Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Links in Browser Redirecting Issue


  • This topic is locked This topic is locked
10 replies to this topic

#1 Pund

Pund

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:30 PM

Posted 30 April 2009 - 11:54 AM

Hello,

I started having problems with my browser - Mozilla Firefox, as I was browsing what I thought was a harmless website. Several popups and windows opened and I started getting security warnings from an icon on the system tray. I had not updated my anti-spyware software in a while and it asked me to do so immediately.

I (stupidly) went and 'updated' the software which turned out to be antivirusXP. The exe file ran and 'updated' the software. About 10 minutes later, when I did a search and found out what antivirusXP was, I did my best to remove it which I believe I did using a software called smitfraudfix.exe.

However despite it's apparent removal, I appear to be having a problem which I can best describe as random links both on google search and otherwise redirecting to other websites. The problem is intermittent. Sometimes it happens and sometimes it doesn't. It happens enough that I know that something is wrong on my computer. I can shut down the browser, reload the webpage, try the link again and sometimes it works. This happens for both Mozilla Firefox and Internet Explorer.

The steps I have taken to try and remove it are as follows:

1. I ran Ad-aware 6.0
2. I ran Malwarebytes Anti-Malware several times. Malwarebytes removed some malware on the first run. Thereafter, every time I reboot the computer, I get almost exactly the same Malware warning, most of which are allegedly 'removed' and two of which require a reboot to remove. I do the reboot, shut my computer down and boot again. The very same Malware warnings show up on Malwarebytes. This obviously means that something is not being removed or that something is being loaded during the boot process.
3. I installed and ran AVG antivirus. It detected some trojans and allgedly removed them.
4. I ran Xoftspy Antispyware software. It detected some objects which were all classified as 'low risk' and removed all of them.
5. I ran Spybot S&D. It also removed some bots or processes.

The problem with the browser still persists.

I went through the process of booting the computer in Safe mode and running cleanups from there including for smitfraudfix.exe and for Spyware S&D separately.

At this point I am at my wits end and would like to ask for some help from the people on this forum if possible.

I created a logfile from Hijackthis and have posted it below:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:27, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061004
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mp4 Player] "C:\Program Files\Mp4 Player\Mp4Player.exe" hmw
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\mjb2j04vx7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\mjb2j04vx7.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3322947688.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 13382 bytes


Thank you for your help in advance.

BC AdBot (Login to Remove)

 


#2 Pund

Pund
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:30 PM

Posted 30 April 2009 - 12:10 PM

In addendum to what I posted above, I just tried to run Spybot S&D twice. Both times, while it was detecting problems at about 4/5ths through the scan (at the same point I thjink), it caused the computer to crash going to a blue screen saying there was a dump of physical memory and asked me to check if I was out of memory.

#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:30 PM

Posted 30 April 2009 - 08:09 PM

Hello Pund,

Welcome to Bleeping Computer.

Sorry for delayed response. Forums have been really busy.

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:30 PM

Posted 02 May 2009 - 11:51 AM

Hello Pund,


Please follow all directions in order given. If you can't complete a step or don't understand a step, stop and post your problem so we can work on a solution.

1.
The following is referring to < Uniblue RegistryBooster 2009 >
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to an "optional fix" and is up to the user, so just take this as a recommendation from my side.

2.
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

3.
Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

4.
Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
Things to include in your next reply:
MBAM log
Combofix .txt
Gmer.log
How is your computer running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:30 PM

Posted 03 May 2009 - 03:46 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :thumbup2:

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#6 Pund

Pund
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:30 PM

Posted 04 May 2009 - 01:04 AM

Hello Fireman4it

Thank you for your help and advice on this issue. Sorry for the delayed response. I followed your instructions to the best of my ability.

I did not use RegistryBooster based on your note but will download it and use it if so recommended in the next phase.

I ran Malwarebytes, combofix and Gmer as recommended. Their logs are as follows:

Malwarebytes:

Malwarebytes' Anti-Malware 1.36
Database version: 1975
Windows 5.1.2600 Service Pack 3

5/3/2009 11:04:19 PM
mbam-log-2009-05-03 (23-04-19).txt

Scan type: Quick Scan
Objects scanned: 77978
Time elapsed: 2 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\afnoinkdsfe.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\RAJIV BHAKAT\Local Settings\Temp\2189328922.exe (Trojan.Downloader) -> Delete on reboot.


Combofix:

ComboFix 09-05-03.1 - RAJIV BHAKAT 05/03/2009 23:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2475 [GMT -4:00]
Running from: c:\documents and settings\RAJIV BHAKAT\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\RAJIV BHAKAT\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\IE4 Error Log.txt
c:\windows\system32\ak1.exe
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\NeW
c:\windows\system32\prnet.tmp
c:\windows\system32\tmp.reg
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winglsetup.exe
c:\windows\Temp\484423388.exe
c:\windows\Temp\484579638.exe
c:\windows\Temp\560985888.exe

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))
.

