23-06-2009, 08:30 AM
wbutt
re: [Resolved] Re-directed sites

Thank you for the reply, Broni.

SUPERAntiSpyware (done with net physically d/ced and in safe mode)

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 06/22/2009 at 10:27 PM

Application Version : 4.26.1004

Core Rules Database Version : 3949
Trace Rules Database Version: 1891

Scan type : Complete Scan
Total Scan Time : 01:44:54

Memory items scanned : 197
Memory threats detected : 0
Registry items scanned : 5790
Registry threats detected : 0
File items scanned : 68228
File threats detected : 1

Adware.Casino Games (Golden Palace Casino)
C:\POKER\TITAN POKER\CASINO.EXE

Anti-Malware log (after a restart w/ net reconnected)
Malwarebytes' Anti-Malware 1.38
Database version: 2317
Windows 5.1.2600 Service Pack 3

6/22/2009 11:19:01 PM
mbam-log-2009-06-22 (23-19-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 175159
Time elapsed: 39 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 75

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP50\A0018476.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETeccbqauthj.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETehniskiicu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETenticxvpop.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETetdmlicesb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETexxmbsrbmt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETfhsnqvoqok.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETgvqrypvgrf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNEThlapmfmnpf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETikxiuusgkw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETimcrviwwxr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETiqftrossnu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETismixnoyxo.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETkeqaknbpyl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETknbkbasexn.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETkpmnsvjuyu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETlmkbspadnr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETmbvthbiuro.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETmhcxjucriu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETmijnnlhbra.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETrpthxfyxmx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETrpucioufge.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETsdaqxklqax.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETsfcycgnspm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETsibiqrncyc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETspycblxoeb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETsyawfwwaax.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETtisgkakcin.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETtvporienbv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETtvvgcwpymu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETulfbabwqwm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETulgrvqgitn.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETunkcrynceg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETunpupblscs.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETuoqpvfukew.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETuvpwientse.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETnnqwbyuyuw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETntxoilxtcl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETnwxrpfpfdc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETnxvcpfwkiq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNEToseqwmqbuw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpeqwbuypeq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpiypmucrvb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpqxdcpjxyr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpwentritpb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpyxuidivra.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqdckxewolq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqomtnuxtft.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqrrycsdekk.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqsttbqhxnc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqvrvjulpcw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETrhhsxunldh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETuxpywbrlkh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvcdibchqqw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvpofteixry.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvsttrxtueo.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvxripfvrse.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxbrvodhprl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxeibcomtfg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxgbxmmumdk.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxgqdecvuey.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxmbpfuyasp.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETyikbwwnymb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETymdxwirbvf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETysexxxeviw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETebyyctstno.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETmpuyxuwqen.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETrnyrblgdoi.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETuxcqgcilij.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETchtxtnpqvt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETcxqpwiuevh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETdduyffqyjb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETdmxtpeqdcc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETdpgqobwiuc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETxewqvpap.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

GMER log (after restart)
GMER 1.0.15.14972 - GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-23 00:20:15
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT B8725356 ZwCreateKey
SSDT B872534C ZwCreateThread
SSDT B872535B ZwDeleteKey
SSDT B8725365 ZwDeleteValueKey
SSDT spdw.sys ZwEnumerateKey [0xB7EC5CA4]
SSDT spdw.sys ZwEnumerateValueKey [0xB7EC6032]
SSDT B872536A ZwLoadKey
SSDT spdw.sys ZwOpenKey [0xB7EA70C0]
SSDT B8725338 ZwOpenProcess
SSDT B872533D ZwOpenThread
SSDT spdw.sys ZwQueryKey [0xB7EC610A]
SSDT spdw.sys ZwQueryValueKey [0xB7EC5F8A]
SSDT B8725374 ZwReplaceKey
SSDT B872536F ZwRestoreKey
SSDT B8725360 ZwSetValueKey
SSDT B8725347 ZwTerminateProcess

