
Google results redirected


This topic is locked
24 replies to this topic

#1 Moginheden


  • Members
  • 14 posts

Posted 29 March 2009 - 12:31 PM

Hello,

I'm fairly computer savvy. I've worked both on a helpdesk and going out to people's homes to fix their computers, so I should have been able to fix this problem on my own... but I'm stumped.

Description of issue:

When I do a Google search sometimes my search results will be redirected. Quite often I'm clicking on a Wikipedia entry, (although it affects other sites too including this one, but for some reason Wikipedia seems the most common to be affected.) On the results page everything looks normal, the title, description, green line with the address, and status bar all show the correct information. When I click on the link I do not get directed to my desired site instead I get directed to an address like the following:



---OR---



---OR---




The websearchmaster one is the most common by far.

If I go back and click on the exact same link I get redirected again; if I go back a 2nd time, again redirected; however, if I go back a 3rd time I get directed to and if I go back a 4th time and click on the same link I finally get to the site I was asking for in the first place.

What I have tried:
I have Kaspersky Internet Security 2009 (paid), SUPERAntiSpyware (free), Ad-Aware (free), and Malwarebytes' Anti-Malware (free) all installed (only Kaspersky is always running; the others are only used for manual scans). I updated each of them and ran their full scans, setting them to scan everything, not just common locations. None of them return any infections (except for cookies, which I removed).

I read this topic as it seemed similar to my issue: I do not have the files C:\WINDOWS\system32\sysaudio.sys or C:\Windows\System32\ntnet.drv on my computer. In my registry the key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\aux has the value ctwdm32.dll and the key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32\aux1 has the value wdmaud.drv. I'm not sure what these are so I haven't changed them.

I ran the online scanner housecall.trendmicro.com and it did not detect any malware or viruses. Although it did complain about me having tools like netcat, and VNC... I use them to test the websites I maintain.

I have altered my hosts file to redirect the fake sites to 127.0.0.1 and now get "page cannot be displayed" instead of advertising, but I still don't get the correct site without retrying multiple times.

I have run ipconfig /flushdns

I have uninstalled and reinstalled the latest version of Adobe Reader and Java

I have run the dds.scr file, as requested by http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ here is the log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by DrdLord at 11:21:55.28 on 29/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2302.1666 [GMT -6:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Gmail Notifier\gnotify.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\DrdLord\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\gmail notifier\gnotify.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Windows Update Utility] \\?\globalroot\systemroot\system32\vfhr.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://ushousecall02.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1223016598749
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {769F75EC-16FC-4DD3-9543-0562D226F534} = 10.55.128.1
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\drdlord\applic~1\mozilla\firefox\profiles\hwbfwz5u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-24 64160]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-3-28 213520]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 206088]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-3-23 216552]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-1-31 33256]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-03-29 11:20 --d----- c:\program files\Sun
2009-03-29 11:20 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-28 22:14 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-03-28 22:14 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-03-28 22:13 5,913,632 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-28 22:13 499,744 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-03-28 22:13 51,472 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-28 22:13 4,884 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-03-28 22:13 --d----- c:\program files\Kaspersky Lab
2009-03-28 22:13 --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-03-28 22:09 --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-03-28 22:06 --d----- c:\windows\pss
2009-03-28 21:42 a-dshr-- C:\cmdcons
2009-03-28 21:41 161,792 a------- c:\windows\SWREG.exe
2009-03-28 21:41 98,816 a------- c:\windows\sed.exe
2009-03-27 17:12 2,736,890 a------- c:\windows\system32\GameMon.des
2009-03-24 00:09 --d----- c:\docume~1\drdlord\applic~1\HouseCall 6.6
2009-03-24 00:09 --d----- c:\windows\system32\HouseCall 6.6
2009-03-23 21:40 477,266 -------- c:\windows\system32\vfhr.exe
2009-03-20 11:38 176,235 a------- c:\windows\system32\Primomonnt.dll
2009-03-20 11:38 --d----- c:\windows\PrimoPDF4
2009-03-20 11:38 --d----- c:\program files\activePDF
2009-03-19 09:08 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-19 09:08 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-15 15:23 --d----- c:\windows\system32\Adobe
2009-03-12 23:56 1,324 a------- c:\windows\system32\d3d9caps.dat
2009-03-03 22:26 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-03-03 22:26 118,520 -------- c:\windows\system32\pxinsi64.exe

==================== Find3M ====================

2009-03-29 11:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-28 22:27 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-23 15:30 33,256 a------- c:\windows\system32\drivers\hssdrv.sys
2009-02-24 21:28 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-24 21:28 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-08-12 00:34 94,080 a------- c:\docume~1\drdlord\applic~1\ezplay.sys
2008-08-12 00:34 87,608 a------- c:\docume~1\drdlord\applic~1\ezpinst.exe
2008-08-12 00:34 47,360 a------- c:\docume~1\drdlord\applic~1\pcouffin.sys
2007-08-10 06:10 36,864 a------- c:\program files\3wdecoder.exe
2008-10-04 15:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100420081005\index.dat

============= FINISH: 11:22:43.92 ===============

Edited by Orange Blossom, 29 March 2009 - 01:14 PM.
Deactivate malicious links and removed codebox tags for ease of reading. ~ OB


#2 Moginheden

  • Topic Starter

  • Members
  • 14 posts

Posted 30 March 2009 - 06:55 PM

I forgot to attach the attach.txt, fixed.

Attached Files



#3 Moginheden

  • Topic Starter

  • Members
  • 14 posts

Posted 01 April 2009 - 08:50 PM

I'm still experiencing this issue. My post was on page 22, should I be bumping it so it gets attention?

#4 KoanYorel


    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 07 April 2009 - 12:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 Moginheden

  • Topic Starter

  • Members
  • 14 posts

Posted 10 April 2009 - 01:45 PM

Odd, I didn't get an email notifying me of a reply to this topic. I'm still experiencing the issue.

new DDS.txt:


DDS (Ver_09-03-16.01) - NTFSx86
Run by DrdLord at 12:42:10.34 on 10/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2302.1772 [GMT -6:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\DrdLord\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\gmail notifier\gnotify.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Windows Update Utility] \\?\globalroot\systemroot\system32\vfhr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://ushousecall02.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1223016598749
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {769F75EC-16FC-4DD3-9543-0562D226F534} = 10.13.240.1
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\drdlord\applic~1\mozilla\firefox\profiles\hwbfwz5u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-24 64160]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-3-28 213520]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-3-23 216552]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-1-31 33256]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 206088]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-04-07 18:17 <DIR> --d----- c:\program files\CCleaner
2009-03-29 12:41 <DIR> --d----- c:\program files\Norton Security Scan
2009-03-29 11:20 <DIR> --d----- c:\program files\Sun
2009-03-29 11:20 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-28 22:14 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-03-28 22:14 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-03-28 22:13 5,953,056 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-28 22:13 524,320 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-03-28 22:13 51,780 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-28 22:13 4,968 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-03-28 22:13 <DIR> --d----- c:\program files\Kaspersky Lab
2009-03-28 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-03-28 22:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-03-28 22:06 <DIR> --d----- c:\windows\pss
2009-03-28 21:42 <DIR> a-dshr-- C:\cmdcons
2009-03-28 21:41 161,792 a------- c:\windows\SWREG.exe
2009-03-28 21:41 98,816 a------- c:\windows\sed.exe
2009-03-27 17:12 2,736,890 a------- c:\windows\system32\GameMon.des
2009-03-24 00:09 <DIR> --d----- c:\docume~1\drdlord\applic~1\HouseCall 6.6
2009-03-24 00:09 <DIR> --d----- c:\windows\system32\HouseCall 6.6
2009-03-23 21:40 477,266 -------- c:\windows\system32\vfhr.exe
2009-03-20 11:38 176,235 a------- c:\windows\system32\Primomonnt.dll
2009-03-20 11:38 <DIR> --d----- c:\windows\PrimoPDF4
2009-03-20 11:38 <DIR> --d----- c:\program files\activePDF
2009-03-19 09:08 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-19 09:08 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-15 15:23 <DIR> --d----- c:\windows\system32\Adobe
2009-03-12 23:56 1,324 a------- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-03 12:18 33,256 a------- c:\windows\system32\drivers\hssdrv.sys
2009-03-29 11:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-28 22:27 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-02-24 21:28 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-24 21:28 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-08-12 00:34 94,080 a------- c:\docume~1\drdlord\applic~1\ezplay.sys
2008-08-12 00:34 87,608 a------- c:\docume~1\drdlord\applic~1\ezpinst.exe
2008-08-12 00:34 47,360 a------- c:\docume~1\drdlord\applic~1\pcouffin.sys
2007-08-10 06:10 36,864 a------- c:\program files\3wdecoder.exe
2008-10-04 15:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100420081005\index.dat

============= FINISH: 12:42:26.90 ===============
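Both DDS logs in this thread (post #1 and the one just above) carry the same two sections a responder reads first: the Pseudo HJT Report's uRun/mRun/dRun autorun entries and the Created Last 30 file listing. The script below is an added triage helper written for this page; it is not code from the thread, from DDS, or from BleepingComputer. It parses those two line formats, flags any autorun entry whose target is written as a `\\?\globalroot` device-namespace path (a form regular installers do not use for Run keys; that heuristic is the editor's, not the thread's), and cross-references the flagged target against the file listing so the reviewer can see when it appeared on disk. The sample lines are excerpted from the posted logs, and the mapping of `\\?\globalroot\systemroot` to `c:\windows` is assumed from the logs' own paths.

```python
"""Triage helper for DDS-style autorun and file-listing lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines excerpted from the DDS logs posted in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Windows Update Utility] \\?\globalroot\systemroot\system32\vfhr.exe

=============== Created Last 30 ================

2009-03-29 11:20 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-23 21:40 477,266 -------- c:\windows\system32\vfhr.exe
"""

# uRun/mRun/dRun/mRunOnce: [display name] command line
RUN_LINE = re.compile(r'^(?P<hive>[umd]Run(?:Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+?)\s*$')
# "YYYY-MM-DD HH:MM [size|<DIR>] attrs path" as printed by DDS (size is absent for
# directories in some DDS versions, so it is optional)
FILE_LINE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+'
    r'(?:(?P<size>[\d,]+|<DIR>)\s+)?'
    r'(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$')
DEVICE_PATH = re.compile(r'^\\\\\?\\globalroot\\', re.IGNORECASE)
SYSTEMROOT_PREFIX = re.compile(r'^\\\\\?\\globalroot\\systemroot\\', re.IGNORECASE)


@dataclass
class Finding:
    hive: str
    name: str
    command: str
    target: str
    reason: str
    created: Optional[str] = None   # timestamp from the file listing, if present
    attrs: Optional[str] = None     # attribute column from the file listing


def executable_from_command(cmd: str) -> str:
    """Return the executable part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_dds(text: str):
    """Split a DDS log into autorun entries and a path-keyed map of file-listing lines."""
    runs, files = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            runs.append(m.groupdict())
            continue
        m = FILE_LINE.match(line)
        if m:
            files[m.group('path').lower()] = m.groupdict()
    return runs, files


def resolve(target: str) -> str:
    """Map a \\?\globalroot\systemroot path to a drive path (assumes SystemRoot is c:\windows)."""
    return SYSTEMROOT_PREFIX.sub(r'c:\\windows\\', target).lower()


def triage(text: str):
    """Flag autorun entries that use the device namespace and look them up in the file listing."""
    runs, files = parse_dds(text)
    findings = []
    for r in runs:
        target = executable_from_command(r['cmd'])
        if not DEVICE_PATH.match(target):
            continue
        f = Finding(r['hive'], r['name'], r['cmd'], target,
                    r'autorun target is a \\?\globalroot device-namespace path; review before trusting')
        hit = files.get(resolve(target))
        if hit:
            f.created, f.attrs = hit['date'], hit['attrs']
        findings.append(f)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] -> {f.target}")
        print(f"  reason : {f.reason}")
        print(f"  created: {f.created or 'not in file listing'}  attrs={f.attrs}")
```

Run it against a full DDS log and it reports the `dRun: [Windows Update Utility]` entry together with the 2009-03-23 21:40 creation time and the `--------` attribute column from the listing; everything else in the sample parses but is not flagged. The check is a reviewer's prompt, not a verdict: it tells the responder which entry to look at first and when the file appeared, which is the question the helpers in this thread ask before choosing a removal tool.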

#6 PropagandaPanda



  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 10 April 2009 - 03:26 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#7 Moginheden

  • Topic Starter

  • Members
  • 14 posts

Posted 10 April 2009 - 08:59 PM

When I ran ComboFix it rebooted my computer and Kaspersky came back on when I booted up. It blocked some part of ComboFix and made ComboFix hang. 30 minutes later, with nothing happening, I tried to end it and it wouldn't close, so I rebooted again and disabled Kaspersky from starting on bootup.

I then re-ran ComboFix and here is its log:


ComboFix 09-04-04.01 - DrdLord 2009-04-10 19:09:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2302.1884 [GMT -6:00]
Running from: c:\documents and settings\DrdLord\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-07 18:17 . 2009-04-07 18:17 <DIR> d-------- c:\program files\CCleaner
2009-03-29 12:41 . 2009-03-29 18:01 <DIR> d-------- c:\program files\Norton Security Scan
2009-03-29 11:20 . 2009-03-29 11:20 <DIR> d-------- c:\program files\Sun
2009-03-29 11:20 . 2009-03-29 11:19 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-28 22:14 . 2009-03-28 22:27 101,287 --a------ c:\windows\system32\drivers\klin.dat
2009-03-28 22:14 . 2009-03-28 22:27 89,601 --a------ c:\windows\system32\drivers\klick.dat
2009-03-28 22:13 . 2009-03-28 22:13 <DIR> d-------- c:\program files\Kaspersky Lab
2009-03-28 22:13 . 2009-04-10 18:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-28 22:13 . 2009-04-10 19:07 5,953,056 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-28 22:13 . 2009-04-10 19:07 524,320 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-03-28 22:13 . 2009-04-10 19:07 51,780 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-28 22:13 . 2009-04-10 19:07 4,968 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-03-28 22:09 . 2009-03-28 22:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-28 21:58 . 2009-03-28 22:13 <DIR> d-------- c:\program files\NOS
2009-03-28 21:58 . 2009-03-28 22:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-27 17:12 . 2009-02-25 10:11 2,736,890 --a------ c:\windows\system32\GameMon.des
2009-03-24 00:09 . 2009-03-24 00:09 <DIR> d-------- c:\windows\system32\HouseCall 6.6
2009-03-24 00:09 . 2009-03-24 00:09 <DIR> d-------- c:\documents and settings\DrdLord\Application Data\HouseCall 6.6
2009-03-23 21:40 . 2009-03-23 21:41 477,266 --------- c:\windows\system32\vfhr.exe
2009-03-20 18:40 . 2009-03-20 18:47 <DIR> d-------- c:\documents and settings\DrdLord\Application Data\Move Networks
2009-03-20 11:38 . 2009-03-20 11:38 <DIR> d-------- c:\windows\PrimoPDF4
2009-03-20 11:38 . 2009-03-20 11:38 <DIR> d-------- c:\program files\activePDF
2009-03-20 11:38 . 2006-12-11 14:12 176,235 --a------ c:\windows\system32\Primomonnt.dll
2009-03-19 09:08 . 2009-03-19 09:08 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-03-19 09:08 . 2009-03-19 09:08 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-03-15 15:23 . 2009-03-29 09:37 <DIR> d-------- c:\windows\system32\Adobe
2009-03-12 23:56 . 2009-03-12 23:56 1,324 --a------ c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 01:10 --------- d-----w c:\program files\PeerGuardian2
2009-04-09 00:53 --------- d-----w c:\program files\Hotspot Shield
2009-04-08 00:13 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 21:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 21:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:18 33,256 ----a-w c:\windows\system32\drivers\hssdrv.sys
2009-04-02 01:36 --------- d-----w c:\documents and settings\DrdLord\Application Data\Azureus
2009-03-29 17:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-29 17:19 --------- d-----w c:\program files\Java
2009-03-29 08:39 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-29 07:07 --------- d-----w c:\program files\Winamp
2009-03-29 04:27 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-29 04:12 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 04:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 04:03 --------- d-----w c:\program files\Common Files\Adobe
2009-03-29 03:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-16 02:24 --------- d-----w c:\program files\Azureus
2009-03-04 04:26 --------- d-----w c:\program files\DivX
2009-02-25 05:53 --------- d-----w c:\documents and settings\DrdLord\Application Data\Malwarebytes
2009-02-25 05:53 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 03:48 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 03:48 --------- d-----w c:\documents and settings\DrdLord\Application Data\SUPERAntiSpyware.com
2009-02-25 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 03:28 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-25 03:28 15,688 ----a-w c:\windows\system32\lsdelete.exe
2009-02-25 03:26 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 03:26 --------- d-----w c:\program files\Lavasoft
2009-02-19 03:00 --------- d-----w c:\program files\Gspot
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-08-12 06:34 94,080 ----a-w c:\documents and settings\DrdLord\Application Data\ezplay.sys
2008-08-12 06:34 87,608 ----a-w c:\documents and settings\DrdLord\Application Data\ezpinst.exe
2008-08-12 06:34 47,360 ----a-w c:\documents and settings\DrdLord\Application Data\pcouffin.sys
2007-08-10 12:10 36,864 ----a-w c:\program files\3wdecoder.exe
2008-10-04 21:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-10_18.31.54.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-11 01:08:36 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_770.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-03-23 18:42 215528 --a------ c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.exe" [2008-09-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update Utility"="\\?\globalroot\systemroot\system32\vfhr.exe" [?]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-24 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [2009-03-23 216552]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-01-31 33256]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 21:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = local
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: {769F75EC-16FC-4DD3-9543-0562D226F534} = 10.8.208.1
FF - ProfilePath - c:\documents and settings\DrdLord\Application Data\Mozilla\Firefox\Profiles\hwbfwz5u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 19:10:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-1336601894-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3e,17,0e,13,02,f1,09,19,d2,27,39,38,95,07,5f,b2,c4,da,4b,82,99,c1,53,
58,43,11,d0,f2,80,c7,47,53,1e,09,b6,18,90,9f,7d,47,0b,b8,8e,80,dc,24,d5,57,\
"??"=hex:a0,6b,7f,94,53,4b,37,aa,9b,19,1c,4e,fa,5f,62,72
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(272)
c:\windows\system32\nvLsp.dll
.
Completion time: 2009-04-10 19:10:53
ComboFix-quarantined-files.txt 2009-04-11 01:10:51

Pre-Run: 2,404,577,280 bytes free
Post-Run: 2,387,529,728 bytes free

173 --- E O F --- 2009-03-16 05:12:18




GMER log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-10 19:31:13
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA97BA72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xAA97C01E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xAA97DA82]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xAA97D438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xAA97B1E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA97F3E4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xAA97BE1A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xAA97B62A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xAA97B82A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xAA97D744]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xAA97F8F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xAA97B940]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xAA97B9A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xAA97D5FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xAA97EEA8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xAA97D294]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xAA97B34A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xAA97BC40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xAA97F40E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xAA97BB96]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xAA97BA10]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA97B714]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xAA97B4F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xAA97F110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xAA97AE6A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA97E30C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xAA97AFCC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xAA97F7C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xAA97AC68]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xAA97D924]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xAA97BF18]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xAA97EFA2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xAA97F438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xAA97B3A0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xAA97F51C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xAA97F648]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xAA97EDD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xAA97BCEA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xAA97BD5C]

INT 0x62 ? 8A789BF8
INT 0x63 ? 8A78CBF8
INT 0xA4 ? 8A528BF8
INT 0xB4 ? 8A78CBF8

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
Code \??\C:\DOCUME~1\DrdLord\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP AA9921E8 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP AA9925A2 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2C68 80504504 4 Bytes CALL 12FADCBA
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [1C, F5, 97, AA, 48, F6, 97, ...] {SBB AL, 0xf5; XCHG EDI, EAX; STOSB ; DEC EAX; NOT BYTE [EDI-0x68122b56]; STOSB }
.text ntkrnlpa.exe!ZwCallbackReturn + 2FC8 80504864 4 Bytes JMP A4AA97BC
? spht.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B84148AC 5 Bytes JMP 8A5281D8
.text afatggtc.SYS B81F8384 1 Byte [20]
.text afatggtc.SYS B81F8384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text afatggtc.SYS B81F83AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text afatggtc.SYS B81F83C4 3 Bytes [00, 00, 00]
.text afatggtc.SYS B81F83C9 1 Byte [00]
.text ...
? C:\DOCUME~1\DrdLord\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spht.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spht.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spht.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spht.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spht.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spht.sys
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [B9FCC530] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [B9FCC530] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7191F8

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbohci \Device\USBPDO-0 8A5271F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A71B1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A71B1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A71B1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A71B1F8
Device \Driver\usbehci \Device\USBPDO-1 8A5221F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{769F75EC-16FC-4DD3-9543-0562D226F534} 89D74500
Device \Driver\PCI_PNP8382 \Device\00000055 spht.sys

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A78A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A78A1F8
Device \Driver\Cdrom \Device\CdRom0 8A482458
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A78A1F8
Device \Driver\Cdrom \Device\CdRom1 8A482458
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A78A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 8A78A1F8
Device \Driver\sptd \Device\4123683382 spht.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 89D74500
Device \Driver\NetBT \Device\NetbiosSmb 89D74500

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbohci \Device\USBFDO-0 8A5271F8
Device \Driver\usbehci \Device\USBFDO-1 8A5221F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D98500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89D98500
Device \Driver\NetBT \Device\NetBT_Tcpip_{0B6310FD-9B0F-46FC-B258-7473AEE85E2B} 89D74500
Device \Driver\Ftdisk \Device\FtControl 8A78A1F8
Device \Driver\afatggtc \Device\Scsi\afatggtc1Port5Path0Target0Lun0 8A417500
Device \Driver\nvgts \Device\Scsi\nvgts2Port3Path1Target1Lun0 8A71A1F8
Device \Driver\afatggtc \Device\Scsi\afatggtc1 8A417500
Device \Driver\nvgts \Device\Scsi\nvgts2Port3Path0Target0Lun0 8A71A1F8
Device \Driver\nvgts \Device\Scsi\nvgts1 8A71A1F8
Device \Driver\nvgts \Device\Scsi\nvgts2 8A71A1F8
Device \Driver\nvgts \Device\Scsi\nvgts3 8A71A1F8
Device \FileSystem\Cdfs \Cdfs 8A2821F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0x58 0x53 0xBE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA5 0xB8 0x34 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCD 0xE2 0x4D 0xBA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0x58 0x53 0xBE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA5 0xB8 0x34 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x07 0x8D 0x7F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0x58 0x53 0xBE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA5 0xB8 0x34 0x5B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCD 0xE2 0x4D 0xBA ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\config\SYSTEM.LOG (size mismatch) 1024/28672 bytes

---- EOF - GMER 1.0.15 ----

#8 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 11 April 2009 - 08:38 AM

Hello.

Looks like the infection was removed.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:

    File::
    c:\windows\system32\vfhr.exe
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update Utility"=-

  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [image]
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Install From Windows Updates
Whenever a security problem in its software is found, Microsoft will create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malware being installed on your computer.

Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please reboot and repeat this process until there are no more updates to install.

Please give me an update on the symptoms.

With Regards,
The Panda
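
As an added example (not code from the thread, from ComboFix, or from BleepingComputer), here is a small Python triage script over the "Reg Loading Points" lines quoted in the log above. It picks out the same entry the CFScript in the post targets, for two reasons a practitioner would check: the "[?]" meta field, which means ComboFix could not read the file's date and size, and the \\?\globalroot\systemroot path, which is the NT object-namespace spelling of %SystemRoot% rather than an ordinary drive-letter path. It then emits the File::/Registry:: directives in the form the post uses. The sample log is constructed from the entries in the log above, and the mapping of globalroot\systemroot to c:\windows is an assumption labelled in the code.

```python
r"""Triage of ComboFix 'Reg Loading Points' autostart entries.

Added example for this thread; it is not part of ComboFix, GMER or the
forum posts. It parses the Run-key blocks ComboFix prints, flags entries
whose file ComboFix could not read ("[?]") or whose path uses the NT device
namespace (\\?\globalroot\...), and emits a CFScript in the File::/Registry::
form used in the post above.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: autostart lines quoted from the ComboFix log in this
# thread, trimmed to a few entries. Not a fresh capture.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update Utility"="\\?\globalroot\systemroot\system32\vfhr.exe" [?]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
"""

# Assumption: %SystemRoot% is c:\windows, as on the XP machine in this thread.
SYSTEMROOT = r"c:\windows"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# \\?\globalroot\systemroot is the NT object-namespace spelling of %SystemRoot%.
GLOBALROOT_SYSROOT_RE = re.compile(r"^\\\\\?\\globalroot\\systemroot", re.IGNORECASE)
DEVICE_NS_PREFIX = "\\\\?\\"  # the literal four characters  \\?\


@dataclass
class AutostartEntry:
    key: str
    name: str
    path: str
    meta: str  # text ComboFix prints inside [...]: "date size", or "?"
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_run_entries(text: str) -> List[AutostartEntry]:
    r"""Parse [key] headers and "name"="path" [meta] lines into records."""
    entries: List[AutostartEntry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append(AutostartEntry(key, m.group("name"), m.group("path"), m.group("meta")))
    return entries


def triage(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    r"""Attach a reason to each entry showing one of the two tells; return the flagged ones."""
    for e in entries:
        if e.meta.strip() == "?":
            e.reasons.append("ComboFix could not read the file (no date/size shown)")
        if e.path.startswith(DEVICE_NS_PREFIX):
            e.reasons.append("NT device-namespace path instead of a drive letter")
    return [e for e in entries if e.suspicious]


def normalise_path(path: str) -> str:
    r"""Rewrite \\?\globalroot\systemroot\... to the plain Win32 path (assumed SYSTEMROOT)."""
    return GLOBALROOT_SYSROOT_RE.sub(lambda _m: SYSTEMROOT, path)


def build_cfscript(findings: List[AutostartEntry]) -> str:
    r"""Emit File::/Registry:: directives for the flagged entries."""
    files = [normalise_path(e.path) for e in findings]
    reg: List[str] = []
    for e in findings:
        reg += [f"[{e.key}]", f'"{e.name}"=-']  # "=-" removes the value
    return "\n".join(["File::", *files, "", "Registry::", *reg]) + "\n"


if __name__ == "__main__":
    flagged = triage(parse_run_entries(SAMPLE_LOG))
    for e in flagged:
        print(f"{e.key}\\{e.name} -> {e.path}: {'; '.join(e.reasons)}")
    print(build_cfscript(flagged))
```

Run against the sample, only the "Windows Update Utility" value is flagged, with both reasons, and the generated script matches the one in the post: the File:: line is c:\windows\system32\vfhr.exe and the Registry:: block deletes that value under HKEY_USERS\.DEFAULT\...\Run. The legitimate entries, including CTFMON.EXE under the same key, are left alone because they carry a date and size and a drive-letter path.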

#9 Moginheden

  • Topic Starter
  • Members
  • 14 posts

Posted 11 April 2009 - 01:47 PM

An infection might have been removed but the original problem remains. My searches are still getting redirected even after running ComboFix with the script and updating Windows.

Here is ComboFix's new output:

ComboFix 09-04-04.01 - DrdLord 2009-04-11 12:40:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2302.1817 [GMT -6:00]
Running from: c:\documents and settings\DrdLord\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DrdLord\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\vfhr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\vfhr.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-07 18:17 . 2009-04-07 18:17 <DIR> d-------- c:\program files\CCleaner
2009-03-29 12:41 . 2009-03-29 18:01 <DIR> d-------- c:\program files\Norton Security Scan
2009-03-29 11:20 . 2009-03-29 11:20 <DIR> d-------- c:\program files\Sun
2009-03-29 11:20 . 2009-03-29 11:19 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-28 22:14 . 2009-03-28 22:27 101,287 --a------ c:\windows\system32\drivers\klin.dat
2009-03-28 22:14 . 2009-03-28 22:27 89,601 --a------ c:\windows\system32\drivers\klick.dat
2009-03-28 22:13 . 2009-03-28 22:13 <DIR> d-------- c:\program files\Kaspersky Lab
2009-03-28 22:13 . 2009-04-10 20:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-28 22:13 . 2009-04-10 19:07 5,953,056 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-28 22:13 . 2009-04-10 19:07 524,320 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-03-28 22:13 . 2009-04-10 19:07 51,780 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-28 22:13 . 2009-04-10 19:07 4,968 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-03-28 22:09 . 2009-03-28 22:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-28 21:58 . 2009-03-28 22:13 <DIR> d-------- c:\program files\NOS
2009-03-28 21:58 . 2009-03-28 22:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-03-27 17:12 . 2009-02-25 10:11 2,736,890 --a------ c:\windows\system32\GameMon.des
2009-03-24 00:09 . 2009-03-24 00:09 <DIR> d-------- c:\windows\system32\HouseCall 6.6
2009-03-24 00:09 . 2009-03-24 00:09 <DIR> d-------- c:\documents and settings\DrdLord\Application Data\HouseCall 6.6
2009-03-20 18:40 . 2009-03-20 18:47 <DIR> d-------- c:\documents and settings\DrdLord\Application Data\Move Networks
2009-03-20 11:38 . 2009-03-20 11:38 <DIR> d-------- c:\windows\PrimoPDF4
2009-03-20 11:38 . 2009-03-20 11:38 <DIR> d-------- c:\program files\activePDF
2009-03-20 11:38 . 2006-12-11 14:12 176,235 --a------ c:\windows\system32\Primomonnt.dll
2009-03-19 09:08 . 2009-03-19 09:08 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-03-19 09:08 . 2009-03-19 09:08 348,160 --a------ c:\windows\system32\msvcr71.dll
2009-03-15 15:23 . 2009-03-29 09:37 <DIR> d-------- c:\windows\system32\Adobe
2009-03-12 23:56 . 2009-03-12 23:56 1,324 --a------ c:\windows\system32\d3d9caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 01:14 --------- d-----w c:\program files\PeerGuardian2
2009-04-09 00:53 --------- d-----w c:\program files\Hotspot Shield
2009-04-08 00:13 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 21:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 21:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:18 33,256 ----a-w c:\windows\system32\drivers\hssdrv.sys
2009-04-02 01:36 --------- d-----w c:\documents and settings\DrdLord\Application Data\Azureus
2009-03-29 17:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-29 17:19 --------- d-----w c:\program files\Java
2009-03-29 08:39 --------- d-----w c:\program files\SUPERAntiSpyware
2009-03-29 07:07 --------- d-----w c:\program files\Winamp
2009-03-29 04:27 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-29 04:12 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 04:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 04:03 --------- d-----w c:\program files\Common Files\Adobe
2009-03-29 03:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-16 02:24 --------- d-----w c:\program files\Azureus
2009-03-04 04:26 --------- d-----w c:\program files\DivX
2009-02-25 05:53 --------- d-----w c:\documents and settings\DrdLord\Application Data\Malwarebytes
2009-02-25 05:53 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 03:48 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 03:48 --------- d-----w c:\documents and settings\DrdLord\Application Data\SUPERAntiSpyware.com
2009-02-25 03:48 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 03:28 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-25 03:28 15,688 ----a-w c:\windows\system32\lsdelete.exe
2009-02-25 03:26 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 03:26 --------- d-----w c:\program files\Lavasoft
2009-02-19 03:00 --------- d-----w c:\program files\Gspot
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-08-12 06:34 94,080 ----a-w c:\documents and settings\DrdLord\Application Data\ezplay.sys
2008-08-12 06:34 87,608 ----a-w c:\documents and settings\DrdLord\Application Data\ezpinst.exe
2008-08-12 06:34 47,360 ----a-w c:\documents and settings\DrdLord\Application Data\pcouffin.sys
2007-08-10 12:10 36,864 ----a-w c:\program files\3wdecoder.exe
2008-10-04 21:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100420081005\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-10_18.31.54.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-11 01:08:36 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_770.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-03-23 18:42 215528 --a------ c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.exe" [2008-09-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-24 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-02-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [2009-03-23 216552]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-01-31 33256]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER
*NewlyCreated* - WDAAXLAJ
*Deregistered* - wdaaxlaj
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 21:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = local
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: {769F75EC-16FC-4DD3-9543-0562D226F534} = 10.8.208.1
FF - ProfilePath - c:\documents and settings\DrdLord\Application Data\Mozilla\Firefox\Profiles\hwbfwz5u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 12:40:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-1336601894-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3e,17,0e,13,02,f1,09,19,d2,27,39,38,95,07,5f,b2,c4,da,4b,82,99,c1,53,
58,43,11,d0,f2,80,c7,47,53,1e,09,b6,18,90,9f,7d,47,0b,b8,8e,80,dc,24,d5,57,\
"??"=hex:a0,6b,7f,94,53,4b,37,aa,9b,19,1c,4e,fa,5f,62,72
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(272)
c:\windows\system32\nvLsp.dll
.
Completion time: 2009-04-11 12:41:20
ComboFix-quarantined-files.txt 2009-04-11 18:41:19
ComboFix2.txt 2009-04-11 01:10:54

Pre-Run: 1,633,656,832 bytes free
Post-Run: 1,616,019,456 bytes free

182 --- E O F --- 2009-03-16 05:12:18

#10 Moginheden

Moginheden
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 11 April 2009 - 01:51 PM

It might not matter, but the redirected searches seem to be going to random pages now, not websearchmaster.net. It might be because ComboFix reset my hosts file, so websearchmaster.net is no longer being directed to 127.0.0.1 and it could be forwarding me on to these other sites.

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:05 AM

Posted 12 April 2009 - 09:22 AM

Hello.

Please run ComboFix again by clicking it, and run a GMER scan as well. Post back with both logs.

With Regards,
The Panda

#12 Moginheden

Moginheden
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 12 April 2009 - 01:16 PM

ComboFix didn't seem to find anything (no reboot), but GMER did say it found a rootkit... the only red highlighted line was Kaspersky, though. Here are the logs:

ComboFix 09-04-12.03 - DrdLord 2009-04-12 11:28.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2302.1699 [GMT -6:00]
Running from: c:\documents and settings\DrdLord\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-12 to 2009-04-12 )))))))))))))))))))))))))))))))
.

2009-04-08 00:17 . 2009-04-08 00:17 -------- d-----w c:\program files\CCleaner
2009-03-29 18:41 . 2009-03-30 00:01 -------- d-----w c:\program files\Norton Security Scan
2009-03-29 17:20 . 2009-03-29 17:20 -------- d-----w c:\program files\Sun
2009-03-29 17:20 . 2009-03-29 17:19 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-03-29 04:14 . 2009-03-29 04:27 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-03-29 04:14 . 2009-03-29 04:27 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-03-29 04:13 . 2009-04-12 17:28 532512 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-29 04:13 . 2009-04-12 17:28 4996 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-29 04:13 . 2009-04-11 18:55 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-29 04:13 . 2009-04-11 01:07 5953056 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-29 04:13 . 2009-04-11 01:07 51780 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-29 04:13 . 2009-03-29 04:13 -------- d-----w c:\program files\Kaspersky Lab
2009-03-29 04:09 . 2009-03-29 04:09 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-29 03:58 . 2009-03-29 04:13 -------- d-----w c:\program files\NOS
2009-03-29 03:58 . 2009-03-29 04:13 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-29 03:41 . 2000-08-31 14:00 89504 ----a-w c:\windows\fdsv.exe
2009-03-27 23:12 . 2009-02-25 16:11 2736890 ----a-w c:\windows\system32\GameMon.des
2009-03-24 06:09 . 2009-03-24 06:09 -------- d-----w c:\documents and settings\DrdLord\Application Data\HouseCall 6.6
2009-03-24 06:09 . 2009-03-24 06:09 -------- d-----w c:\windows\system32\HouseCall 6.6
2009-03-21 00:40 . 2009-03-21 00:47 -------- d-----w c:\documents and settings\DrdLord\Application Data\Move Networks
2009-03-20 17:38 . 2006-12-11 20:12 176235 ----a-w c:\windows\system32\Primomonnt.dll
2009-03-20 17:38 . 2009-03-20 17:38 -------- d-----w c:\windows\PrimoPDF4
2009-03-20 17:38 . 2009-03-20 17:38 -------- d-----w c:\program files\activePDF
2009-03-19 15:08 . 2009-03-19 15:08 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-19 15:08 . 2009-03-19 15:08 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-03-15 21:23 . 2009-03-29 15:37 -------- d-----w c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 18:41 . 2009-04-11 18:41 12105 ----a-w C:\log.txt
2009-04-11 01:14 . 2008-05-03 04:24 -------- d-----w c:\program files\PeerGuardian2
2009-04-11 01:08 . 2009-03-29 08:29 2236 ----a-w C:\aaw7boot.log
2009-04-09 00:53 . 2009-01-18 06:15 -------- d-----w c:\program files\Hotspot Shield
2009-04-08 00:13 . 2009-02-25 05:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 21:32 . 2009-02-25 05:53 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 21:32 . 2009-02-25 05:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:18 . 2009-01-31 06:55 33256 ----a-w c:\windows\system32\drivers\hssdrv.sys
2009-04-02 01:36 . 2008-05-05 05:02 -------- d-----w c:\documents and settings\DrdLord\Application Data\Azureus
2009-03-29 17:19 . 2008-09-06 22:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-29 17:19 . 2008-04-29 00:22 -------- d-----w c:\program files\Java
2009-03-29 08:39 . 2009-02-25 03:48 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-29 07:07 . 2008-09-07 03:26 -------- d-----w c:\program files\Winamp
2009-03-29 04:27 . 2008-01-30 00:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-29 04:12 . 2008-04-26 02:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 04:12 . 2008-04-26 02:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 04:03 . 2008-04-26 20:50 -------- d-----w c:\program files\Common Files\Adobe
2009-03-29 03:56 . 2008-04-25 05:39 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-16 02:24 . 2008-05-05 04:08 -------- d-----w c:\program files\Azureus
2009-03-04 04:26 . 2008-04-26 01:27 -------- d-----w c:\program files\DivX
2009-02-25 05:53 . 2009-02-25 05:53 -------- d-----w c:\documents and settings\DrdLord\Application Data\Malwarebytes
2009-02-25 05:53 . 2009-02-25 05:53 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 03:48 . 2009-02-25 03:48 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 03:48 . 2009-02-25 03:48 -------- d-----w c:\documents and settings\DrdLord\Application Data\SUPERAntiSpyware.com
2009-02-25 03:48 . 2008-04-26 22:07 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 03:28 . 2009-02-25 03:37 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-02-25 03:28 . 2009-02-25 03:28 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-25 03:26 . 2009-02-25 03:26 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 03:26 . 2008-05-18 06:47 -------- d-----w c:\program files\Lavasoft
2009-02-19 03:00 . 2009-02-19 03:00 -------- d-----w c:\program files\Gspot
2009-02-09 11:13 . 2004-08-03 21:17 1846784 ----a-w c:\windows\system32\win32k.sys
2008-08-12 06:34 . 2008-08-12 06:34 94080 ----a-w c:\documents and settings\DrdLord\Application Data\ezplay.sys
2008-08-12 06:34 . 2008-08-12 06:34 87608 ----a-w c:\documents and settings\DrdLord\Application Data\ezpinst.exe
2008-08-12 06:34 . 2008-08-12 06:34 47360 ----a-w c:\documents and settings\DrdLord\Application Data\pcouffin.sys
2007-08-10 12:10 . 2008-12-20 22:41 36864 ----a-w c:\program files\3wdecoder.exe
2009-04-11 01:07 . 2009-03-29 04:13 5953056 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-12 17:28 . 2009-03-29 04:13 532512 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-03-23 18:42 215528 --a------ c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.exe" [2008-09-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-25 2736890]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-03-28 33808]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-02-24 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-29 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [2009-03-23 216552]
S3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\DRIVERS\HssDrv.sys [2009-04-03 33256]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER
*NewlyCreated* - WDAAXLAJ
*Deregistered* - dump_wmimmc
*Deregistered* - wdaaxlaj
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 21:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = local
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: {769F75EC-16FC-4DD3-9543-0562D226F534} = 10.13.176.1
FF - ProfilePath - c:\documents and settings\DrdLord\Application Data\Mozilla\Firefox\Profiles\hwbfwz5u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 11:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-1336601894-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3e,17,0e,13,02,f1,09,19,d2,27,39,38,95,07,5f,b2,c4,da,4b,82,99,c1,53,
58,43,11,d0,f2,80,c7,47,53,1e,09,b6,18,90,9f,7d,47,0b,b8,8e,80,dc,24,d5,57,\
"??"=hex:a0,6b,7f,94,53,4b,37,aa,9b,19,1c,4e,fa,5f,62,72
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(272)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(3780)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-12 11:30
ComboFix-quarantined-files.txt 2009-04-12 17:30
ComboFix2.txt 2009-04-11 18:41
ComboFix3.txt 2009-04-11 01:10

Pre-Run: 1,557,225,472 bytes free
Post-Run: 1,550,159,872 bytes free

181 --- E O F --- 2009-03-16 05:12
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-12 12:14:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xAA97BA72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xAA97C01E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xAA97DA82]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xAA97D438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xAA97B1E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAA97F3E4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xAA97BE1A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xAA97B62A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xAA97B82A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xAA97D744]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xAA97F8F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xAA97B940]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xAA97B9A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xAA97D5FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xAA97EEA8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xAA97D294]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xAA97B34A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xAA97BC40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xAA97F40E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xAA97BB96]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xAA97BA10]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xAA97B714]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xAA97B4F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xAA97F110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xAA97AE6A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xAA97E30C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xAA97AFCC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xAA97F7C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xAA97AC68]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xAA97D924]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xAA97BF18]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xAA97EFA2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xAA97F438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xAA97B3A0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xAA97F51C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xAA97F648]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xAA97EDD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xAA97BCEA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xAA97BD5C]

INT 0x62 ? 8A789BF8
INT 0x63 ? 8A78CBF8
INT 0xA4 ? 8A528BF8
INT 0xB4 ? 8A78CBF8

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
Code \??\C:\DOCUME~1\DrdLord\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP AA9921E8 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP AA9925A2 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2C68 80504504 4 Bytes CALL 12FADCBA
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [1C, F5, 97, AA, 48, F6, 97, ...] {SBB AL, 0xf5; XCHG EDI, EAX; STOSB ; DEC EAX; NOT BYTE [EDI-0x68122b56]; STOSB }
.text ntkrnlpa.exe!ZwCallbackReturn + 2FC8 80504864 4 Bytes JMP A4AA97BC
? spht.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B84148AC 5 Bytes JMP 8A5281D8
.text afatggtc.SYS B81F8384 1 Byte [20]
.text afatggtc.SYS B81F8384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text afatggtc.SYS B81F83AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text afatggtc.SYS B81F83C4 3 Bytes [00, 00, 00]
.text afatggtc.SYS B81F83C9 1 Byte [00]
.text ...
? C:\DOCUME~1\DrdLord\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1768] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1768] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[3300] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[3300] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spht.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spht.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spht.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spht.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spht.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spht.sys
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\afatggtc.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [B9FCC530] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [B9FCC530] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7191F8

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbohci \Device\USBPDO-0 8A5271F8
Device \Driver\usbehci \Device\USBPDO-1 8A5221F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A71B1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A71B1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A71B1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A71B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{769F75EC-16FC-4DD3-9543-0562D226F534} 89D74500
Device \Driver\PCI_PNP8382 \Device\00000055 spht.sys

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A78A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A78A1F8
Device \Driver\Cdrom \Device\CdRom0 8A482458
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A78A1F8
Device \Driver\Cdrom \Device\CdRom1 8A482458
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A78A1F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 8A78A1F8
Device \Driver\sptd \Device\4123683382 spht.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 89D74500
Device \Driver\NetBT \Device\NetbiosSmb 89D74500

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbohci \Device\USBFDO-0 8A5271F8
Device \Driver\usbehci \Device\USBFDO-1 8A5221F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89D98500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89D98500
Device \Driver\NetBT \Device\NetBT_Tcpip_{0B6310FD-9B0F-46FC-B258-7473AEE85E2B} 89D74500
Device \Driver\Ftdisk \Device\FtControl 8A78A1F8
Device \Driver\afatggtc \Device\Scsi\afatggtc1Port5Path0Target0Lun0 8A417500
Device \Driver\nvgts \Device\Scsi\nvgts2Port3Path1Target1Lun0 8A71A1F8
Device \Driver\afatggtc \Device\Scsi\afatggtc1 8A417500
Device \Driver\nvgts \Device\Scsi\nvgts2Port3Path0Target0Lun0 8A71A1F8
Device \Driver\nvgts \Device\Scsi\nvgts1 8A71A1F8
Device \Driver\nvgts \Device\Scsi\nvgts2 8A71A1F8
Device \Driver\nvgts \Device\Scsi\nvgts3 8A71A1F8
Device \FileSystem\Cdfs \Cdfs 8A2821F8
---- Processes - GMER 1.0.15 ----

Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe [3300] 0x05290000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0x58 0x53 0xBE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA5 0xB8 0x34 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCD 0xE2 0x4D 0xBA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0x58 0x53 0xBE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA5 0xB8 0x34 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x34 0x07 0x8D 0x7F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0x58 0x53 0xBE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA5 0xB8 0x34 0x5B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCD 0xE2 0x4D 0xBA ...

---- EOF - GMER 1.0.15 ----

#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 April 2009 - 05:59 PM

Hello.

Please run this CFScript with ComboFix.

Suspect::[59]
c:\windows\system32\GameMon.des

Driver::
wdaaxlaj
Please tell me if the redirects still occur after ComboFix finishes.

With Regards,
The Panda

#14 Moginheden

  • Topic Starter
  • Members
  • 14 posts

Posted 12 April 2009 - 06:30 PM

When I ran ComboFix with that script, it updated itself and then, after a while, rebooted the computer. Searches are still being redirected after it was done.

I hate this malware whatever it is...

Here is the log:

ComboFix 09-04-13.07 - DrdLord 2009-04-12 17:19.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2302.1734 [GMT -6:00]
Running from: c:\documents and settings\DrdLord\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\DrdLord\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WDAAXLAJ
-------\Service_wdaaxlaj


((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-08 00:17 . 2009-04-08 00:17 -------- d-----w c:\program files\CCleaner
2009-03-29 18:41 . 2009-03-30 00:01 -------- d-----w c:\program files\Norton Security Scan
2009-03-29 17:20 . 2009-03-29 17:20 -------- d-----w c:\program files\Sun
2009-03-29 17:20 . 2009-03-29 17:19 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-03-29 04:14 . 2009-03-29 04:27 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-03-29 04:14 . 2009-03-29 04:27 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-03-29 04:13 . 2009-04-13 23:21 5953056 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-29 04:13 . 2009-04-13 23:21 548896 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-29 04:13 . 2009-04-13 23:21 51780 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-29 04:13 . 2009-04-13 23:21 5052 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-29 04:13 . 2009-04-11 18:55 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-29 04:13 . 2009-03-29 04:13 -------- d-----w c:\program files\Kaspersky Lab
2009-03-29 04:09 . 2009-03-29 04:09 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-29 03:58 . 2009-03-29 04:13 -------- d-----w c:\program files\NOS
2009-03-29 03:58 . 2009-03-29 04:13 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-03-27 23:12 . 2009-02-25 16:11 2736890 ----a-w c:\windows\system32\GameMon.des
2009-03-24 06:09 . 2009-03-24 06:09 -------- d-----w c:\documents and settings\DrdLord\Application Data\HouseCall 6.6
2009-03-24 06:09 . 2009-03-24 06:09 -------- d-----w c:\windows\system32\HouseCall 6.6
2009-03-21 00:40 . 2009-03-21 00:47 -------- d-----w c:\documents and settings\DrdLord\Application Data\Move Networks
2009-03-20 17:38 . 2006-12-11 20:12 176235 ----a-w c:\windows\system32\Primomonnt.dll
2009-03-20 17:38 . 2009-03-20 17:38 -------- d-----w c:\windows\PrimoPDF4
2009-03-20 17:38 . 2009-03-20 17:38 -------- d-----w c:\program files\activePDF
2009-03-19 15:08 . 2009-03-19 15:08 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-19 15:08 . 2009-03-19 15:08 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-03-15 21:23 . 2009-03-29 15:37 -------- d-----w c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 23:22 . 2009-03-29 08:29 2460 ----a-w C:\aaw7boot.log
2009-04-11 18:41 . 2009-04-11 18:41 12105 ----a-w C:\log.txt
2009-04-11 01:14 . 2008-05-03 04:24 -------- d-----w c:\program files\PeerGuardian2
2009-04-09 00:53 . 2009-01-18 06:15 -------- d-----w c:\program files\Hotspot Shield
2009-04-08 00:13 . 2009-02-25 05:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 21:32 . 2009-02-25 05:53 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 21:32 . 2009-02-25 05:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 18:18 . 2009-01-31 06:55 33256 ----a-w c:\windows\system32\drivers\hssdrv.sys
2009-04-02 01:36 . 2008-05-05 05:02 -------- d-----w c:\documents and settings\DrdLord\Application Data\Azureus
2009-03-29 17:19 . 2008-09-06 22:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-29 17:19 . 2008-04-29 00:22 -------- d-----w c:\program files\Java
2009-03-29 08:39 . 2009-02-25 03:48 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-29 07:07 . 2008-09-07 03:26 -------- d-----w c:\program files\Winamp
2009-03-29 04:27 . 2008-01-30 00:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-29 04:12 . 2008-04-26 02:54 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-29 04:12 . 2008-04-26 02:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-29 04:03 . 2008-04-26 20:50 -------- d-----w c:\program files\Common Files\Adobe
2009-03-29 03:56 . 2008-04-25 05:39 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-16 02:24 . 2008-05-05 04:08 -------- d-----w c:\program files\Azureus
2009-03-04 04:26 . 2008-04-26 01:27 -------- d-----w c:\program files\DivX
2009-02-25 05:53 . 2009-02-25 05:53 -------- d-----w c:\documents and settings\DrdLord\Application Data\Malwarebytes
2009-02-25 05:53 . 2009-02-25 05:53 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-25 03:48 . 2009-02-25 03:48 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 03:48 . 2009-02-25 03:48 -------- d-----w c:\documents and settings\DrdLord\Application Data\SUPERAntiSpyware.com
2009-02-25 03:48 . 2008-04-26 22:07 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-25 03:28 . 2009-02-25 03:37 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-02-25 03:28 . 2009-02-25 03:28 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-25 03:26 . 2009-02-25 03:26 -------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 03:26 . 2008-05-18 06:47 -------- d-----w c:\program files\Lavasoft
2009-02-19 03:00 . 2009-02-19 03:00 -------- d-----w c:\program files\Gspot
2009-02-17 02:03 . 2008-04-26 01:03 24632 ----a-w c:\documents and settings\DrdLord\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 11:13 . 2004-08-03 21:17 1846784 ----a-w c:\windows\system32\win32k.sys
2008-08-12 06:34 . 2008-08-12 06:34 94080 ----a-w c:\documents and settings\DrdLord\Application Data\ezplay.sys
2008-08-12 06:34 . 2008-08-12 06:34 87608 ----a-w c:\documents and settings\DrdLord\Application Data\ezpinst.exe
2008-08-12 06:34 . 2008-08-12 06:34 47360 ----a-w c:\documents and settings\DrdLord\Application Data\pcouffin.sys
2007-08-10 12:10 . 2008-12-20 22:41 36864 ----a-w c:\program files\3wdecoder.exe
2009-04-13 23:21 . 2009-03-29 04:13 5953056 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-13 23:21 . 2009-03-29 04:13 548896 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-12_11.29.44.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-13 23:23 . 2009-04-13 23:23 16384 c:\windows\Temp\Perflib_Perfdata_130.dat
+ 2009-03-29 04:13 . 2009-04-13 23:21 548896 c:\windows\system32\drivers\fidbox2.dat
+ 2009-04-13 23:21 . 2005-10-21 02:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-04-11 00:27 . 2005-10-21 02:02 163328 c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-03-29 04:13 . 2009-04-13 23:21 5953056 c:\windows\system32\drivers\fidbox.dat
- 2009-03-29 04:13 . 2009-04-11 01:07 5953056 c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-03-23 18:42 215528 --a------ c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.exe" [2008-09-09 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-25 2736890]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-03-28 33808]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-02-24 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-29 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-02-17 55024]
S2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [2009-03-23 216552]
S3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\DRIVERS\HssDrv.sys [2009-04-03 33256]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 21:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = local
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: {769F75EC-16FC-4DD3-9543-0562D226F534} = 10.13.176.1
FF - ProfilePath - c:\documents and settings\DrdLord\Application Data\Mozilla\Firefox\Profiles\hwbfwz5u.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 17:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-861567501-1336601894-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3e,17,0e,13,02,f1,09,19,d2,27,39,38,95,07,5f,b2,c4,da,4b,82,99,c1,53,
58,43,11,d0,f2,80,c7,47,53,1e,09,b6,18,90,9f,7d,47,0b,b8,8e,80,dc,24,d5,57,\
"??"=hex:a0,6b,7f,94,53,4b,37,aa,9b,19,1c,4e,fa,5f,62,72
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(280)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(3172)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\devldr32.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-13 17:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-13 23:24
ComboFix2.txt 2009-04-11 18:41
ComboFix3.txt 2009-04-11 01:10

Pre-Run: 4,492,214,272 bytes free
Post-Run: 4,493,754,368 bytes free

206 --- E O F --- 2009-03-16 05:12

#15 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 13 April 2009 - 08:37 AM

Hello.

Was this only happening for Internet Explorer (if that is the browser you were using)?

Submit File to Online Scanner
There is a file that I would like you to check out for me using VirusTotal/VirSCAN.
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other.
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • c:\windows\system32\GameMon.des
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

With Regards,
The Panda