2009-05-04 03:28 . 2009-05-04 03:28 -------- d-----w c:\windows\system32\KB905474
2009-05-04 03:28 . 2009-05-04 03:28 -------- d-----w c:\windows\LastGood
2009-05-04 03:00 . 2009-05-04 03:00 -------- d-----w C:\Gmer
2009-05-01 15:13 . 2009-05-01 15:13 -------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems
2009-04-30 17:51 . 2009-04-30 17:51 -------- d-----w c:\program files\Viewpoint
2009-04-30 15:58 . 2009-04-30 15:58 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Application Data\Uniblue
2009-04-30 15:58 . 2009-04-30 16:02 -------- dc-h--w c:\documents and settings\All Users\Application Data\~0
2009-04-30 03:06 . 2009-05-04 03:15 -------- d--h--w C:\$AVG8.VAULT$
2009-04-30 02:53 . 2009-05-02 12:42 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-30 02:53 . 2009-05-02 12:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-30 02:53 . 2009-05-02 12:42 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-30 02:52 . 2009-05-03 22:52 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-30 02:52 . 2009-04-30 02:52 -------- d-----w c:\program files\AVG
2009-04-30 02:52 . 2009-04-30 04:06 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-22 05:26 . 2009-04-22 05:28 -------- d-----w C:\Windows Patch
2009-04-22 05:07 . 2009-04-22 05:08 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-22 05:06 . 2009-04-22 05:06 -------- d-----w c:\documents and settings\All Users\Application Data\Citrix
2009-04-22 05:06 . 2009-04-22 05:06 -------- d-----w c:\program files\Citrix
2009-04-22 05:06 . 2009-04-22 05:06 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Local Settings\Application Data\Citrix
2009-04-21 17:03 . 2009-04-21 17:04 87 --s-a-w c:\windows\system32\2561601272.dat
2009-04-16 05:00 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 05:00 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 05:00 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 05:00 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 05:00 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 05:00 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 05:00 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 05:00 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 05:00 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 05:00 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 04:59 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 04:59 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 04:33 . 2009-04-15 04:33 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Local Settings\Application Data\My Games
2009-04-15 03:40 . 2009-04-15 03:40 -------- d-----w c:\windows\nview
2009-04-15 03:39 . 2009-03-27 12:14 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-15 03:39 . 2009-04-15 03:39 -------- d-----w C:\NVIDIA
2009-04-15 03:32 . 2009-04-15 03:33 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-15 03:32 . 2009-04-15 03:32 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Application Data\SystemRequirementsLab
2009-04-15 03:02 . 2009-04-15 03:02 -------- d-----w c:\windows\system32\scripting
2009-04-15 03:02 . 2009-04-15 03:02 -------- d-----w c:\windows\l2schemas
2009-04-15 03:02 . 2009-04-15 03:02 -------- d-----w c:\windows\system32\en
2009-04-15 03:02 . 2009-04-15 03:02 -------- d-----w c:\windows\system32\bits
2009-04-15 02:59 . 2009-04-15 02:59 -------- d-----w c:\windows\ServicePackFiles
2009-04-15 02:41 . 2009-04-15 02:41 22328 ----a-w c:\documents and settings\RAJIV BHAKAT\Application Data\PnkBstrK.sys
2009-04-15 02:37 . 2009-04-15 02:37 -------- d-----w c:\program files\Ubisoft
2009-04-13 16:29 . 2009-04-13 16:29 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-04-13 16:27 . 2009-04-30 01:57 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-04-13 15:26 . 2009-04-13 15:26 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Application Data\Malwarebytes
2009-04-13 15:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-13 15:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 15:26 . 2009-04-13 15:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-13 15:26 . 2009-04-13 15:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 14:56 . 2009-04-13 14:56 -------- d-----w c:\program files\Electronic Arts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 03:29 . 2007-05-22 04:17 446 ----a-w c:\windows\Tasks\XoftSpySE 2.job
2009-05-04 03:28 . 2009-05-04 03:28 260 ----a-w c:\windows\Tasks\WGASetup.job
2009-05-04 03:27 . 2004-08-11 22:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 03:12 . 2006-10-23 01:03 3350 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-05-02 03:12 . 2006-10-23 01:03 88 --sh--r c:\windows\system32\05D9D985C2.sys
2009-05-02 02:53 . 2006-10-08 19:16 74160 ----a-w c:\documents and settings\RAJIV BHAKAT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 15:27 . 2006-10-04 23:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-01 15:17 . 2006-10-04 23:46 -------- d-----w c:\program files\Common Files\Adobe
2009-04-30 17:28 . 2006-11-18 22:23 -------- d-----w c:\program files\Azureus
2009-04-30 06:29 . 2008-10-17 02:29 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-30 01:51 . 2006-10-04 23:45 -------- d-----w c:\program files\Google
2009-04-30 00:03 . 2007-05-22 04:17 -------- d-----w c:\program files\XoftSpySE
2009-04-19 04:00 . 2007-05-22 04:17 376 ----a-w c:\windows\Tasks\XoftSpySE.job
2009-04-19 01:11 . 2006-10-08 02:54 -------- d-----w c:\program files\IrfanView
2009-04-15 03:04 . 2004-08-11 22:14 89183 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-13 14:56 . 2008-07-31 16:59 2536 -c--a-w c:\windows\system32\ealregsnapshot1.reg
2009-04-13 14:23 . 2007-08-15 03:41 -------- d-----w c:\program files\Bethesda Softworks
2009-03-06 14:22 . 2004-08-11 22:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 22:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 22:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 22:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 22:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 22:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 22:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 22:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-11 22:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-11 22:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 22:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-04 14:45 . 2009-02-04 14:45 6 ----a-w c:\windows\Fonts\wfonts.key
2009-02-03 19:59 . 2004-08-11 22:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-01 02:49 . 2008-09-01 02:49 88 --sh--r c:\windows\system32\66BDB5C416.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 4621816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-04 169984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-04 98304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-12 185872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-5-1 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-4 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-22 05:06 10536 ----a-w c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 12:42 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2005-08-30 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2005-08-30 585792]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2005-08-30 262215]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-02 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-02 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-01-29 13088]
S2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-05-17 708176]
S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2008-05-02 205328]
S2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2008-05-02 36368]
S3 athena;athena;c:\windows\system32\DRIVERS\athena.sys [2006-02-25 107392]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{218d7dfe-0fe2-11dc-a2cc-00038a000015}]
\Shell\AutoRun\command - G:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3d0ea52-6cf9-11db-a23e-00038a000015}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f43b0af8-ca25-11dd-a57e-000f212f4067}]
\Shell\AutoRun\command - G:\autoplay.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-04 02:18]

