Search engine redirects
16 replies to this topic

#1 The1337
Posted 28 June 2009 - 01:13 AM

When I search on google or yahoo, they sometimes redirect to a random site, and then redirect to another site. Sometimes it brings me to a legitimate though sketchy site and other times it sends me to a site filled with viruses. Other times, the website doesn't even work. The weird thing is that sometimes I can go to all the links the search provides successfully, but if I search again or refresh, all the links redirect. Bing searches all work, but google and yahoo don't.


DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 23:01:07.93 on Sat 06/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.338 [GMT -7:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Opera\opera.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [Google Update] "c:\documents and settings\hp_administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe"
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\santa.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2010\klwtbbho.dll
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\ucznkpyu.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\mozilla firefox\components\SABFF20.DLL
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\NPOFF12.DLL
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\opera 10\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM1.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM2.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM3.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM5.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npmmaud.dll
FF - plugin: c:\program files\opera\program\plugins\npmmprog.dll
FF - plugin: c:\program files\opera\program\plugins\npmmvid.dll
FF - plugin: c:\program files\opera\program\plugins\npmmzip.dll
FF - HiddenExtension: XUL Cache: No Registry Reference - c:\program files\mozilla firefox\extensions\{7D05BEBD-C0E3-4537-B648-0F7D85D67D80}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-5-24 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-2-19 127744]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-6-25 296976]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-5-26 198224]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-5-26 31824]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-5-26 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2010\avp.exe [2009-5-25 303376]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-5-26 361672]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-5-26 3264200]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-15 40160]

=============== Created Last 30 ================

2009-06-27 22:56 161,792 a------- c:\windows\SWREG.exe
2009-06-27 22:56 155,136 a------- c:\windows\PEV.exe
2009-06-27 22:56 98,816 a------- c:\windows\sed.exe
2009-06-27 22:55 <DIR> --ds---- C:\ComboFix
2009-06-27 22:55 388,608 a------- c:\windows\system32\CF3993.exe
2009-06-27 14:38 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-25 22:08 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
2009-06-25 22:07 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-06-25 22:07 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-06-23 19:38 657,207 a------- c:\windows\Condition Zero Uninstaller.exe
2009-06-23 19:34 <DIR> --d----- C:\Valve
2009-06-19 19:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-06-15 09:50 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 09:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-12 22:12 <DIR> --d----- c:\program files\Call of Duty
2009-06-12 22:11 745 a------- c:\windows\CoD.INI
2009-06-07 15:23 <DIR> --d----- c:\program files\Opera 10 Beta
2009-06-04 17:45 129,784 -------- c:\windows\system32\pxafs.dll
2009-06-04 17:45 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-06-04 17:45 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-06-01 23:24 <DIR> --d----- C:\SAVE
2009-06-01 23:21 56 a------- c:\windows\sierra.ini
2009-06-01 23:21 <DIR> --d----- c:\program files\Sierra On-Line
2009-06-01 23:20 <DIR> --d----- C:\Sierra
2009-06-01 23:17 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-06-01 23:08 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\DAEMON Tools Lite
2009-06-01 23:04 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-06-01 22:49 <DIR> --d----- c:\program files\WinUHA
2009-06-01 17:11 258,352 a------- c:\windows\system32\Unicows.dll
2009-06-01 17:11 224,016 a------- c:\windows\system32\TABCTL32.OCX
2009-06-01 17:11 140,288 a------- c:\windows\system32\COMDLG32.OCX
2009-06-01 17:11 1,315 a------- c:\docume~1\hp_adm~1\applic~1\pic18.exe
2009-05-31 11:39 68,424 a------- c:\windows\system32\drivers\GRD.sys
2009-05-31 08:59 50,632 a------- c:\windows\system32\drivers\MiniIcpt.sys
2009-05-31 08:58 51,016 a------- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-05-31 08:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\G DATA
2009-05-31 08:55 <DIR> --d----- c:\program files\G Data
2009-05-31 08:55 <DIR> --d----- c:\program files\common files\G DATA

==================== Find3M ====================

2009-05-25 05:21 219,664 a------- c:\windows\system32\klogon.dll
2009-05-25 05:18 27,507 a------- c:\windows\system32\drivers\klopp.dat
2009-05-24 15:30 128,016 a------- c:\windows\system32\drivers\kl1.sys
2009-05-16 20:59 19,472 a------- c:\windows\system32\drivers\klmouflt.sys
2009-05-13 17:46 31,760 a------- c:\windows\system32\drivers\klim5.sys
2009-05-07 08:44 344,064 -------- c:\windows\system32\localspl.dll
2009-05-07 08:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-02 11:20 78,280 a------- c:\windows\hpfins05.dat
2009-05-01 14:03 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-05-01 14:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 14:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 14:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 14:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 14:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 14:02 685,056 a------- c:\windows\system32\DivX.dll
2009-05-01 13:54 231,176 a------- c:\windows\system32\PDBoot.exe
2009-04-28 23:21 1,769 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_EX272AA-ABA a1520n_YC_0Pavi_QCNH623_E63NAemMPA2_48_INAGAMI2_SASUSTek Computer INC._V2.00_B3.11_T060919_WXP2_L409_M959_J250_7AMD_8Athlon 64 X2 Dual Core_92_#060904_N_Z11C10620_G10DE0241.MRK
2009-04-27 02:29 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-04-20 14:27 27,612 a------- c:\windows\syscall.dat
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 02:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-16 22:24 4,096 a------- c:\windows\d3dx.dat
2009-04-15 13:24 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-15 08:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 08:11 584,192 a------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-15 12:35 2,150,400 a------- c:\documents and settings\hp_administrator\X2.exe
2008-10-23 17:40 291,255 a---hr-- c:\program files\Norton2009Reset.exe
2008-08-24 17:21 87,608 a------- c:\docume~1\hp_adm~1\applic~1\inst.exe
2008-08-24 17:21 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2008-06-02 22:28 604 a---h--- c:\program files\STLL Notifier
2008-01-14 00:04 61,440 a------- c:\documents and settings\hp_administrator\cpil.dll
2008-01-12 22:46 96,374 a------- c:\docume~1\alluse~1\applic~1\firstlsp.reg.dat
2007-11-16 17:20 48 a------- c:\documents and settings\hp_administrator\Settings.dat
2006-10-24 20:24 518 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
1997-05-16 09:52 32,528 a------- c:\documents and settings\hp_administrator\OLEPRO32.DLL
1997-05-16 09:52 271,632 a------- c:\documents and settings\hp_administrator\MSVCRT.DLL
1997-05-16 09:52 939,792 a------- c:\documents and settings\hp_administrator\MFC42U.DLL
1997-05-16 09:52 941,840 a------- c:\documents and settings\hp_administrator\MFC42.DLL
1997-05-16 09:52 330,512 a------- c:\documents and settings\hp_administrator\MSPAINT.EXE

============= FINISH: 23:03:19.43 ===============
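The log above is what a helper on this board works from, and the first pass is always the same: compare a handful of persistence points against known-good values rather than reading 300 lines top to bottom. The script below is an added example for this thread, not code from DDS, GooredFix or any poster. It understands only the line shapes visible in the logs here ("Pseudo HJT Report", FIREFOX and "Created Last 30" sections) and flags: a Winlogon Userinit value that chains anything besides userinit.exe (Windows registers exactly `userinit.exe,` there; the trailing comma is normal, a second executable is not); script files in a Startup folder; CLSID entries whose file is gone ("No File", usually uninstall leftovers, noted rather than alarmed on); hidden Firefox extensions with no registry reference, excluding the "Java Console" ones the Sun JRE installs the same way; and hidden directories created under system32. The sample strings are constructed from lines quoted in the first DDS log above and, for the "after" sample, the second DDS log posted later in this thread; the function names, the kind labels and the `compare` step are my own. On these samples it reports sdra64.exe in Userinit, santa.bat and the orphaned toolbar CLSID as persisting across both logs, the "XUL Cache" extension as gone after GooredFix, and it stays quiet on the Java Console entries. sdra64.exe is not a Windows component, and that file name next to a hidden system32\lowsec directory is a well-documented Zbot (Zeus) banking-trojan indicator.

```python
"""DDS log triage: flag the persistence points a responder checks first.

Added example for this thread; not part of DDS, GooredFix or any post here.
It understands only the line shapes visible in the thread's logs.
"""
import re
from dataclasses import dataclass

# Windows registers exactly one loader in HKLM\...\Winlogon\Userinit:
# "C:\WINDOWS\system32\userinit.exe," (trailing comma is normal). Anything
# chained after it runs at every interactive logon.
EXPECTED_USERINIT = {"userinit.exe"}

# The Sun JRE installs "Java Console" as a hidden Firefox extension in the same
# {CAFEEFAC-...} folder style, so it is allow-listed rather than flagged.
BENIGN_HIDDEN_EXTENSIONS = {"Java Console"}

USERINIT = re.compile(r"mWinlogon:\s*Userinit=(.*)$", re.I)
SCRIPT_IN_STARTUP = re.compile(r"StartupFolder:.*\.(bat|cmd|vbs|js)$", re.I)
HIDDEN_EXT = re.compile(r"FF - HiddenExtension: (.+?): No Registry Reference - (.+)$")
# "2009-06-27 14:38 <DIR> --dsh--- c:\windows\system32\lowsec": attrs, then path
CREATED_DIR = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d\s+<DIR>\s+(\S+)\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str

    def __str__(self):
        return f"[{self.kind}] {self.detail}"


def _basename(path):
    return path.strip().rsplit("\\", 1)[-1]


def triage(log_text):
    """Return the Findings for one DDS log (or any subset of its lines)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := USERINIT.match(line):
            chained = [_basename(p).lower() for p in m.group(1).split(",") if p.strip()]
            for exe in chained:
                if exe not in EXPECTED_USERINIT:
                    findings.append(Finding("userinit-chain", exe))
        elif SCRIPT_IN_STARTUP.match(line):
            findings.append(Finding("startup-script", _basename(line)))
        elif line.endswith(" - No File"):
            # Orphaned CLSID: registration survived, DLL is gone. Usually an
            # uninstall leftover; worth noting, not an alarm on its own.
            findings.append(Finding("orphan-clsid", line[: -len(" - No File")]))
        elif m := HIDDEN_EXT.match(line):
            name, path = m.group(1), m.group(2)
            if name not in BENIGN_HIDDEN_EXTENSIONS:
                findings.append(Finding("ff-hidden-ext", f"{name} @ {_basename(path)}"))
        elif m := CREATED_DIR.match(line):
            attrs, path = m.group(1), m.group(2)
            if "h" in attrs and "\\system32\\" in path.lower():
                findings.append(Finding("hidden-system32-dir", _basename(path)))
    return findings


def compare(before_text, after_text):
    """Diff two runs so a persisting finding is not mistaken for a fixed one."""
    before = {str(f) for f in triage(before_text)}
    after = {str(f) for f in triage(after_text)}
    return {
        "persisting": sorted(before & after),
        "removed": sorted(before - after),
        "new": sorted(after - before),
    }


# Constructed from lines quoted in the first DDS log in this thread.
SAMPLE_BEFORE = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\santa.bat
FF - HiddenExtension: XUL Cache: No Registry Reference - c:\program files\mozilla firefox\extensions\{7D05BEBD-C0E3-4537-B648-0F7D85D67D80}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
"""
# Also from the first log's "Created Last 30" section.
SAMPLE_CREATED_DIR = r"2009-06-27 14:38 <DIR> --dsh--- c:\windows\system32\lowsec"

# Constructed from the corresponding lines of the second DDS log in this thread
# (posted after GooredFix was run).
SAMPLE_AFTER = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\santa.bat
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_BEFORE + SAMPLE_CREATED_DIR):
        print(f)
    for bucket, items in compare(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(bucket, items)
```

The `compare` step is the part that matters when a tool has been run in between: GooredFix removed the hidden "XUL Cache" extension, which is exactly the kind of change the second log confirms, but the Userinit chain is untouched by it, so the redirect symptom surviving a clean GooredFix log is expected rather than surprising. A finding that disappears only because its section is missing from the second log (the second DDS log in this thread is cut off before "Created Last 30") is not evidence of cleanup, which is why the directory line is kept as a separate sample here.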


#2 jpshortstuff
Posted 30 June 2009 - 11:01 AM

Hi,

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Let me know if the redirects have gone after that, and also post a new DDS log (DDS.txt).

#3 The1337
Posted 30 June 2009 - 11:24 AM

GooredFix v1.92 by jpshortstuff
Log created at 09:22 on 30/06/2009 running Option #2 (HP_Administrator)
Firefox version 3.0.11 (en-US)
(Subsequent Run)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


DDS.txt


DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 9:15:02.85 on Tue 06/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.419 [GMT -7:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\arservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\System32\wudfhost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\JetAudio\jetAudio.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [Google Update] "c:\documents and settings\hp_administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\santa.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\ucznkpyu.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\mozilla firefox\components\SABFF20.DLL
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\NPOFF12.DLL
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\opera 10\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM1.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM2.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM3.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM5.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npmmaud.dll
FF - plugin: c:\program files\opera\program\plugins\npmmprog.dll
FF - plugin: c:\program files\opera\program\plugins\npmmvid.dll
FF - plugin: c:\program files\opera\program\plugins\npmmzip.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-5-24 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-28 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-28 46864]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-2-19 127744]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-6-29 296976]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-5-25 303376]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-28 33552]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-15 40160]

=============== Created Last 30 ================

2009-06-29 19:23 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-06-29 19:23 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-06-28 09:00 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-28 09:00 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-28 09:00 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-27 22:56 161,792 a------- c:\windows\SWREG.exe
2009-06-27 22:56 155,136 a------- c:\windows\PEV.exe
2009-06-27 22:56 98,816 a------- c:\windows\sed.exe
2009-06-27 22:55 <DIR> --ds---- C:\ComboFix
2009-06-27 22:55 388,608 a------- c:\windows\system32\CF3993.exe
2009-06-23 19:38 657,207 a------- c:\windows\Condition Zero Uninstaller.exe
2009-06-23 19:34 <DIR> --d----- C:\Valve
2009-06-19 19:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-06-15 09:50 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 09:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-12 22:12 <DIR> --d----- c:\program files\Call of Duty
2009-06-12 22:11 745 a------- c:\windows\CoD.INI
2009-06-08 12:07 232,200 a------- c:\windows\system32\PDBoot.exe
2009-06-08 10:00 71,696 a------- c:\windows\system32\drivers\DefragFs.sys
2009-06-07 15:23 <DIR> --d----- c:\program files\Opera 10 Beta
2009-06-04 17:45 129,784 -------- c:\windows\system32\pxafs.dll
2009-06-04 17:45 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-06-04 17:45 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-06-01 23:24 <DIR> --d----- C:\SAVE
2009-06-01 23:21 56 a------- c:\windows\sierra.ini
2009-06-01 23:21 <DIR> --d----- c:\program files\Sierra On-Line
2009-06-01 23:20 <DIR> --d----- C:\Sierra
2009-06-01 23:17 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-06-01 23:08 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\DAEMON Tools Lite
2009-06-01 23:04 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-06-01 22:49 <DIR> --d----- c:\program files\WinUHA
2009-06-01 17:11 258,352 a------- c:\windows\system32\Unicows.dll
2009-06-01 17:11 224,016 a------- c:\windows\system32\TABCTL32.OCX
2009-06-01 17:11 140,288 a------- c:\windows\system32\COMDLG32.OCX
2009-06-01 17:11 1,315 a------- c:\docume~1\hp_adm~1\applic~1\pic18.exe
2009-05-31 11:39 68,424 a------- c:\windows\system32\drivers\GRD.sys

==================== Find3M ====================

2009-05-31 08:59 50,632 a------- c:\windows\system32\drivers\MiniIcpt.sys
2009-05-31 08:58 51,016 a------- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-05-25 05:21 219,664 a------- c:\windows\system32\klogon.dll
2009-05-25 05:18 27,507 a------- c:\windows\system32\drivers\klopp.dat
2009-05-24 15:30 128,016 a------- c:\windows\system32\drivers\kl1.sys
2009-05-16 20:59 19,472 a------- c:\windows\system32\drivers\klmouflt.sys
2009-05-13 17:46 31,760 a------- c:\windows\system32\drivers\klim5.sys
2009-05-07 08:44 344,064 -------- c:\windows\system32\localspl.dll
2009-05-07 08:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-02 11:20 78,280 a------- c:\windows\hpfins05.dat
2009-05-01 14:03 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-05-01 14:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 14:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 14:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 14:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 14:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 14:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-27 02:29 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-04-20 14:27 27,612 a------- c:\windows\syscall.dat
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 02:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-16 22:24 4,096 a------- c:\windows\d3dx.dat
2009-04-15 13:24 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-15 08:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 08:11 584,192 a------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-15 12:35 2,150,400 a------- c:\documents and settings\hp_administrator\X2.exe
2008-10-23 17:40 291,255 a---hr-- c:\program files\Norton2009Reset.exe
2008-08-24 17:21 87,608 a------- c:\docume~1\hp_adm~1\applic~1\inst.exe
2008-08-24 17:21 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2008-06-02 22:28 604 a---h--- c:\program files\STLL Notifier
2008-01-14 00:04 61,440 a------- c:\documents and settings\hp_administrator\cpil.dll
2008-01-12 22:46 96,374 a------- c:\docume~1\alluse~1\applic~1\firstlsp.reg.dat
2007-11-16 17:20 48 a------- c:\documents and settings\hp_administrator\Settings.dat
2006-10-24 20:24 518 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
1997-05-16 09:52 32,528 a------- c:\documents and settings\hp_administrator\OLEPRO32.DLL
1997-05-16 09:52 271,632 a------- c:\documents and settings\hp_administrator\MSVCRT.DLL
1997-05-16 09:52 939,792 a------- c:\documents and settings\hp_administrator\MFC42U.DLL
1997-05-16 09:52 941,840 a------- c:\documents and settings\hp_administrator\MFC42.DLL
1997-05-16 09:52 330,512 a------- c:\documents and settings\hp_administrator\MSPAINT.EXE

============= FINISH: 9:18:24.39 ===============


So far all redirects have stopped

#4 jpshortstuff (WhatTheTech Teacher; Members, 660 posts; Gender: Male; Location: UK; Local time: 09:19 AM)

Posted 30 June 2009 - 11:37 AM

Hi,

Just a few things left to clear up.

Please download OTM by OldTimer.
  • Save it to your desktop.
  • Please click OTM and then click >> run.
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe

:files
c:\windows\system32\sdra64.exe

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon]
"Userinit"=c:\windows\system32\userinit.exe,
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"C4069E3A-68F1-403E-B40E-20066696354B"=-

:Commands
[emptytemp]
[Reboot]
  • Return to OTM, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Let me know how things are running after that, and post another DDS log so I can check everything is gone.

Edited by jpshortstuff, 30 June 2009 - 11:37 AM.

Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.
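Added example, not code from this thread, from DDS or from OTM: a small Python checker that reads DDS "Pseudo HJT Report" lines and flags the kinds of entries the OTM script above targets, namely extra executables chained onto the Winlogon Userinit value and ShellExecuteHook or toolbar registrations whose file is gone ("No File"). The sample lines are constructed, modelled on the log in this thread; the EXPECTED_USERINIT set is an assumption (the stock XP value).

```python
"""Triage helper for DDS "Pseudo HJT Report" output (added example, not part
of the original thread). It parses the report lines and returns findings a
helper would look at before writing an OTM fix: Userinit chaining and
orphaned hooks/toolbars."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: on a stock Windows XP install Winlogon's Userinit value holds
# exactly this one loader. Anything chained after it runs at every logon.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

# Constructed sample, modelled on the DDS lines posted in this thread.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mWinlogon: Userinit=c:\windows\system32\userinit.exe,
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "userinit-extra", "seh-orphan", "tb-orphan" or "bho-orphan"
    detail: str  # the offending path or CLSID
    line: str    # the DDS line it came from


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit value into its comma-separated entries, normalised to
    lower case; the conventional trailing comma yields an empty element that
    is dropped."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def check_dds_lines(lines: Iterable[str]) -> List[Finding]:
    """Scan DDS report lines and collect the entries worth a second look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        # 1. Winlogon Userinit (uWinlogon = per-user, mWinlogon = machine).
        #    Every entry beyond the stock loader is reported.
        m = re.match(r"^[um]Winlogon:\s*Userinit=(.*)$", line, re.IGNORECASE)
        if m:
            for entry in parse_userinit(m.group(1)):
                if entry not in EXPECTED_USERINIT:
                    findings.append(Finding("userinit-extra", entry, line))
            continue

        # 2. Registrations DDS could not resolve to a file on disk. A hook or
        #    toolbar CLSID left behind after its DLL was removed is a typical
        #    remnant and is what the OTM ":reg" section above deletes.
        m = re.match(r"^(SEH|TB|BHO):\s*(.*?)\s*-\s*No File$", line)
        if m:
            findings.append(
                Finding(f"{m.group(1).lower()}-orphan", m.group(2), line))
    return findings


def summarise(findings: Iterable[Finding]) -> str:
    """One line per finding, in the order found."""
    return "\n".join(f"{f.kind}: {f.detail}" for f in findings)


if __name__ == "__main__":
    print(summarise(check_dds_lines(SAMPLE_DDS.splitlines())))
```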

#5 The1337 (Topic Starter; Members, 9 posts; Local time: 03:19 AM)

Posted 30 June 2009 - 02:07 PM

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder c:\windows\system32\sdra64.exe not found.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\\"Userinit"|c:\windows\system32\userinit.exe, /E :invalid edit format. Invalid data type.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{4F07DA45-8170-4859-9B5F-037EF2970034} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F07DA45-8170-4859-9B5F-037EF2970034}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\C4069E3A-68F1-403E-B40E-20066696354B not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 31612 bytes
->Temporary Internet Files folder emptied: 80972 bytes

User: All Users
->Temp folder emptied: 6465571 bytes

User: Default User
->Temp folder emptied: 31612 bytes
->Temporary Internet Files folder emptied: 80972 bytes

User: HP_Administrator
->Temp folder emptied: 874842897 bytes
->Temporary Internet Files folder emptied: 105720654 bytes
->Java cache emptied: 7932901 bytes
->FireFox cache emptied: 6931168 bytes
->Google Chrome cache emptied: 7567451 bytes
->Apple Safari cache emptied: 5939674 bytes
->Opera cache emptied: 1152110574 bytes

User: HP_Administrator.COMPUTER.000
->Temp folder emptied: 190973457 bytes
->Temporary Internet Files folder emptied: 65799728 bytes
->Java cache emptied: 13615817 bytes
->FireFox cache emptied: 7940972 bytes

User: HP_Administrator.FAMILYCOMPUTER
->Temp folder emptied: 462184412 bytes
->Temporary Internet Files folder emptied: 1277228363 bytes
->Java cache emptied: 7692820 bytes
->FireFox cache emptied: 11937010 bytes
->Google Chrome cache emptied: 10773419 bytes
->Opera cache emptied: 140230574 bytes

User: HP_Administrator.MYCOMPUTER
->Temp folder emptied: 81003224 bytes
->Temporary Internet Files folder emptied: 23938205 bytes
->FireFox cache emptied: 2793408 bytes

User: HP_ADM~1~FAM

User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 1059968 bytes
->Temporary Internet Files folder emptied: 18526813 bytes

User: NetworkService
->Temp folder emptied: 1084388 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 1211910 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\CD95F661A5C444F5A6AAECDD91C240B5.TMP folder deleted successfully.
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 3553081 bytes
%systemroot%\System32 .tmp files removed: 21273105 bytes
Windows Temp folder emptied: 877851320 bytes

RecycleBin emptied: 4123057503 bytes

Total Files Cleaned = 878.84 mb


OTM by OldTimer - Version 3.0.0.2 log created on 06302009_114642

Files moved on Reboot...

Registry entries deleted on Reboot...



DDS.txt


DDS (Ver_09-06-26.01) - NTFSx86
Run by HP_Administrator at 12:02:19.10 on Tue 06/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.490 [GMT -7:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\arservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Opera\opera.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [Google Update] "c:\documents and settings\hp_administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\santa.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\ucznkpyu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\mozilla firefox\components\SABFF20.DLL
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\hp_administrator\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\NPOFF12.DLL
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\opera 10 preview\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\opera 10\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM1.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM2.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM3.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM5.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npmmaud.dll
FF - plugin: c:\program files\opera\program\plugins\npmmprog.dll
FF - plugin: c:\program files\opera\program\plugins\npmmvid.dll
FF - plugin: c:\program files\opera\program\plugins\npmmzip.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-5-24 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-28 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-28 46864]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2009-2-19 127744]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-6-29 296976]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-5-25 303376]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-28 33552]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-15 40160]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-06-30 11:46 <DIR> --d----- C:\_OTM
2009-06-29 19:23 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-06-29 19:23 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-06-28 09:00 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-28 09:00 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-28 09:00 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-27 22:56 161,792 a------- c:\windows\SWREG.exe
2009-06-27 22:56 155,136 a------- c:\windows\PEV.exe
2009-06-27 22:56 98,816 a------- c:\windows\sed.exe
2009-06-27 22:55 <DIR> --ds---- C:\ComboFix
2009-06-27 22:55 388,608 a------- c:\windows\system32\CF3993.exe
2009-06-27 14:38 <DIR> --dsh--- c:\windows\system32\lowsec
2009-06-23 19:38 657,207 a------- c:\windows\Condition Zero Uninstaller.exe
2009-06-23 19:34 <DIR> --d----- C:\Valve
2009-06-19 19:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-06-15 09:50 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 09:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-12 22:12 <DIR> --d----- c:\program files\Call of Duty
2009-06-12 22:11 745 a------- c:\windows\CoD.INI
2009-06-08 12:07 232,200 a------- c:\windows\system32\PDBoot.exe
2009-06-08 10:00 71,696 a------- c:\windows\system32\drivers\DefragFs.sys
2009-06-07 15:23 <DIR> --d----- c:\program files\Opera 10 Beta
2009-06-04 17:45 129,784 -------- c:\windows\system32\pxafs.dll
2009-06-04 17:45 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-06-04 17:45 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-06-01 23:24 <DIR> --d----- C:\SAVE
2009-06-01 23:21 56 a------- c:\windows\sierra.ini
2009-06-01 23:21 <DIR> --d----- c:\program files\Sierra On-Line
2009-06-01 23:20 <DIR> --d----- C:\Sierra
2009-06-01 23:17 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-06-01 23:08 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\DAEMON Tools Lite
2009-06-01 23:04 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-06-01 22:49 <DIR> --d----- c:\program files\WinUHA
2009-06-01 17:11 258,352 a------- c:\windows\system32\Unicows.dll
2009-06-01 17:11 224,016 a------- c:\windows\system32\TABCTL32.OCX
2009-06-01 17:11 140,288 a------- c:\windows\system32\COMDLG32.OCX
2009-06-01 17:11 1,315 a------- c:\docume~1\hp_adm~1\applic~1\pic18.exe

==================== Find3M ====================

2009-05-31 11:39 68,424 a------- c:\windows\system32\drivers\GRD.sys
2009-05-31 08:59 50,632 a------- c:\windows\system32\drivers\MiniIcpt.sys
2009-05-31 08:58 51,016 a------- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-05-25 05:21 219,664 a------- c:\windows\system32\klogon.dll
2009-05-25 05:18 27,507 a------- c:\windows\system32\drivers\klopp.dat
2009-05-24 15:30 128,016 a------- c:\windows\system32\drivers\kl1.sys
2009-05-16 20:59 19,472 a------- c:\windows\system32\drivers\klmouflt.sys
2009-05-13 17:46 31,760 a------- c:\windows\system32\drivers\klim5.sys
2009-05-07 08:44 344,064 -------- c:\windows\system32\localspl.dll
2009-05-07 08:44 344,064 -------- c:\windows\system32\dllcache\localspl.dll
2009-05-02 11:20 78,280 a------- c:\windows\hpfins05.dat
2009-05-01 14:03 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-05-01 14:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 14:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 14:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 14:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 14:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 14:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-27 02:29 18,432 -------- c:\windows\system32\dllcache\iedw.exe
2009-04-20 14:27 27,612 a------- c:\windows\syscall.dat
2009-04-17 02:58 1,846,656 a------- c:\windows\system32\win32k.sys
2009-04-17 02:58 1,846,656 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-16 22:24 4,096 a------- c:\windows\d3dx.dat
2009-04-15 13:24 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-15 08:11 584,192 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 08:11 584,192 a------- c:\windows\system32\dllcache\rpcrt4.dll
2009-02-15 12:35 2,150,400 a------- c:\documents and settings\hp_administrator\X2.exe
2008-10-23 17:40 291,255 a---hr-- c:\program files\Norton2009Reset.exe
2008-08-24 17:21 87,608 a------- c:\docume~1\hp_adm~1\applic~1\inst.exe
2008-08-24 17:21 47,360 a------- c:\docume~1\hp_adm~1\applic~1\pcouffin.sys
2008-06-02 22:28 604 a---h--- c:\program files\STLL Notifier
2008-01-14 00:04 61,440 a------- c:\documents and settings\hp_administrator\cpil.dll
2008-01-12 22:46 96,374 a------- c:\docume~1\alluse~1\applic~1\firstlsp.reg.dat
2007-11-16 17:20 48 a------- c:\documents and settings\hp_administrator\Settings.dat
2006-10-24 20:24 518 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
1997-05-16 09:52 32,528 a------- c:\documents and settings\hp_administrator\OLEPRO32.DLL
1997-05-16 09:52 271,632 a------- c:\documents and settings\hp_administrator\MSVCRT.DLL
1997-05-16 09:52 939,792 a------- c:\documents and settings\hp_administrator\MFC42U.DLL
1997-05-16 09:52 941,840 a------- c:\documents and settings\hp_administrator\MFC42.DLL
1997-05-16 09:52 330,512 a------- c:\documents and settings\hp_administrator\MSPAINT.EXE

============= FINISH: 12:05:40.07 ===============

#6 jpshortstuff (WhatTheTech Teacher)

Posted 30 June 2009 - 02:14 PM

Hi,

Please run OTM again with this script:

:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon]
"Userinit"="c:\windows\system32\userinit.exe,"

It should only take a couple of seconds.

How are things running now?
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#7 The1337 (Topic Starter)

Posted 30 June 2009 - 02:31 PM

I just tried some searches on Opera, and had some redirects. It seems like there are only redirects after leaving the browser open for over 30 minutes.

#8 jpshortstuff (WhatTheTech Teacher)

Posted 30 June 2009 - 02:34 PM

Is it just Opera you are being redirected on? What kind of sites are you being redirected to?

You appear to have Malwarebytes' Anti-Malware on your system; I would recommend that you open it, update it, and then run a Quick Scan to see if it finds anything.

In addition, we should just check you don't have any Rootkits on your system.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Right-click gmer.exe and select Run As Administrator. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<-- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#9 The1337 (Topic Starter)

Posted 30 June 2009 - 11:13 PM

The problem only seems to occur for Opera and not Firefox. I ran a scan with Malwarebytes Anti-Malware, and it found some things. So far there haven't been any more redirects.

Somewhere in the middle of the GMER scan, my computer restarted and there was a serious error. I think it was scanning somewhere in the C:\Program Files\Windows

#10 jpshortstuff (WhatTheTech Teacher)

Posted 01 July 2009 - 03:06 AM

Can you please try GMER in Safe Mode (restart and tap F8 just before Windows begins loading)?

#11 The1337 (Topic Starter)

Posted 01 July 2009 - 11:49 AM

OK, I'll try that. The sites it redirected me to today were aahi.com, aesa-mw.org, aezz.net, bizrate.com, rnge.net, toseeka.com, and waterautomobile.com.

#12 The1337 (Topic Starter)

Posted 02 July 2009 - 10:19 AM

I ran a scan yesterday, but the save button disappeared and I couldn't save the log file, so I did another scan overnight. The log seems pretty sparse compared to the other scan, so I'm not sure if it actually scanned.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-02 07:18:43
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

INT 0x62 ? 86366BF8
INT 0x63 ? 862CAF00
INT 0x73 ? 86366BF8
INT 0x83 ? 86366BF8
INT 0x83 ? 86366BF8
INT 0x83 ? 86366BF8
INT 0xB4 ? 862CAF00

Code 860D5970 ZwEnumerateKey
Code 8619AC60 ZwFlushInstructionCache
Code 8619100E IofCallDriver
Code 8620863E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 86191013
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 86208643
PAGE ntoskrnl.exe!ZwEnumerateKey 805783A4 5 Bytes JMP 860D5974
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80585F1C 5 Bytes JMP 8619AC64
? spew.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6E4362C 5 Bytes JMP 862CA4E0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 863D92D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F76B3C4C] spew.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76B3CA0] spew.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7683042] spew.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F768313E] spew.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F76830C0] spew.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7683800] spew.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F76836D6] spew.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 862CA5E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7692E9C] spew.sys

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\WINDOWS\system32\cisvc.exe? (*** hidden *** ) [MANUAL] CiSvc <-- ROOTKIT !!!
Service C:\WINDOWS\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINDOWS\system32\imapi.exe? (*** hidden *** ) [MANUAL] ImapiService <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] PolicyAgent <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] ProtectedStorage <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\SKYNETrrljiwaq.sys (*** hidden *** ) [SYSTEM] SKYNETiwtuuesk <-- ROOTKIT !!!
Service C:\WINDOWS\system32\spoolsv.exe? (*** hidden *** ) [AUTO] Spooler <-- ROOTKIT !!!
Service C:\WINDOWS\System32\ups.exe? (*** hidden *** ) [MANUAL] UPS <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
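
As an added example (not part of the thread and not GMER's own code), the script below parses the line formats that appear in the GMER log above and ranks what they show together: several services reported hidden, including one whose image is a driver under system32\drivers, and IAT hooks in the disk (atapi.sys), PCI and keyboard (i8042prt.sys) drivers that all resolve to spew.sys, a module GMER could not read from disk. The embedded sample is abridged from the posted log, and the HIGH/MEDIUM/LOW labels are this example's own convention.

```python
"""Triage a GMER rootkit log: added example, not part of the thread or of GMER."""
import re
from collections import defaultdict

# Sample input abridged from the GMER log posted above (four of the nine
# hidden-service lines kept); everything below it is this example's own logic.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 86191013
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 86208643
PAGE ntoskrnl.exe!ZwEnumerateKey 805783A4 5 Bytes JMP 860D5974
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80585F1C 5 Bytes JMP 8619AC64
? spew.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6E4362C 5 Bytes JMP 862CA4E0
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 863D92D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F76B3C4C] spew.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F76B3CA0] spew.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7683042] spew.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F768313E] spew.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F76830C0] spew.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7683800] spew.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F76836D6] spew.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 862CA5E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7692E9C] spew.sys
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] PolicyAgent <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\SKYNETrrljiwaq.sys (*** hidden *** ) [SYSTEM] SKYNETiwtuuesk <-- ROOTKIT !!!
Service C:\WINDOWS\system32\spoolsv.exe? (*** hidden *** ) [AUTO] Spooler <-- ROOTKIT !!!
"""

# One pattern per GMER line type seen in the log.
CODE_PATCH = re.compile(r"^(?:\.text|PAGE)\s+(\S+)!(\S+)\s+([0-9A-F]+)\s+(\d+) Bytes JMP ([0-9A-F]+)")
MISSING_DRIVER = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
IAT_HOOK = re.compile(r"^IAT\s+(\S+?)\[([^!\]]+)!([^\]]+)\]\s+\[?([0-9A-F]+)\]?(?:\s+(\S+))?\s*$")
HIDDEN_SVC = re.compile(r"^Service\s+(.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)\s+<-- ROOTKIT")


def triage(log_text):
    """Parse the log into structured findings, keyed by the kind of evidence."""
    found = {"code_patches": [], "missing_drivers": [],
             "iat_hooks": defaultdict(list), "hidden_services": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := CODE_PATCH.match(line):
            found["code_patches"].append(
                {"module": m[1], "function": m[2], "at": m[3], "jmp_to": m[5]})
        elif m := MISSING_DRIVER.match(line):
            # GMER named a loaded module it could not open on disk.
            found["missing_drivers"].append(m[1].lower())
        elif m := IAT_HOOK.match(line):
            # Group by the module GMER resolved the hook address to, so that
            # one driver hooking many imports shows up as one finding.
            target = (m[5] or "<unresolved>").lower()
            found["iat_hooks"][target].append(
                {"driver": m[1].rsplit("\\", 1)[-1].lower(), "import": f"{m[2]}!{m[3]}"})
        elif m := HIDDEN_SVC.match(line):
            found["hidden_services"].append(
                {"name": m[3], "image": m[1].rstrip("?"), "start": m[2]})
    return found


def assess(found):
    """Rank the findings the way a helper reads this log. Severity labels are
    this example's own convention, not GMER's."""
    notes = []
    hidden = found["hidden_services"]
    if hidden:
        # Legitimate user-mode services can show as hidden when a kernel hook
        # (here on ZwEnumerateKey) distorts enumeration; a hidden driver
        # service is the rootkit's own loader and matters most.
        kernel = [s["name"] for s in hidden if s["image"].lower().endswith(".sys")]
        notes.append(("HIGH" if kernel else "MEDIUM",
                      f"{len(hidden)} hidden service(s); kernel-mode: {kernel or 'none'}"))
    for target, hooks in found["iat_hooks"].items():
        victims = sorted({h["driver"] for h in hooks})
        if target in found["missing_drivers"]:
            # Port I/O imports of the disk and keyboard drivers owned by a
            # module unreadable on disk: interposition below the file system.
            notes.append(("HIGH", f"{target} hooks {len(hooks)} import(s) in {victims} "
                                  "but could not be read from disk"))
        elif target != "<unresolved>":
            notes.append(("MEDIUM", f"{target} hooks {len(hooks)} import(s) in {victims}"))
        else:
            notes.append(("LOW", f"{len(hooks)} IAT entries in {victims} point to unnamed memory"))
    patched = [f'{p["module"]}!{p["function"]}' for p in found["code_patches"]]
    if patched:
        notes.append(("MEDIUM", f"inline JMP patches on {patched}"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(notes, key=lambda n: order[n[0]])


if __name__ == "__main__":
    for severity, message in assess(triage(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```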

#13 jpshortstuff (WhatTheTech Teacher)

Posted 02 July 2009 - 10:22 AM

Nope, that's the whole log. Looks like you've got a nasty Rootkit that's been hiding from us though.

Please delete any existing copies of ComboFix you have.

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If it doesn't work, please try in Safe Mode.

#14 The1337 (Topic Starter)

Posted 02 July 2009 - 12:58 PM

ComboFix 09-07-01.04 - HP_Administrator 07/02/2009 9:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.634 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Application Data\Adobe\crc.dat
c:\documents and settings\HP_Administrator\Application Data\inst.exe
c:\documents and settings\HP_Administrator\MSPAINT.EXE
c:\windows\Installer\b43fa.msi
c:\windows\Installer\b4400.msi
c:\windows\Installer\b4406.msi
c:\windows\Installer\b440c.msi
c:\windows\Installer\b5273.msi
c:\windows\Installer\b6e6b.msp
c:\windows\Installer\b8992b.msi
c:\windows\Installer\b8992f.msi
c:\windows\Installer\ba20b.msi
c:\windows\Installer\ba214.msi
c:\windows\Installer\ba21c.msi
c:\windows\Installer\ba225.msi
c:\windows\Installer\ba22d.msi
c:\windows\Installer\ba239.msi
c:\windows\Installer\ba240.msi
c:\windows\Installer\ba248.msi
c:\windows\Installer\ba250.msi
c:\windows\Installer\ba25d.msi
c:\windows\Installer\ba26f.msi
c:\windows\Installer\ba278.msi
c:\windows\Installer\ba280.msi
c:\windows\Installer\ba288.msi
c:\windows\Installer\ba290.msi
c:\windows\Installer\ba297.msi
c:\windows\Installer\ba29f.msi
c:\windows\Installer\ba2a7.msi
c:\windows\Installer\ba2a8.msi
c:\windows\Installer\be2f0.msi
c:\windows\Installer\c15e66.msi
c:\windows\Installer\c1e900.msi
c:\windows\Installer\c1e905.msi
c:\windows\Installer\cc22bf.msi
c:\windows\Installer\d1c8bb.msi
c:\windows\Installer\d3260.msi
c:\windows\Installer\d48b27.msp
c:\windows\Installer\d48b4e.msp
c:\windows\Installer\d48b66.msp
c:\windows\Installer\d48b7d.msp
c:\windows\Installer\d48cf7.msi
c:\windows\Installer\d70863.msi
c:\windows\Installer\d791ee.msi
c:\windows\Installer\dd6c0.msi
c:\windows\Installer\dde63d.msi
c:\windows\Installer\dde657.msi
c:\windows\Installer\dde660.msi
c:\windows\Installer\de78f7.msi
c:\windows\Installer\df3d4.msi
c:\windows\Installer\e28528.msp
c:\windows\Installer\e2852f.msi
c:\windows\Installer\e67af.msi
c:\windows\Installer\e7abe1.msp
c:\windows\Installer\e85a40.msi
c:\windows\Installer\e8c284.msi
c:\windows\Installer\e9600b.msi
c:\windows\Installer\e9997d.msi
c:\windows\Installer\ea0e.msp
c:\windows\Installer\eb0ce3.msi
c:\windows\Installer\f33f5.msi
c:\windows\Installer\f61b3.msi
c:\windows\Installer\fa45cf.msi
c:\windows\Installer\fceda4.msi
c:\windows\kb913800.exe
c:\windows\system32\drivers\SKYNETrrljiwaq.sys
c:\windows\system32\SKYNETanpxmqfw.dll
c:\windows\system32\SKYNETaqtkaatp.dat
c:\windows\system32\SKYNETavpyfvam.dat
c:\windows\system32\SKYNETbwtrpqji.dll
c:\windows\system32\SKYNETcxjndgye.dll
c:\windows\system32\SKYNETdltapuir.dat
c:\windows\system32\SKYNETdpuxfuwb.dat
c:\windows\system32\SKYNETeewivfvi.dll
c:\windows\system32\SKYNETgewyneju.dat
c:\windows\system32\SKYNETijpwmrfv.dat
c:\windows\system32\SKYNETjmxpkilm.dll
c:\windows\system32\SKYNETjtywmnmo.dat
c:\windows\system32\SKYNETlgnjsrqx.dat
c:\windows\system32\SKYNETlyduqbsk.dat
c:\windows\system32\SKYNETmpdrbrnf.dll
c:\windows\system32\SKYNETmqamppen.dll
c:\windows\system32\SKYNETmtlmtotp.dat
c:\windows\system32\SKYNETmuhirqod.dll
c:\windows\system32\SKYNETmxwxtqou.dll
c:\windows\system32\SKYNETolkftitu.dat
c:\windows\system32\SKYNEToqhxvrtq.dll
c:\windows\system32\SKYNETppvhykjo.dat
c:\windows\system32\SKYNETprtetews.dat
c:\windows\system32\SKYNETptgphjev.dat
c:\windows\system32\SKYNETpuyxegex.dll
c:\windows\system32\SKYNETpvgdmetb.dat
c:\windows\system32\SKYNETqoewnsmk.dat
c:\windows\system32\SKYNETqqornctk.dat
c:\windows\system32\SKYNETqvnvebkn.dat
c:\windows\system32\SKYNETrlrxmiqx.dll
c:\windows\system32\SKYNETrthwwyow.dat
c:\windows\system32\SKYNETseewexui.dll
c:\windows\system32\SKYNETsenvstbj.dat
c:\windows\system32\SKYNETtatsidet.dat
c:\windows\system32\SKYNETtkirikkw.dat
c:\windows\system32\SKYNETtmxwhrjk.dat
c:\windows\system32\SKYNETtpjmlmfm.dll
c:\windows\system32\SKYNETtvkkwvvp.dll
c:\windows\system32\SKYNETuypeqrch.dll
c:\windows\system32\SKYNETvcvndeup.dat
c:\windows\system32\SKYNETviuxylqi.dll
c:\windows\system32\SKYNETvkbpcimu.dll
c:\windows\system32\SKYNETwlpisvbv.dll
c:\windows\system32\SKYNETwmhuwvob.dll
c:\windows\system32\SKYNETxnivtvpy.dll
c:\windows\system32\SKYNETxwbuxtiv.dll
c:\windows\system32\SKYNETxweexbdr.dll
c:\windows\system32\SKYNETxynxwbvp.dll
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETiwtuuesk


((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.

2009-07-02 16:10 . 2009-07-02 16:10 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2009-07-01 04:18 . 2009-07-01 04:18 -------- d-----w- c:\program files\Sophos
2009-06-30 19:36 . 2009-06-30 19:36 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-30 18:46 . 2009-06-30 18:46 -------- d-----w- C:\_OTM
2009-06-30 02:34 . 2009-06-30 02:34 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-06-30 02:34 . 2009-06-30 02:34 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-06-30 02:34 . 2009-06-30 02:34 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-06-30 02:34 . 2009-06-30 02:34 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-06-30 02:34 . 2009-06-30 02:34 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-06-30 02:23 . 2009-06-30 02:23 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-06-30 02:23 . 2009-06-30 02:23 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-06-28 16:00 . 2009-06-19 21:37 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-06-28 16:00 . 2009-06-19 21:37 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-06-28 16:00 . 2009-06-19 21:37 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-06-24 19:58 . 2009-06-24 19:58 127872 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\uninstall.exe
2009-06-24 02:38 . 2009-06-24 02:38 657207 ----a-w- c:\windows\Condition Zero Uninstaller.exe
2009-06-24 02:34 . 2009-06-24 02:34 -------- d-----w- C:\Valve
2009-06-20 02:51 . 2009-06-20 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-06-20 02:46 . 2009-06-20 02:46 -------- d-----w- c:\program files\ArcSoft
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-16 06:35 . 2009-06-24 19:58 4183416 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-06-15 16:50 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 16:48 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-13 05:12 . 2009-06-14 01:11 -------- d-----w- c:\program files\Call of Duty
2009-06-08 19:07 . 2009-06-08 19:07 232200 ----a-w- c:\windows\system32\PDBoot.exe
2009-06-08 17:00 . 2009-06-08 17:00 71696 ----a-w- c:\windows\system32\drivers\DefragFs.sys
2009-06-07 22:23 . 2009-06-16 07:14 -------- d-----w- c:\program files\Opera 10 Beta
2009-06-05 00:45 . 2009-05-01 21:03 129784 ------w- c:\windows\system32\pxafs.dll
2009-06-05 00:45 . 2009-05-01 21:03 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-06-05 00:45 . 2009-05-01 21:03 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-06-04 16:00 . 2009-06-04 16:00 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.459\English\setup.exe
2009-06-02 23:28 . 2009-06-30 15:33 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-02 23:06 . 2009-07-01 03:30 -------- d-----w- c:\program files\Opera

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 16:51 . 2007-07-21 21:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-02 15:43 . 2007-08-10 23:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-30 19:37 . 2008-11-02 15:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 02:21 . 2008-08-04 01:46 -------- d-----w- c:\program files\Kaspersky Lab
2009-06-30 02:15 . 2007-08-26 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-06-29 17:00 . 2007-10-04 01:58 -------- d-----w- c:\program files\ThreatFire
2009-06-28 06:33 . 2008-03-01 22:51 -------- d-----w- c:\program files\SpywareBlaster
2009-06-26 06:07 . 2008-05-17 05:05 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-06-25 01:55 . 2009-05-01 00:32 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-24 02:05 . 2007-12-09 00:27 -------- d-----w- c:\program files\PowerISO
2009-06-23 22:36 . 2008-11-02 23:54 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-23 19:39 . 2006-12-27 18:41 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\ArcSoft
2009-06-20 02:55 . 2006-05-07 03:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-15 16:29 . 2007-08-24 02:03 -------- d-----w- c:\program files\CCleaner
2009-06-12 01:36 . 2008-02-10 00:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DivX
2009-06-11 10:06 . 2007-02-09 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-10 17:22 . 2008-12-10 22:21 2719920 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\Creative Software Update 1.02.01__\SoftwareUpdate_PCApp_LA_1_02_01.exe
2009-06-05 00:46 . 2007-11-24 23:25 -------- d-----w- c:\program files\DivX
2009-06-05 00:42 . 2009-03-15 03:38 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-03 21:22 . 2009-05-31 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\G DATA
2009-06-03 21:22 . 2009-05-31 15:55 -------- d-----w- c:\program files\G Data
2009-06-03 21:22 . 2009-05-31 15:55 -------- d-----w- c:\program files\Common Files\G DATA
2009-06-02 23:17 . 2006-12-23 06:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-02 06:21 . 2009-06-02 06:21 -------- d-----w- c:\program files\Sierra On-Line
2009-06-02 06:18 . 2009-06-02 06:08 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DAEMON Tools Lite
2009-06-02 06:17 . 2009-06-02 06:17 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-06-02 06:17 . 2009-03-13 22:12 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-06-02 06:04 . 2009-06-02 06:04 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-02 05:49 . 2009-06-02 05:49 -------- d-----w- c:\program files\WinUHA
2009-06-02 05:24 . 2009-06-02 00:11 1315 ----a-w- c:\documents and settings\HP_Administrator\Application Data\pic18.exe
2009-06-02 05:24 . 2009-06-02 00:11 1315 ----a-w- c:\documents and settings\HP_Administrator\Application Data\pic18.exe
2009-06-02 00:11 . 2007-03-01 04:05 -------- d-----w- c:\program files\Deskshare
2009-05-31 18:39 . 2009-05-31 18:39 68424 ----a-w- c:\windows\system32\drivers\GRD.sys
2009-05-31 15:59 . 2009-05-31 15:59 50632 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2009-05-31 15:58 . 2009-05-31 15:58 51016 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2009-05-29 02:12 . 2007-11-06 04:01 -------- d-----w- c:\program files\Raxco
2009-05-27 01:58 . 2009-05-27 01:58 -------- d-----w- c:\program files\Tukero[X]Team
2009-05-26 02:58 . 2009-05-26 02:58 -------- d-----w- c:\program files\LucasArts
2009-05-25 12:21 . 2009-05-25 12:21 219664 ----a-w- c:\windows\system32\klogon.dll
2009-05-25 12:18 . 2009-05-25 12:18 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-05-24 22:30 . 2009-05-24 22:30 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-05-24 20:21 . 2009-05-24 20:21 -------- d-----w- c:\program files\Medieval Software
2009-05-24 03:22 . 2007-02-11 04:47 -------- d-----w- c:\program files\Microsoft Games
2009-05-22 04:55 . 2009-05-22 04:45 -------- d-----w- c:\program files\FLAC to MP3 Converter
2009-05-22 03:46 . 2009-04-17 22:58 -------- d-----w- c:\program files\Wondershare
2009-05-21 22:05 . 2009-02-08 06:53 -------- d-----w- c:\program files\Real Alternative
2009-05-17 03:59 . 2009-05-17 03:59 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-05-14 00:46 . 2009-05-14 00:46 31760 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-05-09 23:02 . 2009-05-09 23:02 -------- d-----w- c:\program files\Fortressmu
2009-05-08 04:53 . 2006-05-07 03:38 -------- d-----w- c:\program files\Hewlett-Packard
2009-05-07 15:44 . 2004-08-10 04:00 344064 ------w- c:\windows\system32\localspl.dll
2009-05-06 20:13 . 2009-02-05 03:31 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Creative
2009-05-06 20:11 . 2009-05-06 20:10 -------- d--h--w- c:\documents and settings\All Users\Application Data\{5334905D-AC76-4CD2-ABF3-A37CF6596FBB}
2009-05-06 20:04 . 2008-11-12 23:34 14917208 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\_p class=_MsoNormal_ style=_MARGIN_ 0in 0in 0pt__Creative ZEN X-Fi Starter Pack 1.03.01__\ZENXFI_PCApp_CLI_L4_1_03_01.exe
2009-05-06 20:02 . 2008-11-12 23:33 14781968 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\_p class=_MsoNormal_ style=_MARGIN_ 0in 0in 0pt__Creative ZEN X-Fi Starter Pack 1.03.01__\ZENXFI_PCApp_CLA_A4_1_03_01.exe
2009-05-06 20:00 . 2008-11-12 23:31 16945912 ----a-w- c:\documents and settings\All Users\Application Data\Creative\Software Update\cache\_p class=_MsoNormal_ style=_MARGIN_ 0in 0in 0pt__Creative ZEN X-Fi Starter Pack 1.03.01__\ZENXFI_PCApp_CLE_E6_1_03_01.exe
2009-05-02 18:20 . 2009-03-09 21:00 78280 ----a-w- c:\windows\hpfins05.dat
2009-05-01 21:03 . 2005-08-19 17:00 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-05-01 03:20 . 2006-05-07 03:30 88904 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-29 04:31 . 2004-08-10 04:00 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-29 04:26 . 2009-03-20 01:28 117760 ----a-w- c:\documents and settings\HP_Administrator.COMPUTER.000\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-04-20 21:27 . 2009-03-08 05:17 27612 ----a-w- c:\windows\syscall.dat
2009-04-20 16:59 . 2009-04-20 21:27 2667064 -c--a-w- c:\documents and settings\All Users\Application Data\{A269F35F-278A-4343-BE66-64698EED33E3}\AntiLogger_Setup.exe
2009-04-17 09:58 . 2004-08-10 04:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 05:24 . 2009-04-17 05:24 4096 ----a-w- c:\windows\d3dx.dat
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-04-15 15:11 . 2004-08-10 04:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2008-06-03 05:28 . 2008-06-03 05:28 604 ---ha-w- c:\program files\STLL Notifier
2004-05-07 22:31 . 2006-12-23 06:15 348160 ----a-w- c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 . 2006-12-23 06:15 139264 ----a-r- c:\program files\mozilla firefox\components\SABFF20.DLL
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-08-13 405504]
"Google Update"="c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-25 7311360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-29 185896]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-06-19 259344]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-05-25 303376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-01-25 1519616]

c:\documents and settings\HP_Administrator.COMPUTER.000\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-19 576000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-5-6 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Valve\\Condition Zero\\hl.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [6/28/2009 9:00 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [6/28/2009 9:00 AM 46864]
R1 archlp;archlp;c:\windows\system32\drivers\ArcHlp.sys [2/19/2009 2:22 PM 127744]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 5:17 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 55024]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [6/28/2009 9:00 AM 33552]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 4:42 AM 64000]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\222.tmp --> c:\windows\system32\222.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2707390959-1954553179-3038260364-1008.job
- c:\documents and settings\HP_Administrator.FAMILYCOMPUTER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:54]

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849459599-35217745-1513262520-1008Core.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-12 18:55]

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-849459599-35217745-1513262520-1008UA.job
- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-12 18:55]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
IE: {{4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
IE: {{CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\ucznkpyu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - http:/www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\HP_Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 09:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\222.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(964)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll

- - - - - - - > 'lsass.exe'(1020)
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(1744)
c:\program files\ThreatFire\TFWAH.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\arservice.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\ThreatFire\TFService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-07-02 10:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-02 17:06

Pre-Run: 55,828,303,872 bytes free
Post-Run: 82,516,574,208 bytes free

1049 --- E O F --- 2009-06-28 06:39

#15 jpshortstuff

jpshortstuff

    WhatTheTech Teacher


  • Members
  • 660 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:09:19 AM

Posted 03 July 2009 - 03:38 AM

Looks like ComboFix got it. Please run OTM again with this script:
:services
MEMSWEEP2

:Commands
[emptytemp]
[Reboot]
After it reboots, post the log, and let me know how your computer is running now.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.
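Added example, not part of the thread and not ComboFix or OTM code: a small triage script that reads the two parts of the ComboFix log the fix above acts on, the service key whose ImagePath points at a .tmp file and the list of DLLs loaded into running processes, and flags paths that an analyst normally wants to double-check before deciding what to remove (images with a .tmp extension, modules loaded from a Temp directory). The sample input is copied from the log posted earlier in this thread; the heuristics and the names Finding, triage and path_reasons are this example's own. A hit is a prompt to look, not a verdict that the file is malicious.

```python
"""Triage heuristics over a ComboFix/DDS log excerpt (added example)."""
import re
from dataclasses import dataclass

# Lines copied from the ComboFix log posted in this thread (constructed input
# for the example, trimmed to the two sections the script looks at).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\222.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(964)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(1744)
c:\program files\ThreatFire\TFWAH.dll
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\WPDShServiceObj.dll
.
------------------------ Other Running Processes ------------------------
"""

# Log line shapes as ComboFix prints them.
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
IMAGE_PATH = re.compile(r'^"ImagePath"="(.*)"$', re.I)
PROCESS_HDR = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)$")
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # "service" or "dll"
    owner: str   # service name, or "process(pid)" for a loaded module
    path: str
    reason: str


def normalize(path):
    """Strip the NT object-manager prefix (\\??\\) and lowercase the path."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def path_reasons(path):
    """Heuristic reasons a path deserves a second look (hypothetical rules)."""
    reasons = []
    if TEMP_DIR.search(path):
        reasons.append("lives in a temp directory")
    if path.endswith(".tmp"):
        reasons.append("executable image with .tmp extension")
    return reasons


def triage(log_text):
    """Walk the log once and collect findings for services and loaded DLLs."""
    findings = []
    service = process = section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-----"):           # section banner
            section = "dlls" if "DLLs Loaded" in line else "other"
            service = process = None
            continue
        m = SERVICE_KEY.match(line)
        if m:
            service = m.group(1)
            continue
        m = IMAGE_PATH.match(line)
        if m and service:
            p = normalize(m.group(1))
            for r in path_reasons(p):
                findings.append(Finding("service", service, p, r))
            continue
        m = PROCESS_HDR.match(line)
        if m:
            process = f"{m.group(1)}({m.group(2)})"
            continue
        if section == "dlls" and process and line.lower().endswith(".dll"):
            p = normalize(line)
            for r in path_reasons(p):
                findings.append(Finding("dll", process, p, r))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.owner:20} {f.path}  [{f.reason}]")
```

Run against the excerpt it reports two items: the MEMSWEEP2 service (its image is a .tmp file under system32, which is the entry the OTM script above removes) and a DLL loaded into explorer.exe from the user's Temp directory. Anything in Program Files, including the ThreatFire and SUPERAntiSpyware modules, passes silently; the point of the rules is to shorten the list a human reads, not to replace that reading.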