Google links redirected to other websites


  • This topic is locked
24 replies to this topic

#1 MiztaMike

  • Members

Posted 05 May 2009 - 03:56 AM

Hi, I've done some searching into this problem and still can't seem to fix it. I've run Malwarebytes' Anti-Malware, Spybot, Adaware, RootRepeal, ComboFix, gmer and still can't seem to fix the problem.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:53:59 AM, on 2009-05-05
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172799228871
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174096892658
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VideoAcceleratorEngine - Unknown owner - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10974 bytes


thanks a lot!


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus

Posted 18 May 2009 - 02:59 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 MiztaMike

MiztaMike
  • Topic Starter

  • Members

Posted 21 May 2009 - 10:50 AM

DDS (Ver_09-05-14.01) - NTFSx86
Run by k at 8:46:47.67 on 2009-05-21
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1380 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\k\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?complete=1&hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172799228871
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174096892658
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-5 28544]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-1-4 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-9-18 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-5 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-9-18 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2008-1-4 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-1-4 648456]
S3 FAELZZZ;FAELZZZ;\??\c:\documents and settings\k\my documents\stuff\uce\faelz.sys --> c:\documents and settings\k\my documents\stuff\uce\faelz.sys [?]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\k\desktop\united engine\ilvmoney1236.sys --> c:\documents and settings\k\desktop\united engine\IlvMoney1236.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-17 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-17 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-17 21632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Revolution1;Revolution1;\??\c:\documents and settings\k\my documents\gb\gb\revolution_engine_8.3_shak3\shak3.sys --> c:\documents and settings\k\my documents\gb\gb\revolution_engine_8.3_shak3\SHAK3.sys [?]
S3 SoRa_DRIVER53;SoRa_DRIVER53;\??\c:\docume~1\k\locals~1\temp\sora_.sys --> c:\docume~1\k\locals~1\temp\SoRa_.sys [?]
S3 WinPhlash;WinPhlash;c:\swsetup\sp42187\swinflash\PhlashNT.sys [2006-9-6 31616]

=============== Created Last 30 ================

2009-05-21 08:34 <DIR> --d----- c:\program files\NHN USA
2009-05-17 22:27 <DIR> --dsh--- c:\documents and settings\k\IECompatCache
2009-05-05 21:02 <DIR> --d----- c:\program files\Panda Security
2009-05-04 23:59 <DIR> --d----- c:\program files\LimeWire
2009-05-03 20:29 <DIR> --d----- c:\docume~1\k\applic~1\Malwarebytes
2009-05-03 20:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-03 00:05 <DIR> --d----- c:\program files\iPod
2009-05-03 00:05 <DIR> --d----- c:\program files\iTunes
2009-05-03 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-01 14:14 <DIR> --dsh--- c:\documents and settings\k\PrivacIE
2009-04-30 15:06 <DIR> --dsh--- c:\documents and settings\k\IETldCache
2009-04-26 13:11 <DIR> --d----- c:\program files\Universal Document Converter
2009-04-26 12:58 <DIR> --d----- c:\program files\Abdio

==================== Find3M ====================

2006-12-04 11:09 0 -c-sh--- c:\windows\sminst\HPCD.SYS
2008-11-24 00:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\history\history.ie5\mshist012008112320081124\index.dat
2008-11-24 01:09 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-14 11:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat
2008-11-24 00:58 16,384 a--sh--- c:\windows\system32\config\systemprofile\temporary internet files\content.ie5\index.dat

============= FINISH: 8:47:43.68 ===============
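The SERVICES / DRIVERS section of a DDS log like the one above is the part a reviewer reads most closely: entries that end in [?] and drivers registered from a user's profile or temp directory stand out against the vendor drivers under system32\drivers. As an added illustration, not code from this thread or from the DDS tool, here is a small Python triage that parses lines in that format (the six sample lines are constructed copies of lines from the log above) and flags those conditions. The reading of [?] as "DDS could not read the file's date and size" and the list of user-writable locations are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the DDS "SERVICES / DRIVERS" section
# posted in this thread (six lines copied in form; not the full log).
SAMPLE_LINES = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-5 28544]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 FAELZZZ;FAELZZZ;\??\c:\documents and settings\k\my documents\stuff\uce\faelz.sys --> c:\documents and settings\k\my documents\stuff\uce\faelz.sys [?]
S3 SoRa_DRIVER53;SoRa_DRIVER53;\??\c:\docume~1\k\locals~1\temp\sora_.sys --> c:\docume~1\k\locals~1\temp\SoRa_.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
"""

# state;service name;display name;image path [date size]   or   ... --> resolved path [?]
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
META_RE = re.compile(r"^(?P<target>.*?)\s+\[(?P<meta>[^\]]*)\]$")
FILE_RE = re.compile(r"^(?P<file>.*?\.(?:sys|exe|dll|des))(?:\s.*)?$", re.IGNORECASE)

# Assumption of this example: locations an unprivileged user can write to.
# A kernel driver registered from one of these deserves a look whatever its name.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\desktop\\",
                 "\\my documents\\", "\\temp\\")
DRIVER_DIR = "\\windows\\system32\\drivers\\"


@dataclass
class Finding:
    state: str
    name: str
    path: str
    flags: list


def parse_entry(line):
    """Return (state, name, lower-cased file path, meta) for one line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # DDS prints "registry path --> resolved path" when they differ; keep the resolved one.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    meta_match = META_RE.match(rest)
    target, meta = (meta_match.group("target"), meta_match.group("meta")) if meta_match else (rest, "")
    target = target.lower()
    if target.startswith("\\??\\"):  # NT object-manager prefix, not part of the file path
        target = target[4:]
    file_match = FILE_RE.match(target)  # drop trailing arguments such as " -service"
    path = file_match.group("file") if file_match else target
    return m.group("state"), m.group("name"), path, meta


def triage(text):
    """Flag entries DDS could not verify ([?]), entries whose image sits in a
    user-writable location, and .sys drivers living outside the drivers directory."""
    findings = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        state, name, path, meta = parsed
        flags = []
        if meta == "?":
            flags.append("unverifiable")  # assumed meaning of [?]: no date/size read for the file
        if any(marker in path for marker in USER_WRITABLE):
            flags.append("user-writable path")
        if path.endswith(".sys") and DRIVER_DIR not in path:
            flags.append("driver outside system32\\drivers")
        if flags:
            findings.append(Finding(state, name, path, flags))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.state} {f.name}: {', '.join(f.flags)}\n    {f.path}")
```

On the sample above the two drivers under the user's profile and temp directory collect all three flags, the GameGuard service is flagged only as unverifiable (it is a .des file in system32), and the two vendor drivers and the Media Center service pass. The flags are a reading aid, not a verdict: a legitimate driver can also be missing after an uninstall, so each hit still needs the human review the helpers in this thread are doing.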


#4 extremeboy

extremeboy

  • Malware Response Team

Posted 21 May 2009 - 04:39 PM

Hello.

Is the redirect in Firefox, Internet explorer or both?

Any specific site you get redirected to? Please post at least 2 links you get redirected to.

Kill the link like this: hxxp://www.google.ca

Update MBAM and do a quick scan. Then re-run DDS and post back with the logs.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 MiztaMike

MiztaMike
  • Topic Starter

  • Members

Posted 22 May 2009 - 08:13 PM

It seems to only happen when I use Firefox (probability around 40% of every link I hit when a search is done through Google).
Tried opening about 20 links from IE and they all worked.

Here are a couple examples:
hxxp://www.thetop10.com/search/default.aspx?kwd=wikipedia&subid=65456-11774-2970
hxxp://www.bullz-eye.com/?amp;n=ab698423&cb=1234567890

Updated MBAM and here's the log:
Malwarebytes' Anti-Malware 1.36
Database version: 2168
Windows 5.1.2600 Service Pack 3

2009-05-22 05:55:57 PM
mbam-log-2009-05-22 (17-55-57).txt

Scan type: Quick Scan
Objects scanned: 93799
Time elapsed: 5 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


DDS:

DDS (Ver_09-05-14.01) - NTFSx86
Run by k at 18:09:13.28 on 2009-05-22
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1350 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\k\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?complete=1&hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172799228871
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174096892658
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-5 28544]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-9-18 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-5 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-9-18 333328]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-1-4 52624]
S3 FAELZZZ;FAELZZZ;\??\c:\documents and settings\k\my documents\stuff\uce\faelz.sys --> c:\documents and settings\k\my documents\stuff\uce\faelz.sys [?]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\k\desktop\united engine\ilvmoney1236.sys --> c:\documents and settings\k\desktop\united engine\IlvMoney1236.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-17 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-17 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-17 21632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 Revolution1;Revolution1;\??\c:\documents and settings\k\my documents\gb\gb\revolution_engine_8.3_shak3\shak3.sys --> c:\documents and settings\k\my documents\gb\gb\revolution_engine_8.3_shak3\SHAK3.sys [?]
S3 SoRa_DRIVER53;SoRa_DRIVER53;\??\c:\docume~1\k\locals~1\temp\sora_.sys --> c:\docume~1\k\locals~1\temp\SoRa_.sys [?]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2008-1-4 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-1-4 648456]
S3 WinPhlash;WinPhlash;c:\swsetup\sp42187\swinflash\PhlashNT.sys [2006-9-6 31616]

=============== Created Last 30 ================

2009-05-21 08:34 <DIR> --d----- c:\program files\NHN USA
2009-05-17 22:27 <DIR> --dsh--- c:\documents and settings\k\IECompatCache
2009-05-05 21:02 <DIR> --d----- c:\program files\Panda Security
2009-05-04 23:59 <DIR> --d----- c:\program files\LimeWire
2009-05-03 20:29 <DIR> --d----- c:\docume~1\k\applic~1\Malwarebytes
2009-05-03 20:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-03 00:05 <DIR> --d----- c:\program files\iPod
2009-05-03 00:05 <DIR> --d----- c:\program files\iTunes
2009-05-03 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-01 14:14 <DIR> --dsh--- c:\documents and settings\k\PrivacIE
2009-04-30 15:06 <DIR> --dsh--- c:\documents and settings\k\IETldCache
2009-04-26 13:11 <DIR> --d----- c:\program files\Universal Document Converter
2009-04-26 12:58 <DIR> --d----- c:\program files\Abdio

==================== Find3M ====================

2006-12-04 11:09 0 -c-sh--- c:\windows\sminst\HPCD.SYS
2008-11-24 00:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\history\history.ie5\mshist012008112320081124\index.dat
2008-11-24 01:09 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-14 11:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat
2008-11-24 00:58 16,384 a--sh--- c:\windows\system32\config\systemprofile\temporary internet files\content.ie5\index.dat

============= FINISH: 18:09:54.69 ===============



#6 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 22 May 2009 - 08:31 PM

Hello.

Please continue with the following.

Download and Run OTM
  • Please download OTM by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the OTM.exe icon on your desktop.
  • Paste the following code under the "Paste Instructions for Items to be Moved" area. Do not include the word "Code".
    :services
    pavboot
    FAELZZZ
    IlvMoneyDRIVER53
    npggsvc
    Revolution1
    SoRa_DRIVER53
    :files
    c:\windows\system32\drivers\pavboot.sys
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large MoveIT! button.
  • Copy/Paste the contents under the Results line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :dir
    %userprofile%\Local Settings\Application Data
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


Download and Run GooredFix using Option1 (Scanning)
  • Please download GooredFix and save it to your Desktop.
    Alternative Download Mirror #2
  • Double-click Goored.exe to run it.
  • A window shall open, please Select 1. [Find Goored (no fix)] by typing 1 and pressing Enter. It will begin scanning.
  • A log will open once it is complete; please post the contents of that log in your next reply.
*Note: The log can also be found on your desktop, called Goored.txt
Please Do not run Option #2 yet.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
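The six services in the OTM :services list above are the DDS entries that stood out in the log: drivers loaded from the user's profile or temp directory, or entries DDS could not stat (the trailing [?]). As an added example, not code from the thread or from any of the tools it uses, here is a small Python triage script that parses the SERVICES / DRIVERS section of a DDS log and flags entries on those two heuristics. The sample lines are constructed to match the shapes in the log above; the flag names and the list of user-writable prefixes are my own assumptions. Note the limitation: pavboot sits in system32\drivers with a real timestamp and is not flagged by path alone, so a listing like this is a starting point for the human reviewer, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few SERVICES / DRIVERS lines in the shape DDS prints
# (state name;display;path [date size]), modelled on the log above.
SAMPLE_LOG = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-5 28544]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 FAELZZZ;FAELZZZ;\??\c:\documents and settings\k\my documents\stuff\uce\faelz.sys --> c:\documents and settings\k\my documents\stuff\uce\faelz.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SoRa_DRIVER53;SoRa_DRIVER53;\??\c:\docume~1\k\locals~1\temp\sora_.sys --> c:\docume~1\k\locals~1\temp\SoRa_.sys [?]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-17 21632]
"""

# "S3 name;display;rest" -- rest holds the path and the trailing [metadata].
LINE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
META_RE = re.compile(r"\s*\[([^\]]*)\]\s*$")
SWITCH_RE = re.compile(r"\s+-\w+$")  # trailing command-line switch such as " -service"

# Locations an unprivileged user can write to (assumption: XP-era layout plus
# the Vista+ profile root). A kernel driver loaded from here is a triage red flag.
USER_WRITABLE_PREFIXES = (
    "c:\\documents and settings\\",
    "c:\\docume~1\\",
    "c:\\users\\",
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image_path: str
    meta: str
    flags: list = field(default_factory=list)


def normalise_path(raw: str) -> str:
    """Reduce a DDS path field to a lower-case, switch-free file path."""
    path = raw.strip()
    if "-->" in path:                      # DDS prints "as-registered --> resolved"
        path = path.split("-->", 1)[1].strip()
    if path.startswith("\\??\\"):          # NT object-manager prefix
        path = path[4:]
    path = SWITCH_RE.sub("", path)
    return path.lower()


def parse_line(line: str):
    """Parse one DDS service line; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, name, display, rest = m.groups()
    mm = META_RE.search(rest)
    meta = mm.group(1) if mm else ""
    return ServiceEntry(state, name, display, normalise_path(META_RE.sub("", rest)), meta)


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach heuristic flags to an entry (heuristic names are my own)."""
    if entry.meta == "?":                  # DDS could not stat the file
        entry.flags.append("no-file-metadata")
    p = entry.image_path
    if p.startswith(USER_WRITABLE_PREFIXES) or "\\temp\\" in p:
        entry.flags.append("user-writable-path")
    return entry


def find_suspicious(log_text: str) -> list:
    """Return the parsed entries that trip at least one heuristic, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and triage(entry).flags:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(f"{e.state} {e.name:<16} {', '.join(e.flags):<36} {e.image_path}")
```

Run against a full DDS log by reading the file and passing its text to find_suspicious; the resolved (right-hand) path after --> is the one checked, since that is the file the service control manager would actually load.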

#7 MiztaMike
  • Topic Starter
  • Members
  • 13 posts

Posted 23 May 2009 - 03:36 PM

Thanks again

here are the results:

OTM:

========== SERVICES/DRIVERS ==========

Service\Driver pavboot deleted successfully.

Service\Driver FAELZZZ deleted successfully.

Service\Driver IlvMoneyDRIVER53 deleted successfully.

Service\Driver npggsvc deleted successfully.

Service\Driver Revolution1 deleted successfully.

Service\Driver SoRa_DRIVER53 deleted successfully.
========== FILES ==========
c:\windows\system32\drivers\pavboot.sys moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\k\LOCALS~1\Temp\etilqs_2JLSrquSYhlYILLyWGqB scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\k\LOCALS~1\Temp\lilo2 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\k\LOCALS~1\Temp\lilo3 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\k\LOCALS~1\Temp\lilo4 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTM by OldTimer - Version 2.1.0.0 log created on 05232009_132408

Files moved on Reboot...
File C:\DOCUME~1\k\LOCALS~1\Temp\etilqs_2JLSrquSYhlYILLyWGqB not found!
File C:\DOCUME~1\k\LOCALS~1\Temp\lilo2 not found!
File C:\DOCUME~1\k\LOCALS~1\Temp\lilo3 not found!
File C:\DOCUME~1\k\LOCALS~1\Temp\lilo4 not found!
C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\k\Local Settings\Application Data\Mozilla\Firefox\Profiles\z8izl030.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...


SystemLook:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 13:33 on 23/05/2009 by k (Administrator - Elevation successful)

========== dir ==========

C:\Documents and Settings\k\Local Settings\Application Data - Parameters: "(none)"

---Files---
73648-88365-27475-00IP7-22847 --a--- 48 bytes [19:48 23/09/2007] [19:49 23/09/2007]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini --a--- 89600 bytes [20:58 23/03/2007] [21:44 21/05/2009]
fusioncache.dat --a--c 124 bytes [14:28 01/03/2007] [14:30 01/03/2007]
GDIPFONTCACHEV1.DAT --a--c 51192 bytes [14:28 01/03/2007] [16:37 17/09/2006]
IconCache.db --ah-- 3706410 bytes [21:17 20/01/2009] [20:25 23/05/2009]

---Folders---
Adobe d----- [03:29 02/03/2007]
Ahead d----- [03:54 24/03/2007]
AOL OCP d----- [01:50 10/09/2007]
Apple d----- [23:09 10/10/2007]
Apple Computer d----- [13:21 11/03/2007]
ApplicationHistory d----- [14:28 01/03/2007]
Google d----- [04:03 02/03/2007]
Graboid_Inc d----- [02:46 06/01/2009]
Help d----- [13:12 02/12/2008]
HP d----- [14:28 01/03/2007]
Identities d----- [21:07 12/01/2009]
Installer34492 d----- [03:01 02/09/2008]
Installer40776 d----- [02:50 02/09/2008]
IsolatedStorage d----- [14:28 01/03/2007]
Microsoft d----- [14:28 01/03/2007]
Microsoft Help d----- [22:21 29/05/2007]
Mozilla d----- [04:22 03/03/2007]
none d----- [04:17 19/01/2008]
PCHealth d----- [14:25 28/05/2007]
QuickPlay d----- [22:15 16/03/2007]
Steam d----- [07:35 04/02/2008]
Thunderbird d----- [04:31 03/03/2007]
{3248F0A6-6813-11D6-A77B-00B0D0150060} d----- [14:28 01/03/2007]

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32]
"aux"="wdmaud.drv"
"aux1"="wdmaud.drv"
"aux2"="wdmaud.drv"
"aux3"="wdmaud.drv"
"midi"="wdmaud.drv"
"midi1"="wdmaud.drv"
"midi2"="wdmaud.drv"
"midi3"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"msacm.ac3acm"="ac3acm.acm"
"msacm.iac2"="C:\WINDOWS\system32\iac25_32.ax"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="C:\WINDOWS\system32\l3codeca.acm"
"msacm.lameacm"="lameACM.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msg723"="msg723.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.trspch"="tssoft32.acm"
"MSVideo8"="VfWWDM32.dll"
"vidc.cvid"="iccvid.dll"
"vidc.DIVX"="DivX.dll"
"VIDC.FFDS"="ff_vfw.dll"
"VIDC.FPS1"="frapsvid.dll"
"VIDC.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"vidc.iv50"="ir50_32.dll"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.M261"="msh261.drv"
"vidc.M263"="msh263.drv"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.XVID"="xvidvfw.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YV12"="DivX.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wave"="wdmaud.drv"
"wave1"="wdmaud.drv"
"wave2"="wdmaud.drv"
"wave3"="wdmaud.drv"
"wavemapper"="msacm32.drv"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\drivers32\Terminal Server]


-=End Of File=-


GooredFix:
GooredFix v1.92 by jpshortstuff
Log created at 13:35 on 23/05/2009 running Option #1 (k)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{C63C4060-9D18-45D5-8A73-DF7B66D8ECD1}

C:\Program Files\Mozilla Firefox\extensions\{1FCDDAAF-C166-48C9-B2D7-09A92EFC5677}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
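The two "Suspect Goored Entries" in the log above are GUID-named folders under the Firefox program extensions directory that have no matching value under HKLM\SOFTWARE\Mozilla\Firefox\extensions, the key where installers register extensions they drop there (the only registered one here is the .NET Framework Assistant). As an added example, not GooredFix's own logic and not code from the thread, here is a Python check that cross-references a directory listing against the registry dump in a GooredFix log. The folder names and registry text are constructed from the values in the log above; the allowlist holding Firefox's default-theme GUID and the placeholder non-GUID folder name are my assumptions. An unregistered folder is not proof of malice (some legitimate installers also skip the registry), so treat the output as a list of folders to inspect.

```python
import re

# Constructed sample: the "Dumping Registry Values" section of a GooredFix log,
# modelled on the one posted above.
REG_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
'''

# Constructed sample: folder names under C:\Program Files\Mozilla Firefox\extensions.
EXTENSION_DIRS = [
    "{972ce4c6-7e08-4474-a285-3208198ce6fd}",  # Firefox default theme, ships with the browser
    "{C63C4060-9D18-45D5-8A73-DF7B66D8ECD1}",
    "{1FCDDAAF-C166-48C9-B2D7-09A92EFC5677}",
    "example-extension@placeholder.invalid",   # placeholder: non-GUID names are ignored here
]

# GUIDs known to belong to the browser itself (assumption; extend as needed).
DEFAULT_ALLOWLIST = ("{972ce4c6-7e08-4474-a285-3208198ce6fd}",)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)


def registered_extensions(reg_dump: str) -> dict:
    """Map lower-cased GUID -> path for values under any key ending in \\Firefox\\extensions."""
    found = {}
    current_key = ""
    for line in reg_dump.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1).lower()
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key.endswith("\\firefox\\extensions"):
            name, path = vm.groups()
            if GUID_RE.match(name):
                found[name.lower()] = path
    return found


def unregistered_extension_dirs(ext_dirs, reg_dump, allowlist=DEFAULT_ALLOWLIST) -> list:
    """GUID-named extension folders with neither a registry entry nor an allowlist match."""
    known = set(registered_extensions(reg_dump)) | {g.lower() for g in allowlist}
    return [d for d in ext_dirs if GUID_RE.match(d) and d.lower() not in known]


if __name__ == "__main__":
    for d in unregistered_extension_dirs(EXTENSION_DIRS, REG_DUMP):
        print("unregistered extension folder:", d)
```

On a live system the folder list would come from os.listdir on the Firefox extensions directory and the registry text from a reg export of the two keys; comparisons are case-insensitive because the registry stores GUIDs in mixed case.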

#8 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 24 May 2009 - 09:52 AM

Hello.

Please continue with the following.

Run SystemLook
  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :file
    C:\Documents and Settings\k\Local Settings\Application Data\73648-88365-27475-00IP7-22847
    :dir
    C:\Documents and Settings\k\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


Run GooredFix using Option2 (Removal)

Please download GooredFix and save it to your Desktop.
Alternative Download Mirror #2

Please make sure all instances of Firefox are closed at this point before proceeding.
  • Please double-click Goored.exe on your Desktop to run it.
  • A window will appear, please Select 2. (Fix Goored) by typing 2 and pressing Enter.
  • Type Y at the prompt and press Enter. The removal process will begin.
  • A log will open with the file after completion; please post the contents of that log in your next reply.
*Note: The log can also be found on your desktop (Goored.txt)

Reboot your computer. Re-run DDS and post back with the DDS logs and the logs above.

~Extremeboy

#9 MiztaMike
  • Topic Starter
  • Members
  • 13 posts

Posted 24 May 2009 - 01:53 PM

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 11:33 on 24/05/2009 by k (Administrator - Elevation successful)

========== file ==========

C:\Documents and Settings\k\Local Settings\Application Data\73648-88365-27475-00IP7-22847 - File found and opened.
MD5: EF42211831354B9D4052987D97C1219E
Created at 19:48 on 23/09/2007
Modified at 19:49 on 23/09/2007
Size: 48 bytes
Attributes: --a---
No version information available.

========== dir ==========

C:\Documents and Settings\k\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060} - Parameters: "(none)"

---Files---
1033.MST --a--c 3584 bytes [14:28 01/03/2007] [18:49 29/06/2006]
J2SE Runtime Environment 5.0 Update 6.msi --a--c 12125696 bytes [14:28 01/03/2007] [18:49 29/06/2006]

---Folders---
None found.

-=End Of File=-


GooredFix v1.92 by jpshortstuff
Log created at 11:35 on 24/05/2009 running Option #2 (k)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{C63C4060-9D18-45D5-8A73-DF7B66D8ECD1}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{1FCDDAAF-C166-48C9-B2D7-09A92EFC5677}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"



DDS (Ver_09-05-14.01) - NTFSx86
Run by k at 11:50:00.09 on 2009-05-24
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1452 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\k\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?complete=1&hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172799228871
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174096892658
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-9-18 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-5 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-9-18 333328]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-1-4 52624]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-17 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-17 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-17 21632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2008-1-4 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-1-4 648456]
S3 WinPhlash;WinPhlash;c:\swsetup\sp42187\swinflash\PhlashNT.sys [2006-9-6 31616]

=============== Created Last 30 ================

2009-05-21 08:34 <DIR> --d----- c:\program files\NHN USA
2009-05-17 22:27 <DIR> --dsh--- c:\documents and settings\k\IECompatCache
2009-05-05 21:02 <DIR> --d----- c:\program files\Panda Security
2009-05-04 23:59 <DIR> --d----- c:\program files\LimeWire
2009-05-03 20:29 <DIR> --d----- c:\docume~1\k\applic~1\Malwarebytes
2009-05-03 20:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-03 00:05 <DIR> --d----- c:\program files\iPod
2009-05-03 00:05 <DIR> --d----- c:\program files\iTunes
2009-05-03 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-01 14:14 <DIR> --dsh--- c:\documents and settings\k\PrivacIE
2009-04-30 15:06 <DIR> --dsh--- c:\documents and settings\k\IETldCache
2009-04-26 13:11 <DIR> --d----- c:\program files\Universal Document Converter
2009-04-26 12:58 <DIR> --d----- c:\program files\Abdio

==================== Find3M ====================

2006-12-04 11:09 0 -c-sh--- c:\windows\sminst\HPCD.SYS
2008-11-24 00:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\history\history.ie5\mshist012008112320081124\index.dat
2008-11-24 01:09 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-14 11:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat
2008-11-24 00:58 16,384 a--sh--- c:\windows\system32\config\systemprofile\temporary internet files\content.ie5\index.dat

============= FINISH: 11:50:24.64 ===============


Edited by MiztaMike, 24 May 2009 - 01:54 PM.


#10 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 24 May 2009 - 05:07 PM

Hello.

Do you still get redirected? Check and see.

Please run an online scan for me. Install Java 6 update 13 to be able to run the online scan below (Kaspersky).

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the [button image] on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the [button image].
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the [button image].
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [button image] if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with a New DDS log afterwards.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.

#11 MiztaMike

  • Topic Starter
  • Members
  • 13 posts

Posted 25 May 2009 - 08:14 PM

Well, I don't get redirected anymore! :thumbup2:

But as requested:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 25, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 25, 2009 22:18:00
Records in database: 2244592
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\k\Start Menu\Programs\StartUp
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 72965
Threat name 18
Infected objects 27
Suspicious objects 1
Duration of the scan 01:15:18

File name Threat name Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\4C.tmp Infected: Packed.Win32.Mondera.b 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\4D.tmp Infected: Packed.Win32.Mondera.b 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\4E.tmp Infected: Packed.Win32.Mondera.b 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\4F.tmp Infected: Packed.Win32.Mondera.b 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0041647.exe Infected: Trojan-Downloader.Win32.Agent.bcst 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0044108.dll Infected: Trojan-Downloader.Win32.Agent.kpo 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0050275.exe Infected: Trojan.Win32.Agent.bktp 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0052333.exe Infected: HackTool.Win32.Injecter.n 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0053990.dll Infected: Trojan-Spy.Win32.BHO.p 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0068623.exe Infected: Packed.Win32.Black.a 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\aimb0YdXL.exe Infected: Packed.Win32.Black.a 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\Backup\senekac6dc.RB0 Infected: Trojan.Win32.Patched.dw 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\bherswjkk[1]_5d0.VIR Infected: Trojan.Win32.Small.ynp 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\CRACKED.EXE Infected: Backdoor.Win32.Bifrose.ahft 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\EE.tmp Infected: Trojan.Win32.Agent.cemi 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\epybk_948.VIR Infected: Trojan.Win32.Small.ynp 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\frmwrk32.exe Infected: Trojan-Downloader.Win32.Agent.bcst 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\hgGaxwvu.dll Infected: Packed.Win32.PolyCrypt.d 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\InjecTOR.exe Infected: HackTool.Win32.Injecter.n 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\ljJCstqr.dll Infected: Trojan.Win32.Agent.asus 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\log.exe Infected: Trojan.Win32.Agent.bktp 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\mss32[1].exe Infected: Trojan.Win32.Inject.kyv 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\seneka.sys Infected: Rootkit.Win32.Agent.gjw 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\SkypeComm.dll Infected: Trojan-Spy.Win32.BHO.p 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\userinit.exe Infected: Trojan.Win32.Agent.bgwt 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\userinit_f1c.VIR Infected: Trojan.Win32.Agent.bgwt 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\xpre.tmp Suspicious: Packed.Win32.PECompact 1
C:\WINDOWS\$NtServicePackUninstall$\sens.dll Infected: Trojan.Win32.Patched.eh 1
The selected area was scanned.


DDS (Ver_09-05-14.01) - NTFSx86
Run by k at 18:10:12.26 on 2009-05-25
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1137 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\k\Local Settings\Temp\jkos-k\binaries\ScanningProcess.exe
C:\Documents and Settings\k\Local Settings\Temp\jkos-k\binaries\ScanningProcess.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\k\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?complete=1&hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172799228871
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174096892658
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-1-4 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-9-18 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-5 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-9-18 333328]
S?3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2008-1-4 488768]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-17 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-17 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-17 21632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-1-4 648456]
S3 WinPhlash;WinPhlash;c:\swsetup\sp42187\swinflash\PhlashNT.sys [2006-9-6 31616]

=============== Created Last 30 ================

2009-05-25 02:30 <DIR> --d----- c:\program files\3DO
2009-05-21 08:34 <DIR> --d----- c:\program files\NHN USA
2009-05-17 22:27 <DIR> --dsh--- c:\documents and settings\k\IECompatCache
2009-05-05 21:02 <DIR> --d----- c:\program files\Panda Security
2009-05-04 23:59 <DIR> --d----- c:\program files\LimeWire
2009-05-03 20:29 <DIR> --d----- c:\docume~1\k\applic~1\Malwarebytes
2009-05-03 20:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-03 00:05 <DIR> --d----- c:\program files\iPod
2009-05-03 00:05 <DIR> --d----- c:\program files\iTunes
2009-05-03 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-01 14:14 <DIR> --dsh--- c:\documents and settings\k\PrivacIE
2009-04-30 15:06 <DIR> --dsh--- c:\documents and settings\k\IETldCache
2009-04-26 13:11 <DIR> --d----- c:\program files\Universal Document Converter
2009-04-26 12:58 <DIR> --d----- c:\program files\Abdio

==================== Find3M ====================

2006-12-04 11:09 0 -c-sh--- c:\windows\sminst\HPCD.SYS
2008-11-24 00:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\history\history.ie5\mshist012008112320081124\index.dat
2008-11-24 01:09 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-14 11:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat
2008-11-24 00:58 16,384 a--sh--- c:\windows\system32\config\systemprofile\temporary internet files\content.ie5\index.dat

============= FINISH: 18:11:05.85 ===============

#12 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 May 2009 - 04:20 PM

Hello.

Please empty out EVERYTHING Trend Micro detected and quarantined.

Alternatively you can navigate to the following folder and delete everything there.

C:\Program Files\Trend Micro\Internet Security\Quarantine <- Delete EVERYTHING in that folder.

Next...

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :file
    C:\WINDOWS\$NtServicePackUninstall$\sens.dll 
    :filefind 
    sens.dll
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.


With Regards,
Extremeboy
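
The triage extremeboy applies above (everything inside the Trend Micro quarantine is already contained; the one hit on a live path is sens.dll) can be automated over the Kaspersky report. This is an added example, not code from the thread or from either product; the report rows are a subset copied from MiztaMike's post, and the quarantine folder and high-risk prefixes are assumptions drawn from that post.

```python
"""Triage a Kaspersky Online Scanner 7 report: separate hits that sit inside
another product's quarantine folder (already contained) from hits on live
system paths that still need action."""
import re
from collections import Counter

# Constructed sample: a subset of the report rows posted in the thread.
SAMPLE_REPORT = """\
File name Threat name Threats count
C:\\Program Files\\Trend Micro\\Internet Security\\Quarantine\\4C.tmp Infected: Packed.Win32.Mondera.b 1
C:\\Program Files\\Trend Micro\\Internet Security\\Quarantine\\CRACKED.EXE Infected: Backdoor.Win32.Bifrose.ahft 1
C:\\Program Files\\Trend Micro\\Internet Security\\Quarantine\\seneka.sys Infected: Rootkit.Win32.Agent.gjw 1
C:\\Program Files\\Trend Micro\\Internet Security\\Quarantine\\userinit.exe Infected: Trojan.Win32.Agent.bgwt 1
C:\\Program Files\\Trend Micro\\Internet Security\\Quarantine\\xpre.tmp Suspicious: Packed.Win32.PECompact 1
C:\\WINDOWS\\$NtServicePackUninstall$\\sens.dll Infected: Trojan.Win32.Patched.eh 1
The selected area was scanned.
"""

# Folders whose contents another scanner has already neutralised (assumption:
# Trend Micro's quarantine path as it appears in the report).
QUARANTINE_DIRS = ("c:\\program files\\trend micro\\internet security\\quarantine\\",)

# Threat-name prefixes that change the advice given (backdoor = assume the
# machine was remotely controllable; rootkit = kernel-level persistence).
HIGH_RISK_PREFIXES = ("Backdoor.", "Rootkit.", "Trojan-Spy.")

# One report row: <path> <Infected|Suspicious>: <threat name> <count>
ROW_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")


def parse_report(text):
    """Return one dict per detection row; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"path": m["path"], "verdict": m["verdict"],
                         "threat": m["threat"], "count": int(m["count"])})
    return rows


def is_quarantined(path):
    """True when the detection lives inside a known quarantine folder."""
    p = path.lower()
    return any(p.startswith(q) for q in QUARANTINE_DIRS)


def triage(rows):
    """Split rows into (contained, live). Only 'live' rows need manual action."""
    contained = [r for r in rows if is_quarantined(r["path"])]
    live = [r for r in rows if not is_quarantined(r["path"])]
    return contained, live


def high_risk_families(rows):
    """Sorted list of high-risk prefixes seen anywhere in the report. A backdoor
    hit matters even inside quarantine: it says the box was remotely
    controllable before containment, which is what drives the advice to
    change passwords from a known clean machine."""
    found = {p for r in rows for p in HIGH_RISK_PREFIXES if r["threat"].startswith(p)}
    return sorted(found)


def summarize(rows):
    """Detections per threat name, to spot families that recur."""
    return Counter(r["threat"] for r in rows)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    contained, live = triage(rows)
    print(f"{len(contained)} contained, {len(live)} live")
    for r in live:
        print("ACTION:", r["path"], r["threat"])
    print("high-risk families:", high_risk_families(rows))
```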

#13 MiztaMike

  • Topic Starter
  • Members
  • 13 posts

Posted 27 May 2009 - 10:40 PM

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 20:38 on 27/05/2009 by k (Administrator - Elevation successful)

========== file ==========

C:\WINDOWS\$NtServicePackUninstall$\sens.dll - File found and opened.
MD5: 0F36B4A5084720320EAF4FF8A7088F71
Created at 16:30 on 14/09/2008
Modified at 04:00 on 16/03/2006
Size: 38912 bytes
Attributes: -----c
FileDescription: System Event Notification Service (SENS)
FileVersion: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion: 5.1.2600.2180
OriginalFilename: sens.dll
InternalName: sens.dll
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

========== filefind ==========

Searching for "sens.dll"
C:\WINDOWS\$NtServicePackUninstall$\sens.dll -----c 38912 bytes [16:30 14/09/2008] [04:00 16/03/2006] 0F36B4A5084720320EAF4FF8A7088F71
C:\WINDOWS\ServicePackFiles\i386\sens.dll ------ 39424 bytes [20:41 02/09/2008] [00:12 14/04/2008] 7FDD5D0684ECA8C1F68B4D99D124DCD0
C:\WINDOWS\system32\sens.dll --a--- 39424 bytes [04:00 16/03/2006] [00:12 14/04/2008] 7FDD5D0684ECA8C1F68B4D99D124DCD0

-=End Of File=-

#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 28 May 2009 - 05:14 PM

Hello.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you wish to continue follow the steps below.


Please navigate to and delete the following file. It has been patched. Although the size of the file is the same as on my computer, the MD5 hash is completely off.

Please delete it:

C:\WINDOWS\$NtServicePackUninstall$\sens.dll <-Delete this file. Empty the recycling bin afterwards.

Download and Run Scan with GMER

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the downloaded GMER program (the randomly named file, or the file extracted from the zip) on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.

  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Post a new set of DDS logs afterwards.

With Regards,
Extremeboy
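
The check extremeboy describes above (same size, different MD5) can be run mechanically over the SystemLook ':filefind' output MiztaMike posted. This is an added example, not part of the thread or of SystemLook; the three log lines are the ones from the post, and treating the ServicePackFiles\i386 copy as the reference is an assumption, as is the field layout inferred from the log.

```python
"""Parse SystemLook ':filefind' lines and compare every copy of a system DLL
against a reference copy, reporting size and MD5 mismatches."""
import re
from collections import defaultdict

# Constructed sample: the filefind section MiztaMike posted for sens.dll.
SAMPLE_FILEFIND = """\
Searching for "sens.dll"
C:\\WINDOWS\\$NtServicePackUninstall$\\sens.dll -----c 38912 bytes [16:30 14/09/2008] [04:00 16/03/2006] 0F36B4A5084720320EAF4FF8A7088F71
C:\\WINDOWS\\ServicePackFiles\\i386\\sens.dll ------ 39424 bytes [20:41 02/09/2008] [00:12 14/04/2008] 7FDD5D0684ECA8C1F68B4D99D124DCD0
C:\\WINDOWS\\system32\\sens.dll --a--- 39424 bytes [04:00 16/03/2006] [00:12 14/04/2008] 7FDD5D0684ECA8C1F68B4D99D124DCD0
"""

# One filefind line: <path> <6 attribute flags> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")

# Assumption: the service pack's own file cache is the trusted copy.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
UNINSTALL_DIR = "$ntservicepackuninstall$"


def parse_filefind(text):
    """Return one dict per matched file; the 'Searching for' header is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def pick_reference(entries):
    """Prefer the ServicePackFiles copy; otherwise the hash most copies share."""
    for e in entries:
        if REFERENCE_DIR in e["path"].lower():
            return e
    by_md5 = defaultdict(list)
    for e in entries:
        by_md5[e["md5"]].append(e)
    return max(by_md5.values(), key=len)[0]


def compare(entries):
    """Return (reference, per-copy report). A copy under
    $NtServicePackUninstall$ is the pre-service-pack build (the log shows
    FileVersion 5.1.2600.2180 there), so a hash differing from the SP copy is
    a candidate to corroborate, not proof by itself; in the thread the
    corroboration is Kaspersky's Trojan.Win32.Patched.eh verdict."""
    ref = pick_reference(entries)
    report = []
    for e in entries:
        report.append({
            "path": e["path"],
            "md5_matches_reference": e["md5"] == ref["md5"],
            "size_matches_reference": e["size"] == ref["size"],
            "is_uninstall_backup": UNINSTALL_DIR in e["path"].lower(),
        })
    return ref, report


def outliers(entries):
    """Paths whose MD5 differs from the reference copy."""
    _, report = compare(entries)
    return [r["path"] for r in report if not r["md5_matches_reference"]]


if __name__ == "__main__":
    entries = parse_filefind(SAMPLE_FILEFIND)
    ref, report = compare(entries)
    print("reference:", ref["path"], ref["md5"])
    for r in report:
        flag = "OK " if r["md5_matches_reference"] else "DIFF"
        print(flag, r["path"], "(uninstall backup)" if r["is_uninstall_backup"] else "")
```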

#15 MiztaMike

  • Topic Starter
  • Members
  • 13 posts

Posted 28 May 2009 - 10:42 PM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-28 20:39:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8802EC60 ZwCreateKey
SSDT 8802E160 ZwCreateProcess
SSDT 8802E420 ZwCreateProcessEx
SSDT 8802FAC0 ZwCreateThread
SSDT 8802F1E0 ZwDeleteKey
SSDT 8802F4A0 ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xF72B584C]
SSDT sptd.sys ZwEnumerateValueKey [0xF72B5BEC]
SSDT 8802FC60 ZwLoadDriver
SSDT sptd.sys ZwOpenKey [0xF72B0090]
SSDT 8802E6E0 ZwOpenProcess
SSDT sptd.sys ZwQueryKey [0xF72B5CC4]
SSDT sptd.sys ZwQueryValueKey [0xF72B5B44]
SSDT 8802EF20 ZwSetValueKey
SSDT 8802E9A0 ZwTerminateProcess
SSDT 8802F920 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FC8 80504864 4 Bytes JMP ABF4D06B
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F68CF8AC 5 Bytes JMP 89EF5960
? System32\Drivers\adifb3y5.SYS The system cannot find the path specified. !
? C:\WINDOWS\TEMP\mc21.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[368] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\iPod\bin\iPodService.exe[388] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[400] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[512] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\HP\QuickPlay\QPService.exe[564] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe[632] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[664] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[700] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\ehome\ehtray.exe[712] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\ehome\ehtray.exe[712] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\ehome\ehtray.exe[712] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\ehome\ehtray.exe[712] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\ehome\ehtray.exe[712] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\ehome\ehtray.exe[712] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\ehome\ehtray.exe[712] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\ehome\ehtray.exe[712] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\ehome\ehtray.exe[712] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\ehome\ehtray.exe[712] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\ehome\ehtray.exe[712] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[872] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[872] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[872] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[872] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\ctfmon.exe[872] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\ctfmon.exe[872] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\ctfmon.exe[872] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\system32\ctfmon.exe[872] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[872] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[872] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[872] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\iTunes\iTunesHelper.exe[992] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[992] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[992] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[992] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[992] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[992] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[992] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[992] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[992] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\iTunes\iTunesHelper.exe[992] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\iTunes\iTunesHelper.exe[992] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\Explorer.EXE[1096] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[1096] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1096] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1096] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\Explorer.EXE[1096] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[1096] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[1096] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\Explorer.EXE[1096] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1096] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\Explorer.EXE[1096] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1096] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1276] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\eHome\ehmsas.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1316] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1316] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\eHome\ehmsas.exe[1316] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1316] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1316] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1316] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1316] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\WINDOWS\eHome\ehmsas.exe[1316] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\eHome\ehmsas.exe[1316] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\WINDOWS\eHome\ehmsas.exe[1316] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\eHome\ehmsas.exe[1316] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jusched.exe[1388] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe[1492] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe[1660] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\dllhost.exe[2232] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe[2296] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\locator.exe[2404] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2432] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\alg.exe[2508] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\svchost.exe[2600] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe[2616] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text ...
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3164] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[3260] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[3280] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] kernel32.dll!ExitProcess 7C81CB12 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] GDI32.dll!EndPage 77F2DC61 6 Bytes JMP 5F190F5A
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] GDI32.dll!EndDoc 77F2DEF1 6 Bytes JMP 5F130F5A
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] GDI32.dll!StartPage 77F2F49E 6 Bytes JMP 5F160F5A
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] GDI32.dll!AbortDoc 77F44CD2 6 Bytes JMP 5F1C0F5A
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] GDI32.dll!StartDocW 77F45962 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] GDI32.dll!StartDocW + 4 77F45966 2 Bytes [11, 5F]
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] GDI32.dll!StartDocA 77F45E79 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\k\Desktop\6d5yw1co.exe[3356] GDI32.dll!StartDocA + 4 77F45E7D 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3400] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\mqtgsvc.exe[3596] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72B0ABA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72B0C00] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72B0B82] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72B172E] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72B1604] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72C3B9A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A9A81D8

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

Device \Driver\usbuhci \Device\USBPDO-0 8A908790
Device \Driver\usbuhci \Device\USBPDO-1 8A908790
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A9AA1D8
Device \Driver\dmio \Device\DmControl\DmConfig 8A9AA1D8
Device \Driver\dmio \Device\DmControl\DmPnP 8A9AA1D8
Device \Driver\dmio \Device\DmControl\DmInfo 8A9AA1D8
Device \Driver\usbuhci \Device\USBPDO-2 8A908790
Device \Driver\usbuhci \Device\USBPDO-3 8A908790
Device \Driver\usbehci \Device\USBPDO-4 8A8841D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2E59C014-38CF-4DFE-9F7B-C9BD56010E1F} 88643980

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A93A1D8
Device \Driver\Cdrom \Device\CdRom0 8A8821D8
Device \Driver\Cdrom \Device\CdRom1 8A8821D8
Device \Driver\iaStor \Device\Ide\iaStor0 8A9A91D8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 8A9A91D8
Device \Driver\00000109 \Device\00000066 sptd.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 88643980
Device \Driver\NetBT \Device\NetbiosSmb 88643980
Device \Driver\NetBT \Device\NetBT_Tcpip_{DDA19D5A-13D7-4710-9921-1835A049C035} 88643980

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 8A908790
Device \Driver\usbuhci \Device\USBFDO-1 8A908790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 885E2888
Device \Driver\usbuhci \Device\USBFDO-2 8A908790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 885E2888
Device \Driver\usbuhci \Device\USBFDO-3 8A908790
Device \Driver\usbehci \Device\USBFDO-4 8A8841D8
Device \Driver\Ftdisk \Device\FtControl 8A93A1D8
Device \Driver\adifb3y5 \Device\Scsi\adifb3y51 89E64980
Device \Driver\adifb3y5 \Device\Scsi\adifb3y51Port2Path0Target0Lun0 89E64980
Device \FileSystem\Cdfs \Cdfs 8850A980

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1823745297
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1624708065
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6B 0xB8 0xAB 0x99 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x94 0xDE 0x50 0x3B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x64 0x62 0x02 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6B 0xB8 0xAB 0x99 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x94 0xDE 0x50 0x3B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x64 0x62 0x02 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6B 0xB8 0xAB 0x99 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x94 0xDE 0x50 0x3B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x64 0x62 0x02 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BA5F1F0E-C381-98BB-9DCF-2D1A00C7C588}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BA5F1F0E-C381-98BB-9DCF-2D1A00C7C588}@iamlenafinkcjjddbp 0x66 0x61 0x63 0x6F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E272E672-6582-8BCB-29AD-2E5FC29CF9D4}

---- EOF - GMER 1.0.15 ----


DDS (Ver_09-05-14.01) - NTFSx86
Run by k at 20:39:58.43 on 2009-05-28
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1365 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\ijji\ENGLISH\u_gbound.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\k\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/webhp?complete=1&hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [OE] "c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172799228871
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174096892658
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-1-4 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-9-18 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-5 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2007-9-18 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2008-1-4 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-1-4 648456]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-6-17 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-6-17 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-17 21632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WinPhlash;WinPhlash;c:\swsetup\sp42187\swinflash\PhlashNT.sys [2006-9-6 31616]

=============== Created Last 30 ================

2009-05-26 16:46 <DIR> --d----- c:\program files\Cheat Engine
2009-05-25 02:30 <DIR> --d----- c:\program files\3DO
2009-05-21 08:34 <DIR> --d----- c:\program files\NHN USA
2009-05-17 22:27 <DIR> --dsh--- c:\documents and settings\k\IECompatCache
2009-05-05 21:02 <DIR> --d----- c:\program files\Panda Security
2009-05-04 23:59 <DIR> --d----- c:\program files\LimeWire
2009-05-03 20:29 <DIR> --d----- c:\docume~1\k\applic~1\Malwarebytes
2009-05-03 20:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 20:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-03 00:05 <DIR> --d----- c:\program files\iPod
2009-05-03 00:05 <DIR> --d----- c:\program files\iTunes
2009-05-03 00:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-01 14:14 <DIR> --dsh--- c:\documents and settings\k\PrivacIE
2009-04-30 15:06 <DIR> --dsh--- c:\documents and settings\k\IETldCache

==================== Find3M ====================

2006-12-04 11:09 0 -c-sh--- c:\windows\sminst\HPCD.SYS
2008-11-24 00:58 32,768 a--sh--- c:\windows\system32\config\systemprofile\history\history.ie5\mshist012008112320081124\index.dat
2008-11-24 01:09 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-14 11:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat
2008-11-24 00:58 16,384 a--sh--- c:\windows\system32\config\systemprofile\temporary internet files\content.ie5\index.dat

============= FINISH: 20:40:31.67 ===============