2009-05-04 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 18:44]

2009-04-19 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 18:44]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
HKCU-Run-Mp4 Player - c:\program files\Mp4 Player\Mp4Player.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\mjb2j04vx7.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\560985888.exe
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
HKU-Default-Run-uidenhiufgsduiazghs - c:\windows\TEMP\nyz9aipwhr.exe
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\GetFlash.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\RAJIV BHAKAT\Application Data\Mozilla\Firefox\Profiles\kig0neqy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 23:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys 83968 bytes executable
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthbvtidutemp.tmp 133632 bytes executable
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthnnqvtapuyq.tmp 343040 bytes executable
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthx000 0 bytes
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthxvirtfnnuu.tmp 107520 bytes executable
c:\windows\system32\ovfsthjeehesnhdsyribdbnuxlsykfrydqueqd.dll 18432 bytes executable
c:\windows\system32\ovfsthkeqbvyrkrocanwnisihkhtgqwwtqlccd.dat 87967 bytes
c:\windows\system32\ovfsthotmcglggagdpguwykuvmrefufxnsvrjn.dat 43 bytes
c:\windows\system32\ovfsthsmxndmujowuebedxspncwwclddjncceg.dll 18944 bytes executable
c:\windows\system32\ovfsthypehfegggdueeknrivlnojsonkiofmtk.dll 60928 bytes executable

scan completed successfully
hidden files: 10

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1171390062-1264648214-176906286-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,50,7c,e1,46,96,07,1a,4a,11,af,1f,a6,88,d0,19,4c,48,1a,42,35,16,cd,
2d,83,3a,3e,65,0f,4c,42,d4,bd,10,ce,aa,a0,77,73,83,ac,6f,66,6f,d1,fe,56,05,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1171390062-1264648214-176906286-1006\Software\SecuROM\License information*]
"datasecu"=hex:be,17,d5,3a,b4,d8,16,ac,93,60,d6,0f,90,f8,2e,35,7a,d8,88,d4,bc,
84,b3,c5,62,75,b8,a7,0f,da,60,e5,47,d6,2a,2b,33,a7,35,3f,8d,51,e3,8b,ea,3b,\
"rkeysecu"=hex:4b,29,5b,d3,f5,df,61,8a,b5,32,ee,94,be,dd,de,30
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2972)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\windows\system32\rundll32.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-04 23:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 03:32

Pre-Run: 360,161,165,312 bytes free
Post-Run: 360,333,053,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
323 --- E O F --- 2009-05-04 03:28


Gmer:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-04 01:48:24
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

INT 0x73 ? 8B17EBF8
INT 0x74 ? 8A5EBBF8
INT 0x83 ? 8A5EBBF8
INT 0x84 ? 8A5EBBF8
INT 0x94 ? 8A5EBBF8
INT 0xB1 ? 8B1EFBF8
INT 0xB1 ? 8B181F00
INT 0xB4 ? 8A5EBBF8

Code 8A217A68 ZwEnumerateKey
Code 8A197738 ZwFlushInstructionCache
Code \??\C:\DOCUME~1\RAJIVB~1\LOCALS~1\Temp\catchme.sys IofCallDriver
Code 8A19A5FE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP BA3CAF84 \??\C:\DOCUME~1\RAJIVB~1\LOCALS~1\Temp\catchme.sys
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A19A603
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8A19773C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 8A217A6C
? spzr.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text akgwqt29.SYS B87A9384 1 Byte [20]
.text akgwqt29.SYS B87A9384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text akgwqt29.SYS B87A93AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text akgwqt29.SYS B87A93C4 3 Bytes [00, 00, 00]
.text akgwqt29.SYS B87A93C9 1 Byte [00]
.text ...
.text USBPORT.SYS!DllUnload B814D8AC 5 Bytes JMP 8A5EB1D8
? C:\DOCUME~1\RAJIVB~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A90D480 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A90D2D0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A90D500 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A90D3E0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A90D2D0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A90D3C0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A90D420 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A90D400 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A90D3A0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A90D550 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A90D560 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A90D581 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A90D650 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A90D620 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A90D590 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A90D2E0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A90D270 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A90D2D0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A90D230 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1956] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A90D2B0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spzr.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spzr.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spzr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spzr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spzr.sys
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!READ_PORT_UCHAR] 0000008E
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!KeGetCurrentIrql] 00000043
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!KfRaiseIrql] 00000044
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!KfLowerIrql] 000000C4
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!HalGetInterruptVector] 000000DE
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!HalTranslateBusAddress] 000000E9
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!KeStallExecutionProcessor] 000000CB
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!KfReleaseSpinLock] 00000054
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0000007B
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!READ_PORT_USHORT] 00000094
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000032
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[HAL.dll!WRITE_PORT_UCHAR] 000000A6
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[WMILIB.SYS!WmiSystemControl] 00000023
IAT \SystemRoot\System32\Drivers\akgwqt29.SYS[WMILIB.SYS!WmiCompleteRequest] 0000003D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AF3] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601767] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [63601616] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [63602099] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FCE] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6360206F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AF3] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [63602099] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6360206F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FCE] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [63601616] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B17D1F8

