007-12-01 15:04 123696 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-04 03:56 . 2007-11-30 22:49 123696 ----a-w- c:\users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-04 03:56 . 2009-10-04 03:56 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-10-03 23:59 . 2009-10-03 23:59 -------- d-----w- c:\program files\Apple Software Update
2009-10-01 14:29 . 2009-10-03 14:12 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-08-31 13:55 . 2009-10-16 14:41 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-16 14:41 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-02 22:18 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 22:18 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-16 14:41 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-16 14:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-16 14:41 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-09 10:20 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 10:20 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 10:20 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 10:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 10:20 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 10:20 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 10:20 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 10:20 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 10:20 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:16 . 2009-09-09 10:20 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2007-08-05 05:16 . 2007-08-05 05:11 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-14 171448]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-24 2010904]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
_uninst_.bat [2009-11-3 83]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-6-5 479232]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/24/2009 12:20 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/24/2009 12:20 PM 360584]
R1 is-GMUL4drv;is-GMUL4drv;c:\windows\System32\drivers\54623057.sys [10/31/2009 11:04 PM 148496]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/24/2009 12:20 PM 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/23/2009 9:34 PM 133104]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
*Deregistered* - SASDIFSV
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2008-10-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]
2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 02:33]
2009-11-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-24 02:33]
.
.
------- Supplementary Scan -------
.
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - Sign In
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: stargatewars.com
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-03 19:46
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x88560E07]<<
kernel: MBR read successfully
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-11-04 19:48
ComboFix-quarantined-files.txt 2009-11-04 00:48
Pre-Run: 300,503,375,872 bytes free
Post-Run: 300,759,150,592 bytes free
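A defender's triage pass over the "Files Created" section format shown in the ComboFix log above, added here as an example; it is not code from the thread, from the helper or from ComboFix. The sample lines are constructed from entries in the log, and the core-driver set and the 30-day threshold are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in the ComboFix "Files Created" format used in the
# log above: created-timestamp . modified-timestamp size attributes path.
SAMPLE_LOG = """\
2009-11-03 05:45 . 2009-11-03 05:41 19944 ----a-w- c:\\windows\\system32\\drivers\\atapi.sys
2009-11-01 04:04 . 2008-07-08 17:54 148496 ----a-w- c:\\windows\\system32\\drivers\\54623057.sys
2009-10-31 18:52 . 2008-01-19 07:41 21560 ----a-w- c:\\windows\\system32\\drivers\\atapiold.sys
2009-10-29 14:55 . 2009-08-07 02:24 44768 ----a-w- c:\\windows\\system32\\wups2.dll
2009-10-24 23:13 . 2009-10-24 23:15 -------- dc----w- c:\\windows\\system32\\DRVSTORE
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) (\S{8}) (.+)$"
)

# Boot-critical storage drivers whose replacement deserves a second look.
# This set is an assumption made for the example, not something ComboFix reports.
CORE_DRIVERS = {"atapi.sys", "disk.sys", "classpnp.sys", "ntfs.sys"}

def parse_line(line):
    """Return one parsed entry, or None if the line is not a file entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    fmt = "%Y-%m-%d %H:%M"
    return {
        "created": datetime.strptime(created, fmt),
        "modified": datetime.strptime(modified, fmt),
        "size": None if size.startswith("-") else int(size),
        "is_dir": attrs[0] == "d",
        "path": path,
        "name": path.replace("\\", "/").rsplit("/", 1)[-1].lower(),
    }

def parse_log(text):
    """Parse every entry line in a ComboFix file-listing section."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]

def triage_drivers(entries):
    """Flag .sys files under a drivers folder for manual verification.
    Reasons are heuristics, not verdicts; each hit still needs its
    signature and hash checked against a known-good copy."""
    hits = []
    for e in entries:
        if e["is_dir"] or not e["name"].endswith(".sys"):
            continue
        if "\\drivers\\" not in e["path"].lower():
            continue
        reasons = []
        if e["name"] in CORE_DRIVERS:
            reasons.append("core storage driver written in the scan window")
        if e["name"][:-4].isdigit():
            reasons.append("all-digit file name")
        # Modified long before created: the file was copied in with its
        # original timestamp preserved, as installers and droppers both do.
        if (e["created"] - e["modified"]).days > 30:
            reasons.append("copied in with an old modification time")
        if reasons:
            hits.append((e["name"], e["size"], reasons))
    return hits
```

Run `triage_drivers(parse_log(SAMPLE_LOG))` to list each flagged driver with its size and the reasons it was flagged.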