jaisa01

  1. [quote name='jaisa01' post='119506' date='May 12 2010, 04:00 PM']
I booted in Safe mode and here is the Avenger log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "bvlbjcd" deleted successfully.

Error:  file "C:\WINDOWS\system32\fszas.dll" not found!
Deletion of file "C:\WINDOWS\system32\fszas.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Completed script processing.

*******************

Finished!  Terminate.
[/quote]

Here is the ComboFix log

ComboFix 10-05-11.06 - Sandeep 05/12/2010  11:05:29.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3062.2575 [GMT -4:00]
Running from: c:\documents and settings\Sandeep\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sandeep\Application Data\.#
c:\documents and settings\Sandeep\GoToAssistDownloadHelper.exe
c:\windows\system32\st325602.dll

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack
.
(((((((((((((((((((((((((   Files Created from 2010-04-12 to 2010-05-12  )))))))))))))))))))))))))))))))
.

2010-05-12 14:06 . 2010-02-26 23:51  6870864  ---ha-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\in00000\setup.exe
2010-05-12 14:06 . 2010-02-26 23:45  743872  ---ha-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\ar00000\install.exe
2010-05-12 06:14 . 2010-05-12 04:26  15880  ----a-w-  c:\windows\system32\lsdelete.exe
2010-05-12 04:55 . 2010-05-12 04:55  --------  d-----w-  c:\documents and settings\All Users\Application Data\TEMP
2010-05-12 04:54 . 2010-05-12 04:59  --------  d-----w-  c:\program files\SpywareBlaster
2010-05-12 04:26 . 2010-02-04 15:53  64288  ----a-w-  c:\windows\system32\drivers\Lbd.sys
2010-05-12 04:26 . 2010-05-12 04:26  95024  ----a-w-  c:\windows\system32\drivers\SBREDrv.sys
2010-05-12 04:20 . 2010-05-12 04:20  --------  dc-h--w-  c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-12 04:20 . 2010-02-04 15:53  2954656  -c--a-w-  c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-12 04:19 . 2010-05-12 04:26  --------  d-----w-  c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-10 18:02 . 2010-05-11 20:30  664  ----a-w-  c:\windows\system32\d3d9caps.dat
2010-05-10 04:38 . 2010-05-10 04:38  43646  ----a-r-  c:\documents and settings\Sandeep\Application Data\Microsoft\Installer\{DB35267F-B5C6-495C-8407-75ADC34E759D}\_D707CE1C009F1381803C2C.exe
2010-05-10 04:38 . 2010-05-10 04:38  43646  ----a-r-  c:\documents and settings\Sandeep\Application Data\Microsoft\Installer\{DB35267F-B5C6-495C-8407-75ADC34E759D}\_33E47820CFD4F5D3775329.exe
2010-05-10 04:38 . 2010-05-10 04:38  43646  ----a-r-  c:\documents and settings\Sandeep\Application Data\Microsoft\Installer\{DB35267F-B5C6-495C-8407-75ADC34E759D}\_25E0DDF4BB5DA2E0BB26B4.exe
2010-05-10 04:38 . 2010-05-10 04:38  43646  ----a-r-  c:\documents and settings\Sandeep\Application Data\Microsoft\Installer\{DB35267F-B5C6-495C-8407-75ADC34E759D}\_21F3885A18D238E15AAE81.exe
2010-05-10 04:38 . 2010-05-10 04:38  29926  ----a-r-  c:\documents and settings\Sandeep\Application Data\Microsoft\Installer\{DB35267F-B5C6-495C-8407-75ADC34E759D}\_EABE28F7A0A98A84188A78.exe
2010-05-10 04:38 . 2010-05-10 04:38  109534  ----a-r-  c:\documents and settings\Sandeep\Application Data\Microsoft\Installer\{DB35267F-B5C6-495C-8407-75ADC34E759D}\_6FEFF9B68218417F98F549.exe
2010-05-10 04:38 . 2010-05-10 04:38  --------  d-----w-  c:\program files\Macrium
2010-05-10 03:17 . 2010-05-10 03:17  --------  d-----w-  c:\documents and settings\Sandeep\Local Settings\Application Data\Deployment
2010-05-10 02:14 . 2010-05-10 02:14  --------  d-----w-  c:\windows\system32\NtmsData
2010-05-09 17:47 . 2010-05-09 17:47  --------  d-----w-  c:\documents and settings\All Users\Application Data\Macrium
2010-04-26 20:45 . 2010-05-10 01:40  --------  d-----w-  c:\documents and settings\Sandeep\Application Data\Copernic
2010-04-26 20:45 . 2010-04-26 20:45  --------  d-----w-  c:\documents and settings\Sandeep\Local Settings\Application Data\Copernic
2010-04-19 01:42 . 2005-06-06 14:29  110592  ----a-w-  c:\documents and settings\Sandeep\Application Data\U3\temp\cleanup.exe
2010-04-19 01:42 . 2010-04-19 01:42  --------  d-----w-  c:\documents and settings\Sandeep\Application Data\U3
2010-04-15 12:50 . 2010-03-26 14:33  1496064  ----a-w-  c:\documents and settings\Sandeep\Application Data\Mozilla\Firefox\Profiles\61p26v4u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-04-15 12:50 . 2010-03-26 14:33  43008  ----a-w-  c:\documents and settings\Sandeep\Application Data\Mozilla\Firefox\Profiles\61p26v4u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-04-15 12:50 . 2010-03-26 14:33  339456  ----a-w-  c:\documents and settings\Sandeep\Application Data\Mozilla\Firefox\Profiles\61p26v4u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-04-15 12:50 . 2010-03-26 14:32  346112  ----a-w-  c:\documents and settings\Sandeep\Application Data\Mozilla\Firefox\Profiles\61p26v4u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-04-15 02:10 . 2004-08-04 10:00  221184  ----a-w-  c:\windows\system32\wmpns.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 14:06 . 2010-01-14 17:50  --------  d-----w-  c:\documents and settings\Sandeep\Application Data\mjusbsp
2010-05-12 13:48 . 2009-12-03 21:12  --------  d-----w-  c:\program files\Google
2010-05-12 04:20 . 2009-12-04 03:06  --------  d-----w-  c:\program files\Lavasoft
2010-05-10 03:26 . 2010-01-12 05:26  --------  d-----w-  c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-05-08 15:49 . 2010-03-23 02:13  --------  d-----w-  c:\program files\Common Files\Apple
2010-05-08 02:22 . 2010-03-23 02:13  --------  d-----w-  c:\documents and settings\All Users\Application Data\Apple
2010-04-12 02:50 . 2010-04-12 02:50  --------  d-----w-  c:\program files\WinSplit
2010-04-09 12:06 . 2009-12-03 23:09  --------  d-----w-  c:\documents and settings\All Users\Application Data\avg8
2010-04-08 11:15 . 2010-04-08 11:15  --------  d-----w-  c:\documents and settings\Sandeep\Application Data\Lavasoft
2010-04-02 06:41 . 2009-12-03 20:43  --------  d--h--w-  c:\program files\InstallShield Installation Information
2010-03-28 10:06 . 2010-03-28 10:06  55884  ---ha-w-  c:\windows\system32\mlfcache.dat
2010-03-23 02:17 . 2010-03-23 02:16  --------  d-----w-  c:\documents and settings\Sandeep\Application Data\Apple Computer
2010-03-23 02:15 . 2010-03-23 02:15  --------  d-----w-  c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-23 02:15 . 2010-03-23 02:14  --------  d-----w-  c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-23 02:14 . 2010-03-23 02:14  --------  d-----w-  c:\program files\Bonjour
2010-03-23 02:14 . 2010-03-23 02:14  --------  d-----w-  c:\program files\QuickTime
2010-03-23 02:13 . 2010-03-23 02:13  --------  d-----w-  c:\program files\Apple Software Update
2010-03-22 12:17 . 2010-03-21 04:24  --------  d-----w-  c:\program files\Reliance Netconnect
2010-03-17 13:51 . 2010-03-17 13:51  15328  ----a-w-  c:\windows\system32\drivers\pssnap.sys
2010-03-17 13:51 . 2010-03-17 13:51  44512  ----a-w-  c:\windows\system32\drivers\psmounter.sys
2010-03-11 12:38 . 2006-03-04 03:33  832512  ----a-w-  c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 10:00  78336  ------w-  c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 10:00  17408  ------w-  c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 10:00  430080  ----a-w-  c:\windows\system32\vbscript.dll
2010-02-26 23:51 . 2010-02-26 23:51  138584  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-03-02 13:22  6870864  ---ha-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\Upgrade\setup2.exe
2010-02-26 23:51 . 2010-02-26 23:51  6870864  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51  705936  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51  480608  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51  214360  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50  324952  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50  615792  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50  87384  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50  138584  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50  138584  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46  12526424  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-03-02 13:22  743872  ---ha-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45  743872  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45  87384  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45  138584  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44  138584  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43  441704  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43  441704  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43  441704  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43  441704  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43  50520  ----a-w-  c:\documents and settings\Sandeep\Application Data\mjusbsp\cdloader2.exe
2010-02-24 12:31 . 2004-08-04 10:00  454016  ----a-w-  c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 17:35 . 2005-03-30 01:21  2143744  ----a-w-  c:\windows\system32\ntoskrnl.exe
2010-02-16 16:57 . 2005-03-30 01:01  2021888  ----a-w-  c:\windows\system32\ntkrnlpa.exe
2010-02-12 14:37 . 2010-02-12 14:37  15341  ----a-w-  c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2010-02-12 14:36 . 2010-02-12 06:54  5640880  ----a-w-  c:\windows\system32\SpoonUninstall.exe
2010-02-12 14:34 . 2010-02-12 07:17  2180  ----a-w-  c:\windows\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
2010-02-12 07:26 . 2009-12-04 19:49  38784  ----a-w-  c:\documents and settings\Sandeep\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-12 07:24 . 2010-02-12 07:24  86016  ----a-w-  c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-12 06:54 . 2010-02-12 06:54  1927  ----a-w-  c:\windows\system32\SpoonUninstall-dBpowerAMP Real Audio Codec.dat
2010-02-12 04:47 . 2004-08-04 10:00  100864  ----a-w-  c:\windows\system32\6to4svc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-04 39408]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"cdloader"="c:\documents and settings\Sandeep\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"Adobe Reader Synchronizer"="c:\program files\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe" [2009-12-22 542168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-15 137752]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-22 2046816]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-08-31 996616]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-3 1153824]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-03 23:12  11952  ----a-w-  c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"d:\\Software Download\\Installed\\eblitz\\PDFEdit.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Sandeep\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/12/2010 12:26 AM 64288]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [3/17/2010 9:51 AM 15328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/3/2009 7:10 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/3/2009 7:10 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/3/2009 7:12 PM 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1291544]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [3/17/2010 9:51 AM 220128]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [3/28/2009 3:45 PM 31896]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 3:30 AM 135664]
S3 bsusbser;Basecom USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\bsusbser.sys --> c:\windows\system32\DRIVERS\bsusbser.sys [?]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [3/17/2010 9:51 AM 44512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc  REG_MULTI_SZ  vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 04:26]

2010-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-10 c:\windows\Tasks\E Directory Backup xml.job
- c:\program files\Macrium\Reflect\reflect.exe [2010-03-17 13:45]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 07:30]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 07:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.iwon.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} -
FF - ProfilePath - c:\documents and settings\Sandeep\Application Data\Mozilla\Firefox\Profiles\61p26v4u.default\
FF - component: c:\documents and settings\Sandeep\Application Data\Mozilla\Firefox\Profiles\61p26v4u.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Sandeep\Application Data\Mozilla\Firefox\Profiles\61p26v4u.default\extensions\[email protected]\plugins\npTVUAx.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-MyWirelessCard - c:\program files\Micromax\MMX372G\WirelessCard.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 11:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-308236825-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eaopdhiojk"=hex:66,61,69,61,6f,6c,70,6c,67,6b,66,6f,00,31
"dalaoifb"=hex:64,62,6b,6f,6a,6e,67,68,6e,65,6a,6f,6e,69,6e,65,63,6c,69,67,66,6e,6b,70,70,6d,66,62,68,70,6c,65,6b,68,6c,67,69,6e,66,64,00,00
"iagnpocncdjihbofnn"=hex:69,61,68,6d,6e,64,65,62,68,6e,6a,61,69,6b,6f,62,6b,61,00,00
"haaojopghbenalci"=hex:6a,61,66,6e,63,6e,6d,62,6c,6a,64,68,6c,6a,69,66,6c,70,6c,6c,00,d0

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-05-12 11:16:41
ComboFix-quarantined-files.txt 2010-05-12 15:16

Pre-Run: 48,483,545,088 bytes free
Post-Run: 50,582,724,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D4F482184BFF8AA088F3AF8366652103
  2. [quote name='jaisa01' post='119505' date='May 12 2010, 03:39 PM']
No my system doesn't boot after I ran Avenger, it's in a continuous loop shows booting then again restarts
[/quote]

I booted in Safe mode and here is the Avenger log

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "bvlbjcd" deleted successfully.

Error:  file "C:\WINDOWS\system32\fszas.dll" not found!
Deletion of file "C:\WINDOWS\system32\fszas.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Completed script processing.

*******************

Finished!  Terminate.
  3. [quote name='Rorschach112' post='119503' date='May 12 2010, 02:35 PM']
whatever external media you have been using on this PC need to be formatted as they are infected

1. Please download The Avenger by Swandog46 to your Desktop: http://swandog46.geekstogo.com/avenger2/download.php
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the Avenger folder to your desktop
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

[code]
Begin copying here:
Drivers to delete:
bvlbjcd

Files to delete:
C:\WINDOWS\system32\fszas.dll
[/code]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply

Download ComboFix here:
Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.forospyware.com/sUBs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them: http://www.bleepingcomputer.com/forums/topic114351.html
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[img]http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif[/img]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[img]http://img.photobucket.com/albums/v706/ried7/whatnext.png[/img]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
[/quote]

No my system doesn't boot after I ran Avenger, it's in a continuous loop shows booting then again restarts
  4. Here is my GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-12 04:05:53
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Sandeep\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT  Lbd.sys (Boot Driver/Lavasoft AB)  ZwCreateKey [0xBA11887E]
SSDT  Lbd.sys (Boot Driver/Lavasoft AB)  ZwSetValueKey [0xBA118BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc  C:\WINDOWS\system32\drivers\pciide.sys  entry point in ".rsrc" section [0xBA670814]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 00DA000A
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00DB000A
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00D9000C
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxParamW  77D56702 5 Bytes  JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxParamA  77D588E1 5 Bytes  JMP 3E35200B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxIndirectParamW  77D62598 5 Bytes  JMP 3E352046 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxIndirectA  77D6AEF1 5 Bytes  JMP 3E351FC7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxExW  77D80559 5 Bytes  JMP 3E351F53 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxExA  77D8057D 5 Bytes  JMP 3E351F8D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxIndirectParamA  77D86CED 5 Bytes  JMP 3E352081 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxIndirectW  77D960B7 5 Bytes  JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[520] ole32.dll!OleLoadFromStream  77518C62 5 Bytes  JMP 3E352243 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 0096000A
.text  C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 0097000A
.text  C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 3 Bytes  JMP 0095000C
.text  C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!KiUserExceptionDispatcher + 4  7C90E480 1 Byte  [84]
.text  C:\WINDOWS\System32\svchost.exe[1228] USER32.dll!GetCursorPos  77D4C566 5 Bytes  JMP 0212000A
.text  C:\WINDOWS\System32\svchost.exe[1228] ole32.dll!CoCreateInstance  77526009 5 Bytes  JMP 017B000A
.text  C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 00C0000A
.text  C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00C1000A
.text  C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00BF000C
.text  C:\WINDOWS\system32\SearchIndexer.exe[3200] kernel32.dll!WriteFile  7C810D97 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text  C:\WINDOWS\system32\wuauclt.exe[3848] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 00BF000A
.text  C:\WINDOWS\system32\wuauclt.exe[3848] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00C0000A
.text  C:\WINDOWS\system32\wuauclt.exe[3848] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00BE000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW]  [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA]  [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]  [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW]  [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]  [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA]  [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW]  [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject]  [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject]  [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA]  [6144AE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW]  [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW]  [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA]  [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA]  [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW]  [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor]  [61449C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu]  [61449B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx]  [61449B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject]  [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA]  [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW]  [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress]  [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW]  [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA]  [6144AE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow]  [61449D87] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx]  [61449B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA]  [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor]  [61449C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW]  [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush]  [61449CF2] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT  C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu]  [61449B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB) AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3BFEE4 ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] bvlbjcd <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Support Driver Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\[email protected] Maintains links between NTFS files within a computer or across computers in a network domain. 
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd\[email protected] C:\WINDOWS\system32\fszas.dll Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] Support Driver Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 32 Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 2 Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 0 Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet002\Services\[email protected]bjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] Maintains links between NTFS files within a computer or across computers in a network domain. Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd\[email protected] C:\WINDOWS\system32\fszas.dll Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@eaopdhiojk 0x66 0x61 0x69 0x61 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@dalaoifb 0x64 0x62 0x6B 0x6F ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@iagnpocncdjihbofnn 0x69 0x61 0x68 0x6D ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@haaojopghbenalci 0x6A 0x61 0x66 0x6E ... ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ----
5. [quote name='jaisa01' post='119498' date='May 12 2010, 07:33 AM']Anyone have a solution for this? All my Google links are being redirected by cl01cl10cl01.com to other places. Apparently no solutions so far. Anyone know what to do?[/quote]
I did run the scan. Here is the log:

GMER 1.0.15.15281 - [url="http://www.gmer.net"]http://www.gmer.net[/url]
Rootkit scan 2010-05-12 04:05:53
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Sandeep\LOCALS~1\Temp\pxtdypob.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA11887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA118BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xBA670814]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DB000A
.text C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D9000C
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 3E35200B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 3E352046 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 3E351FC7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 3E351F53 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 3E351F8D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 3E352081 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[520] ole32.dll!OleLoadFromStream 77518C62 5 Bytes JMP 3E352243 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0096000A
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0097000A
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 3 Bytes JMP 0095000C
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!KiUserExceptionDispatcher + 4 7C90E480 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1228] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 0212000A
.text C:\WINDOWS\System32\svchost.exe[1228] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 017B000A
.text C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BF000C
.text C:\WINDOWS\system32\SearchIndexer.exe[3200] kernel32.dll!WriteFile 7C810D97 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[3848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\wuauclt.exe[3848] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\wuauclt.exe[3848] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BE000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[2844] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3BFEE4

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] bvlbjcd <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd@DisplayName Support Driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd@Description Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd\Parameters@ServiceDll C:\WINDOWS\system32\fszas.dll
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd@DisplayName Support Driver
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd@Description Maintains links between NTFS files within a computer or across computers in a network domain.
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd\Parameters@ServiceDll C:\WINDOWS\system32\fszas.dll
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@eaopdhiojk 0x66 0x61 0x69 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@dalaoifb 0x64 0x62 0x6B 0x6F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@iagnpocncdjihbofnn 0x69 0x61 0x68 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{60E1EC27-0A4C-C953-AA4A-FF271540B8A6}@haaojopghbenalci 0x6A 0x61 0x66 0x6E ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
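The GMER log in the post above is raw output with no ranking: the hooks that IEFRAME.dll and yui.dll place in their own processes sit beside a hidden netsvcs service, a foreign device object under \Driver\atapi and two "suspicious modification" drivers. The following triage helper is an added example, not part of jaisa01's post and not a GMER component. It re-reads lines in the format shown above and separates the entries a responder acts on first (hidden service with its ServiceDll, modified drivers, device-object hook, JMP hooks whose target GMER could not attribute to a module) from hooks that resolve into a named module. The regular expressions are an assumption derived from this log's layout, since GMER publishes no formal grammar; the sample lines are excerpted from the log above and embedded so the script runs offline.

```python
"""Triage a GMER 1.0.15-style rootkit log by line type.

Added example, not part of the forum post and not a GMER component.
The regular expressions are an assumption derived from the log format
visible in the post above (GMER publishes no formal grammar).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" (act first) or "info" (explained by a named module)
    kind: str
    subject: str
    detail: str


# ".text <process>[pid] <module>!<export> <addr> N Bytes JMP <target> [<owner path> (<description>)]"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+?)!(?P<fn>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+\d+\s+Bytes?\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)
# "Service <image> (*** hidden *** ) [AUTO] <name> <-- ROOTKIT !!!"
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
# "Reg HKLM\SYSTEM\<ControlSet>\Services\<name>\Parameters@ServiceDll <dll>"
SERVICE_DLL_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<name>[^\\]+)\\Parameters@ServiceDll\s+(?P<dll>.+?)\s*$"
)
# "File <path> suspicious modification"
SUSPICIOUS_FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")
# "Device -> \Driver\<drv> \Device\<dev> <addr>"
DEVICE_RE = re.compile(
    r"^Device\s+->\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)\s+(?P<addr>[0-9A-F]{8})"
)


def triage(lines):
    """Return Findings for the log lines; hidden services come last because they need the Reg lines."""
    findings = []
    hidden = {}        # service name -> start type
    service_dlls = {}  # (control set, service name) -> ServiceDll path
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = HOOK_RE.match(line)
        if m:
            where = f"{m['proc']}[{m['pid']}]"
            if m["owner"] is None:
                # The JMP lands in memory GMER could not attribute to a loaded module:
                # injected code, or an in-process hook from a security product. Verify it.
                findings.append(Finding("high", "unbacked-hook", where,
                    f"{m['mod']}!{m['fn']} JMP {m['target']} into unattributed memory"))
            else:
                findings.append(Finding("info", "module-hook", where,
                    f"{m['mod']}!{m['fn']} redirected into {m['owner']} ({m['desc']})"))
            continue
        m = HIDDEN_SVC_RE.match(line)
        if m:
            hidden[m["name"]] = m["start"]
            continue
        m = SERVICE_DLL_RE.match(line)
        if m:
            service_dlls[(m["cs"], m["name"])] = m["dll"]
            continue
        m = SUSPICIOUS_FILE_RE.match(line)
        if m:
            findings.append(Finding("high", "modified-driver", m["path"],
                "on-disk image differs from what GMER expects; replace from a known-good copy"))
            continue
        m = DEVICE_RE.match(line)
        if m:
            findings.append(Finding("high", "device-hook", m["device"],
                f"object at {m['addr']} inserted under {m['driver']}; disk I/O can be filtered below the file system"))
    # A service GMER hides from the service API is the persistence point; name the DLL it loads.
    for name, start in hidden.items():
        dlls = sorted({dll for (_, n), dll in service_dlls.items() if n == name})
        detail = f"hidden {start} service; ServiceDll {', '.join(dlls) if dlls else 'not found in log'}"
        findings.append(Finding("high", "hidden-service", name, detail))
    return findings


# Constructed sample: lines excerpted from the GMER log posted above.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[520] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!KiUserExceptionDispatcher + 4 7C90E480 1 Byte [84]
---- Devices - GMER 1.0.15 ----
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3BFEE4
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] bvlbjcd <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\bvlbjcd\Parameters@ServiceDll C:\WINDOWS\system32\fszas.dll
Reg HKLM\SYSTEM\ControlSet002\Services\bvlbjcd\Parameters@ServiceDll C:\WINDOWS\system32\fszas.dll
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG.splitlines()), key=lambda f: f.severity):
        print(f"[{f.severity}] {f.kind:16} {f.subject}: {f.detail}")
```

Two caveats a responder should keep in mind when reading the output. An "unbacked-hook" is not proof of malware on its own: anti-virus and anti-spyware products (this machine runs both AVG and Lavasoft's Lbd.sys, visible in the Devices section) also patch ntdll entry points inside other processes, so those findings are leads to verify, not verdicts. The entries that do stand on their own are the hidden AUTO service, the ServiceDll it points at, the device object sitting in the atapi chain, and the two drivers GMER reports as modified; those are where cleanup starts, and the Avenger and ComboFix logs in the later post show exactly that service and driver being handled.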
6. Anyone have a solution for this? All my Google links are being redirected by cl01cl10cl01.com to other places. Apparently no solutions so far. Anyone know what to do?