AttachedDevice \FileSystem\Ntfs \Ntfs ikfileflt.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Fastfat \FatCdrom 8A4C5500
Device \FileSystem\Udfs \UdfsCdRom 8A1C3500
Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk 8A1C3500
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A5EA1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B17F1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B17F1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B17F1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B17F1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A5EA1F8
Device \Driver\usbehci \Device\USBPDO-2 8A5D31F8
Device \Driver\PCI_PNP1370 \Device\00000053 spzr.sys
Device \Driver\usbehci \Device\USBPDO-3 8A5D31F8
Device \Driver\PCI_PNP1370 \Device\00000054 spzr.sys
Device \Driver\usbuhci \Device\USBPDO-4 8A5EA1F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBPDO-5 8A5EA1F8
Device \Driver\usbuhci \Device\USBPDO-6 8A5EA1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B1F01F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B1F01F8
Device \Driver\Cdrom \Device\CdRom0 8A4951F8
Device \Driver\Cdrom \Device\CdRom1 8A4951F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B1F01F8
Device \Driver\Cdrom \Device\CdRom2 8A4951F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8B1F01F8
Device \Driver\Cdrom \Device\CdRom3 8A4951F8
Device \Driver\USBSTOR \Device\00000075 87F361F8
Device \Driver\USBSTOR \Device\00000076 87F361F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 87F7D1F8
Device \Driver\NetBT \Device\NetbiosSmb 87F7D1F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8A5EA1F8
Device \Driver\usbuhci \Device\USBFDO-1 8A5EA1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 87F701F8
Device \Driver\usbehci \Device\USBFDO-2 8A5D31F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 87F701F8
Device \Driver\usbuhci \Device\USBFDO-3 8A5EA1F8
Device \Driver\usbuhci \Device\USBFDO-4 8A5EA1F8
Device \Driver\Ftdisk \Device\FtControl 8B1F01F8
Device \Driver\usbuhci \Device\USBFDO-5 8A5EA1F8
Device \Driver\sptd \Device\586752620 spzr.sys
Device \Driver\usbehci \Device\USBFDO-6 8A5D31F8
Device \Driver\akgwqt29 \Device\Scsi\akgwqt291Port2Path0Target0Lun0 8A70F500
Device \Driver\akgwqt29 \Device\Scsi\akgwqt291 8A70F500
Device \FileSystem\Fastfat \Fat 8A4C5500

AttachedDevice \FileSystem\Fastfat \Fat ikfileflt.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Cdfs \Cdfs 8A1A4500
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys (*** hidden *** ) [SYSTEM] ovfsthmlpsnmmyuajttiscejuomblgmkmubvou <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xC0 0x04 0x14 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x90 0x3C 0x45 0x9C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA6 0xE6 0xBB 0xC6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x8C 0x86 0x16 0x63 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x14 0xB9 0xD7 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCB 0x18 0x73 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@imagepath \systemroot\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@inst 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@ver sni060409
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@cid 01
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@bid 276331666-1171390062-1264648214-176906286
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@aid 998
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@sid 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@cmddelay 28801
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@logoffset 87869
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\ff
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{CCA8CDDA-C9F3-428D-9B69-C047894173DF}
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\ff@version 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsth.dll \systemroot\system32\ovfsthypehfegggdueeknrivlnojsonkiofmtk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsthlog.dat \systemroot\system32\ovfsthkeqbvyrkrocanwnisihkhtgqwwtqlccd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsthwi.dll \systemroot\system32\ovfsthjeehesnhdsyribdbnuxlsykfrydqueqd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsthff.dll \systemroot\system32\ovfsthsmxndmujowuebedxspncwwclddjncceg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsth.dat \systemroot\system32\ovfsthotmcglggagdpguwykuvmrefufxnsvrjn.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xC0 0x04 0x14 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x90 0x3C 0x45 0x9C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA6 0xE6 0xBB 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x8C 0x86 0x16 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x14 0xB9 0xD7 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCB 0x18 0x73 0x1C ...
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@imagepath \systemroot\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou@inst 0
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@ver sni060409
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@cid 01
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@bid 276331666-1171390062-1264648214-176906286
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@aid 998
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@sid 3
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@cmddelay 28801
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main@logoffset 86301
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\delete
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\ff
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{CCA8CDDA-C9F3-428D-9B69-C047894173DF}
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\injector
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\main\tasks
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsth.sys \systemroot\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsth.dll \systemroot\system32\ovfsthypehfegggdueeknrivlnojsonkiofmtk.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsthlog.dat \systemroot\system32\ovfsthkeqbvyrkrocanwnisihkhtgqwwtqlccd.dat
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsthwi.dll \systemroot\system32\ovfsthjeehesnhdsyribdbnuxlsykfrydqueqd.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsthff.dll \systemroot\system32\ovfsthsmxndmujowuebedxspncwwclddjncceg.dll
Reg HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou\modules@ovfsth.dat \systemroot\system32\ovfsthotmcglggagdpguwykuvmrefufxnsvrjn.dat
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xC0 0x04 0x14 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x90 0x3C 0x45 0x9C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA6 0xE6 0xBB 0xC6 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x8C 0x86 0x16 0x63 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x14 0xB9 0xD7 0x8A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCB 0x18 0x73 0x1C ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\RAJIV BHAKAT\Local Settings\Temp\ovfsthbvtidutemp.tmp 133632 bytes executable
File C:\Documents and Settings\RAJIV BHAKAT\Local Settings\Temp\ovfsthnnqvtapuyq.tmp 343040 bytes executable
File C:\Documents and Settings\RAJIV BHAKAT\Local Settings\Temp\ovfsthx000 0 bytes
File C:\Documents and Settings\RAJIV BHAKAT\Local Settings\Temp\ovfsthxvirtfnnuu.tmp 107520 bytes executable
File C:\WINDOWS\system32\ovfsthjeehesnhdsyribdbnuxlsykfrydqueqd.dll 18432 bytes executable
File C:\WINDOWS\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys 83968 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\ovfsthkeqbvyrkrocanwnisihkhtgqwwtqlccd.dat 88008 bytes
File C:\WINDOWS\system32\ovfsthotmcglggagdpguwykuvmrefufxnsvrjn.dat 43 bytes
File C:\WINDOWS\system32\ovfsthsmxndmujowuebedxspncwwclddjncceg.dll 18944 bytes executable
File C:\WINDOWS\system32\ovfsthypehfegggdueeknrivlnojsonkiofmtk.dll 60928 bytes executable