INT 0x63 ? 8A721BF8
INT 0x63 ? 8A721BF8
INT 0x63 ? 8A792BF8
INT 0x63 ? 8A721BF8
INT 0x73 ? 8A721BF8
INT 0x73 ? 8A721BF8
INT 0x73 ? 8A721BF8
INT 0x82 ? 8A721BF8
INT 0xA4 ? 8A792BF8

---- Kernel code sections - GMER 1.0.15 ----

? nbnzbpl.sys The system cannot find the file specified. !
? spdw.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B70D18AC 5 Bytes JMP 8A7921D8
.text anbcqvdt.SYS B6EB9386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text anbcqvdt.SYS B6EB93AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text anbcqvdt.SYS B6EB93C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text anbcqvdt.SYS B6EB93C9 1 Byte [30]
.text anbcqvdt.SYS B6EB93C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA8042] spdw.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA813E] spdw.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA80C0] spdw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA8800] spdw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA86D6] spdw.sys
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7901F8

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \FileSystem\Fastfat \FatCdrom 888961F8
Device \Driver\sptd \Device\3232568098 spdw.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\usbohci \Device\USBPDO-0 8A21A500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7221F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A7221F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7221F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7221F8
Device \Driver\usbehci \Device\USBPDO-1 8A1FB1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7931F8
Device \Driver\PCI_PNP0598 \Device\00000058 spdw.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A7931F8
Device \Driver\Cdrom \Device\CdRom0 8A1E01F8
Device \Driver\Cdrom \Device\CdRom1 8A1E01F8
Device \Driver\usbstor \Device\00000082 8A192500
Device \Driver\NetBT \Device\NetBt_Wins_Export 888B31F8
Device \Driver\NetBT \Device\NetbiosSmb 888B31F8
Device \Driver\usbstor \Device\00000087 8A192500
Device \Driver\usbstor \Device\00000088 8A192500
Device \Driver\usbstor \Device\00000089 8A192500
Device \Driver\usbohci \Device\USBFDO-0 8A21A500
Device \Driver\usbehci \Device\USBFDO-1 8A1FB1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8889B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5D270E64-7EEB-4625-9DE6-AB9347DC6650} 888B31F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8889B1F8
Device \Driver\Ftdisk \Device\FtControl 8A7931F8
Device \Driver\usbstor \Device\0000008a 8A192500
Device \Driver\anbcqvdt \Device\Scsi\anbcqvdt1Port6Path0Target0Lun0 8A12F1F8
Device \Driver\anbcqvdt \Device\Scsi\anbcqvdt1 8A12F1F8
Device \FileSystem\Fastfat \Fat 888961F8

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89FD1500

---- Services - GMER 1.0.15 ----

Service system32\drivers\SKYNETpdmercfq.sys (*** hidden *** ) [DISABLED] SKYNETwysndllt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt@start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt@imagepath \systemroot\system32\drivers\SKYNETpdmercfq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpdmercfq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxewqvpap.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNETlog.dat \systemroot\system32\SKYNETuirixoom.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNETwsp.dll \systemroot\system32\SKYNETjyxgilas.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNET.dat \systemroot\system32\SKYNETrsonuktu.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x8B 0xAA 0xF1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0C 0x2B 0x8D 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x04 0x7D 0x91 0x8B ...
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt@imagepath \systemroot\system32\drivers\SKYNETpdmercfq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpdmercfq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxewqvpap.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNETlog.dat \systemroot\system32\SKYNETuirixoom.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNETwsp.dll \systemroot\system32\SKYNETjyxgilas.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNET.dat \systemroot\system32\SKYNETrsonuktu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x8B 0xAA 0xF1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0C 0x2B 0x8D 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x04 0x7D 0x91 0x8B ...

---- EOF - GMER 1.0.15 ----

HijackThis log (after restart)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:02 AM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1242609946937
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8009 bytes

Thank you for your time.