---- EOF - GMER 1.0.15 ----



In the interim, after several rounds of cleanup, I managed to reduce the incidence of ridirection of links via links on webpages.

However, I have started to notice the computer running operations when left on and connected to the internet. Once for a few seconds, music played randomly. A second instance was when I returned to the computer as found the Outlook Express e-mail window open with a mail address inputted to something@shopzilla.com. It makes me suspect that I still have a virus or malware which is allowing outside access to the computer (which scares me even more)

I cannot tell if the above operations have solved that problem yet but I will leave the computer on for a few hours to see if I notice any problems.

In the mean time, any advice, or tips based on the above posted logs would be very appreciated.

Thank you again for your help.

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:30 PM

Posted 05 May 2009 - 06:37 PM

Hello Pund,

1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

2.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Trend Micro PC-cillin.

3.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/top...ml#entry1249753

Driver::
ovfsthmlpsnmmyuajttiscejuomblgmkmubvou
ovfsthwkioviiuisqojnogbwmciwkchesadgaq

Collect::
C:\WINDOWS\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys
c:\windows\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthbvtidutemp.tmp
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthnnqvtapuyq.tmp
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthx000
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthxvirtfnnuu.tmp
c:\windows\system32\ovfsthjeehesnhdsyribdbnuxlsykfrydqueqd.dll
c:\windows\system32\ovfsthkeqbvyrkrocanwnisihkhtgqwwtqlccd.dat
c:\windows\system32\ovfsthotmcglggagdpguwykuvmrefufxnsvrjn.dat
c:\windows\system32\ovfsthsmxndmujowuebedxspncwwclddjncceg.dll
c:\windows\system32\ovfsthypehfegggdueeknrivlnojsonkiofmtk.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f43b0af8-ca25-11dd-a57e-000f212f4067}]
[-HKLM\SYSTEM\ControlSet004\Services\ovfsthmlpsnmmyuajttiscejuomblgmkmubvou]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
===========
Note::
If Combofix fails to upload anything please do the following:
Go to Start > My Computer > C:\
Then Navigate to C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip

Click Here to upload the submit.zip please.

4.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\66BDB5C416.sys
c:\windows\system32\05D9D985C2.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


5.
Please update and do another scan with Malwarebytes Anti-Malware and post the log.

6.
Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
Things to include in your next reply:
Jotti or Virustotal logs
Combofix.txt
MBAM log
Gmer.log
HijackThis log
How is your computer running now? Any Signs or Symptoms of infection?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 Pund

Pund
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:30 PM

Posted 06 May 2009 - 10:59 PM

Hello Fireman4it,

Thank you again for all you help.

I would like to remove the trojan from my computer if that is possible.

the steps I took based on the last post are as follows:

1. I ran the CFScript and uploaded the file to the link as recommended in the last post.

2. I tried to find the files you mentioned in the c:\windows\system32 folder and could not find them. I made sure that hidden files were visible in all folders. I also then did a search for *.sys files to see if I could find the files that way. Either way, I did not see the filenames that you asked me to scan.

3. I updates Malwarebytes and ran a scan and created a log.

4. I re-downloaded Gmer from the link and ran a scan which created a log

5. I ranHijackthis and created a log.

The logs generated from the scans are as follows:


CFSript on Combofix


ComboFix 09-05-06.02 - RAJIV BHAKAT 05/06/2009 21:01.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2460 [GMT -4:00]
Running from: c:\documents and settings\RAJIV BHAKAT\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RAJIV BHAKAT\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Trend Micro PC-cillin Internet Security *On-access scanning disabled* (Outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*
* Resident AV is active


file zipped: c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthbvtidutemp.tmp
file zipped: c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthnnqvtapuyq.tmp
file zipped: c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthx000
file zipped: c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthxvirtfnnuu.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthbvtidutemp.tmp
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthnnqvtapuyq.tmp
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthx000
c:\docume~1\RAJIVB~1\LOCALS~1\Temp\ovfsthxvirtfnnuu.tmp
c:\documents and settings\LocalService\protect.dll
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\RAJIV BHAKAT\protect.dll
c:\documents and settings\RAJIV BHAKAT\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\RAJIV BHAKAT\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthwkioviiuisqojnogbwmciwkchesadgaq.sys
c:\windows\system32\ovfsthjeehesnhdsyribdbnuxlsykfrydqueqd.dll
c:\windows\system32\ovfsthkeqbvyrkrocanwnisihkhtgqwwtqlccd.dat
c:\windows\system32\ovfsthotmcglggagdpguwykuvmrefufxnsvrjn.dat
c:\windows\system32\ovfsthsmxndmujowuebedxspncwwclddjncceg.dll
c:\windows\system32\ovfsthypehfegggdueeknrivlnojsonkiofmtk.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthmlpsnmmyuajttiscejuomblgmkmubvou


((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-06 20:56 . 2009-05-06 22:46 27648 ----a-w c:\windows\system32\lmn_setup.exe
2009-05-06 16:43 . 2009-05-06 16:43 -------- d-----w c:\program files\Common Files\BioWare
2009-05-06 16:26 . 2009-05-06 16:43 -------- d-----w c:\program files\Mass Effect
2009-05-04 03:00 . 2009-05-04 03:00 -------- d-----w C:\Gmer
2009-05-01 15:13 . 2009-05-01 15:13 -------- d-----w c:\documents and settings\All Users\Application Data\Adobe Systems
2009-04-30 17:51 . 2009-04-30 17:51 -------- d-----w c:\program files\Viewpoint
2009-04-30 15:58 . 2009-04-30 15:58 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Application Data\Uniblue
2009-04-30 15:58 . 2009-04-30 16:02 -------- dc-h--w c:\documents and settings\All Users\Application Data\~0
2009-04-30 03:06 . 2009-05-04 03:15 -------- d--h--w C:\$AVG8.VAULT$
2009-04-30 02:53 . 2009-05-02 12:42 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-30 02:53 . 2009-05-02 12:42 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-30 02:53 . 2009-05-02 12:42 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-30 02:52 . 2009-05-06 15:21 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-30 02:52 . 2009-04-30 02:52 -------- d-----w c:\program files\AVG
2009-04-30 02:52 . 2009-04-30 04:06 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-22 05:26 . 2009-04-22 05:28 -------- d-----w C:\Windows Patch
2009-04-22 05:07 . 2009-04-22 05:08 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-22 05:06 . 2009-04-22 05:06 -------- d-----w c:\documents and settings\All Users\Application Data\Citrix
2009-04-22 05:06 . 2009-04-22 05:06 -------- d-----w c:\program files\Citrix
2009-04-22 05:06 . 2009-04-22 05:06 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Local Settings\Application Data\Citrix
2009-04-21 17:03 . 2009-04-21 17:04 87 --s-a-w c:\windows\system32\2561601272.dat
2009-04-16 05:00 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 05:00 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 05:00 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 05:00 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 05:00 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 05:00 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 05:00 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 05:00 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 05:00 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 05:00 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 04:59 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 04:59 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 04:33 . 2009-04-15 04:33 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Local Settings\Application Data\My Games
2009-04-15 03:40 . 2009-04-15 03:40 -------- d-----w c:\windows\nview
2009-04-15 03:39 . 2009-03-27 12:14 453152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-04-15 03:39 . 2009-04-15 03:39 -------- d-----w C:\NVIDIA
2009-04-15 03:32 . 2009-04-15 03:33 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-15 03:32 . 2009-04-15 03:32 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Application Data\SystemRequirementsLab
2009-04-15 03:02 . 2009-04-15 03:02 -------- d-----w c:\windows\system32\scripting
2009-04-15 03:02 . 2009-04-15 03:02 -------- d-----w c:\windows\l2schemas
2009-04-15 03:02 . 2009-04-15 03:02 -------- d-----w c:\windows\system32\en
2009-04-15 03:02 . 2009-04-15 03:02 -------- d-----w c:\windows\system32\bits
2009-04-15 02:59 . 2009-04-15 02:59 -------- d-----w c:\windows\ServicePackFiles
2009-04-15 02:41 . 2009-04-15 02:41 22328 ----a-w c:\documents and settings\RAJIV BHAKAT\Application Data\PnkBstrK.sys
2009-04-15 02:37 . 2009-04-15 02:37 -------- d-----w c:\program files\Ubisoft
2009-04-13 16:29 . 2009-04-13 16:29 -------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-04-13 16:27 . 2009-04-30 01:57 -------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-04-13 15:26 . 2009-04-13 15:26 -------- d-----w c:\documents and settings\RAJIV BHAKAT\Application Data\Malwarebytes
2009-04-13 15:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-13 15:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 15:26 . 2009-04-13 15:26 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-13 15:26 . 2009-04-13 15:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 14:56 . 2009-04-13 14:56 -------- d-----w c:\program files\Electronic Arts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 03:12 . 2006-10-23 01:03 3350 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-05-02 03:12 . 2006-10-23 01:03 88 --sh--r c:\windows\system32\05D9D985C2.sys
2009-05-02 02:53 . 2006-10-08 19:16 74160 ----a-w c:\documents and settings\RAJIV BHAKAT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 15:27 . 2006-10-04 23:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-01 15:17 . 2006-10-04 23:46 -------- d-----w c:\program files\Common Files\Adobe
2009-04-30 17:28 . 2006-11-18 22:23 -------- d-----w c:\program files\Azureus
2009-04-30 06:29 . 2008-10-17 02:29 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-30 01:51 . 2006-10-04 23:45 -------- d-----w c:\program files\Google
2009-04-30 00:03 . 2007-05-22 04:17 -------- d-----w c:\program files\XoftSpySE
2009-04-19 01:11 . 2006-10-08 02:54 -------- d-----w c:\program files\IrfanView
2009-04-15 03:04 . 2004-08-11 22:14 89183 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-13 14:56 . 2008-07-31 16:59 2536 -c--a-w c:\windows\system32\ealregsnapshot1.reg
2009-04-13 14:23 . 2007-08-15 03:41 -------- d-----w c:\program files\Bethesda Softworks
2009-03-06 14:22 . 2004-08-11 22:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 22:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 22:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 22:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 22:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 22:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 22:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 22:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-11 22:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-11 22:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 22:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2008-09-01 02:49 . 2008-09-01 02:49 88 --sh--r c:\windows\system32\66BDB5C416.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-04_03.30.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-06 16:18 . 2009-05-06 22:46 24064 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
- 2006-10-08 01:54 . 2009-05-04 03:27 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-08 01:54 . 2009-05-06 22:31 49152 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-08 01:54 . 2009-05-04 03:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-10-08 01:54 . 2009-05-06 22:31 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-11 02:18 . 2009-03-11 02:18 934792 c:\windows\system32\WgaTray.exe
+ 2009-03-11 02:18 . 2009-03-11 02:18 239496 c:\windows\system32\WgaLogon.dll
+ 2009-03-11 02:18 . 2009-03-11 02:18 934792 c:\windows\system32\dllcache\WgaTray.exe
+ 2009-03-11 02:18 . 2009-03-11 02:18 239496 c:\windows\system32\dllcache\wgaLogon.dll
+ 2009-03-11 02:18 . 2009-03-11 02:18 1482112 c:\windows\system32\LegitCheckControl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 176201]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-09-13 4621816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-11-01 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 823362]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-04 169984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-04 98304]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-12 185872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\docume~1\LOCALS~1\protect.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-5-1 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-4 24576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-04-22 05:06 10536 ----a-w c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 12:42 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/29/2009 10:53 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/29/2009 10:53 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/29/2009 10:52 PM 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [1/29/2009 12:11 AM 13088]
R2 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [5/21/2007 11:07 PM 708176]
R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [8/30/2005 5:36 PM 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [8/30/2005 5:36 PM 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [8/30/2005 5:36 PM 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [8/30/2005 5:36 PM 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [8/30/2005 5:36 PM 262215]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [10/4/2006 7:18 PM 107392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{218d7dfe-0fe2-11dc-a2cc-00038a000015}]
\Shell\AutoRun\command - G:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3d0ea52-6cf9-11db-a23e-00038a000015}]
\Shell\AutoRun\command - G:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 18:44]

2009-04-19 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 18:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: turbotax.com
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\RAJIV BHAKAT\Application Data\Mozilla\Firefox\Profiles\kig0neqy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 21:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1171390062-1264648214-176906286-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,50,7c,e1,46,96,07,1a,4a,11,af,1f,a6,88,d0,19,4c,48,1a,42,35,16,cd,
2d,83,3a,3e,65,0f,4c,42,d4,bd,10,ce,aa,a0,77,73,83,ac,6f,66,6f,d1,fe,56,05,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1171390062-1264648214-176906286-1006\Software\SecuROM\License information*]
"datasecu"=hex:fa,1b,a4,95,75,0e,96,4f,54,08,59,8b,30,74,40,47,56,da,aa,f4,a1,
8b,9b,7b,fc,39,05,15,6f,f9,a4,70,57,1b,ca,c1,48,7d,7e,69,5c,20,d7,13,1e,4a,\
"rkeysecu"=hex:9e,57,25,3b,25,d5,aa,f2,73,d3,3c,d9,27,c0,9d,7d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-05-07 21:04
ComboFix-quarantined-files.txt 2009-05-07 01:04
ComboFix2.txt 2009-05-04 03:33

Pre-Run: 351,219,486,720 bytes free
Post-Run: 351,201,779,712 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
286 --- E O F --- 2009-05-04 03:28



Malwarebytes


Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

5/6/2009 9:15:08 PM
mbam-log-2009-05-06 (21-15-08).txt

Scan type: Quick Scan
Objects scanned: 82743
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.



Gmer


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-06 23:42:08
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xA8F998F4]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xA8F978A2]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xA8F97E88]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xA8F9A14C]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0xA8F9A3B0]
SSDT spss.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spss.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spss.sys ZwOpenKey [0xB9EA80C0]
SSDT spss.sys ZwQueryKey [0xB9EC7108]
SSDT spss.sys ZwQueryValueKey [0xB9EC6F88]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0xA8F9A6D8]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xA8F96DB4]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xA8F96420]

INT 0x63 ? 8A6A7BF8
INT 0x73 ? 8B207BF8
INT 0x74 ? 8A6A7BF8
INT 0x83 ? 8A6A7BF8
INT 0x84 ? 8A6A7BF8
INT 0x94 ? 8A6A7BF8
INT 0xB1 ? 8B197BF8
INT 0xB1 ? 8B20ABF8

---- Kernel code sections - GMER 1.0.15 ----

? camygs.sys The system cannot find the file specified. !
? spss.sys The system cannot find the file specified. !
.text avhps32d.SYS B851A384 1 Byte [20]
.text avhps32d.SYS B851A384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text avhps32d.SYS B851A3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text avhps32d.SYS B851A3C4 3 Bytes [00, 00, 00]
.text avhps32d.SYS B851A3C9 1 Byte [00]
.text ...
.text USBPORT.SYS!DllUnload B7EBE8AC 5 Bytes JMP 8A6A71D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A90D480 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A90D2D0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A90D500 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A90D3E0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A90D2D0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A90D3C0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A90D420 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A90D400 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A90D3A0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A90D550 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A90D560 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A90D581 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A90D650 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A90D620 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A90D590 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A90D2E0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A90D270 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A90D2D0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A90D230 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)
.text C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe[1764] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A90D2B0 C:\Program Files\Adobe\Adobe Version Cue CS2\bin\SHSMP.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spss.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spss.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spss.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spss.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spss.sys
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!READ_PORT_UCHAR] 0000008E
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!KeGetCurrentIrql] 00000043
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!KfRaiseIrql] 00000044
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!KfLowerIrql] 000000C4
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!HalGetInterruptVector] 000000DE
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!HalTranslateBusAddress] 000000E9
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!KeStallExecutionProcessor] 000000CB
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!KfReleaseSpinLock] 00000054
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0000007B
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!READ_PORT_USHORT] 00000094
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000032
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[HAL.dll!WRITE_PORT_UCHAR] 000000A6
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[WMILIB.SYS!WmiSystemControl] 00000023
IAT \SystemRoot\System32\Drivers\avhps32d.SYS[WMILIB.SYS!WmiCompleteRequest] 0000003D

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AF3] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601767] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [63601616] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [63602099] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FCE] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6360206F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AF3] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B48] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AAC] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A65] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6360244B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [63602099] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6360206F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FCE] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[1368] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [63601616] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B2061F8

AttachedDevice \FileSystem\Ntfs \Ntfs ikfileflt.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Fastfat \FatCdrom 8A5711F8
Device \Driver\sptd \Device\1861040710 spss.sys

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8A6A61F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B2081F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B2081F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B2081F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B2081F8
Device \Driver\usbuhci \Device\USBPDO-1 8A6A61F8
Device \Driver\usbehci \Device\USBPDO-2 8A68B1F8
Device \Driver\PCI_PNP3210 \Device\00000053 spss.sys
Device \Driver\usbehci \Device\USBPDO-3 8A68B1F8
Device \Driver\PCI_PNP3210 \Device\00000054 spss.sys
Device \Driver\usbuhci \Device\USBPDO-4 8A6A61F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBPDO-5 8A6A61F8
Device \Driver\usbuhci \Device\USBPDO-6 8A6A61F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B1981F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B1981F8
Device \Driver\Cdrom \Device\CdRom0 8A62F1F8
Device \Driver\Cdrom \Device\CdRom1 8A62F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B1981F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8B1981F8
Device \Driver\Cdrom \Device\CdRom2 8A62F1F8
Device \Driver\Cdrom \Device\CdRom3 8A62F1F8
Device \Driver\USBSTOR \Device\00000075 8807B1F8
Device \Driver\USBSTOR \Device\00000076 8807B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 880D31F8
Device \Driver\NetBT \Device\NetbiosSmb 880D31F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8A6A61F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CF106DCF-F3C6-4076-A2B2-E8CCE7A97A03} 880D31F8
Device \Driver\usbuhci \Device\USBFDO-1 8A6A61F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 880CB1F8
Device \Driver\usbehci \Device\USBFDO-2 8A68B1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 880CB1F8
Device \Driver\usbuhci \Device\USBFDO-3 8A6A61F8
Device \Driver\usbuhci \Device\USBFDO-4 8A6A61F8
Device \Driver\Ftdisk \Device\FtControl 8B1981F8
Device \Driver\usbuhci \Device\USBFDO-5 8A6A61F8
Device \Driver\usbehci \Device\USBFDO-6 8A68B1F8
Device \Driver\avhps32d \Device\Scsi\avhps32d1Port2Path0Target0Lun0 8A6F4500
Device \Driver\avhps32d \Device\Scsi\avhps32d1 8A6F4500
Device \FileSystem\Fastfat \Fat 8A5711F8

AttachedDevice \FileSystem\Fastfat \Fat ikfileflt.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Cdfs \Cdfs 8808A500
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xC0 0x04 0x14 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x90 0x3C 0x45 0x9C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA6 0xE6 0xBB 0xC6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x8C 0x86 0x16 0x63 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x14 0xB9 0xD7 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCB 0x18 0x73 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xC0 0x04 0x14 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x90 0x3C 0x45 0x9C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA6 0xE6 0xBB 0xC6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x8C 0x86 0x16 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x14 0xB9 0xD7 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCB 0x18 0x73 0x1C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x73 0xC0 0x04 0x14 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x90 0x3C 0x45 0x9C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA6 0xE6 0xBB 0xC6 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x8C 0x86 0x16 0x63 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x14 0xB9 0xD7 0x8A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCB 0x18 0x73 0x1C ...

---- EOF - GMER 1.0.15 ----



Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:43:16, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061004
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 10977 bytes



In terms of how my computer is working, before I ran the scans, I started to notice redirects happening on Mozilla and IE again. I have not noticed any programs or sounds running by themselves which makes me assume that there was no external access to my computer in the interim.

My PC-cillin anti virus also has been giving warnings about sql.slammer. I searched to see if I had plugged the security vulnerability. It appears that I should have. However are there any steps that I should take in this regard?

Thank you again for all your help. I deeply appreciate your time and effort and hope that these logs give some direction about the problem.

Regards,

Pund

#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:30 PM

Posted 08 May 2009 - 04:21 PM

Hello.

Fireman4it will be unavailable for a while due to some personal things. I will continue to help you.

My PC-cillin anti virus also has been giving warnings about sql.slammer. I searched to see if I had plugged the security vulnerability. It appears that I should have. However are there any steps that I should take in this regard?

Can you provide a screenshot or some kind of log so I can know what that is? Thanks.

Please run this tool next. After you provide these two logs, I will review everything in this thread and formulate a fix for you to follow next post. :thumbup2:

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :dir
    %userprofile%\Local Settings\Application Data
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task


Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:30 PM

Posted 11 May 2009 - 02:31 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 from the last day I replied initially, the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:30 PM

Posted 15 May 2009 - 07:49 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users