[Resolved] Re-directed sites

Spyware, Adware, Viruses and HijackThis Logs
#1
21-06-2009, 06:52 AM
wbutt
D-A-L Newbie
Join Date: Jun 2009
Posts: 18

Issue:
Noticed Google searches were being redirected; did some research and decided to get help to prevent formatting. Please advise me.

HP Pavilion AMD Athlon(tm) 64x2 Dual Core Processor 4200+
Windows XP
Firefox
Avira

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:53 PM, on 6/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1242609946937
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8081 bytes
#2
21-06-2009, 07:45 PM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,195
re: [Resolved] Re-directed sites

Download GooredFix and save it to your Desktop.
Double-click Goored.exe to run it.
Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
Note: Do not run Option #2 yet.
#3
22-06-2009, 03:04 AM
wbutt
D-A-L Newbie
Join Date: Jun 2009
Posts: 18
re: [Resolved] Re-directed sites

Thank you for the reply Broni

Goored Log

GooredFix v1.92 by jpshortstuff
Log created at 19:02 on 21/06/2009 running Option #1 (HP_Administrator)
Firefox version 3.0.11 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.11\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
#4
22-06-2009, 06:45 AM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,195
re: [Resolved] Re-directed sites

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.

* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.

* Click Close to exit the program.
Post SUPERAntiSpyware log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on the Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.14972 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
When the scan is completed, click the Save button and save the results as gmer.log.
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log in your next reply.

RESTART COMPUTER

STEP 4.
Post fresh HijackThis log.
Do NOT attempt to "fix" anything!


DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
#5
23-06-2009, 08:30 AM
wbutt
D-A-L Newbie
Join Date: Jun 2009
Posts: 18
re: [Resolved] Re-directed sites

Thank you for the reply Broni

SUPERAntiSpyware (done with net physically d/ced and in safe mode)

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 06/22/2009 at 10:27 PM

Application Version : 4.26.1004

Core Rules Database Version : 3949
Trace Rules Database Version: 1891

Scan type : Complete Scan
Total Scan Time : 01:44:54

Memory items scanned : 197
Memory threats detected : 0
Registry items scanned : 5790
Registry threats detected : 0
File items scanned : 68228
File threats detected : 1

Adware.Casino Games (Golden Palace Casino)
C:\POKER\TITAN POKER\CASINO.EXE

Anti-Malware log (after a restart w/ net reconnected)
Malwarebytes' Anti-Malware 1.38
Database version: 2317
Windows 5.1.2600 Service Pack 3

6/22/2009 11:19:01 PM
mbam-log-2009-06-22 (23-19-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 175159
Time elapsed: 39 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 75

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP50\A0018476.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETeccbqauthj.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETehniskiicu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETenticxvpop.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETetdmlicesb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETexxmbsrbmt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETfhsnqvoqok.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETgvqrypvgrf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNEThlapmfmnpf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETikxiuusgkw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETimcrviwwxr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETiqftrossnu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETismixnoyxo.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETkeqaknbpyl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETknbkbasexn.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETkpmnsvjuyu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETlmkbspadnr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETmbvthbiuro.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETmhcxjucriu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETmijnnlhbra.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETrpthxfyxmx.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETrpucioufge.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETsdaqxklqax.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETsfcycgnspm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETsibiqrncyc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETspycblxoeb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETsyawfwwaax.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETtisgkakcin.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETtvporienbv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETtvvgcwpymu.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETulfbabwqwm.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETulgrvqgitn.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETunkcrynceg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETunpupblscs.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETuoqpvfukew.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETuvpwientse.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETnnqwbyuyuw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETntxoilxtcl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETnwxrpfpfdc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETnxvcpfwkiq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNEToseqwmqbuw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpeqwbuypeq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpiypmucrvb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpqxdcpjxyr.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpwentritpb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETpyxuidivra.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqdckxewolq.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqomtnuxtft.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqrrycsdekk.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqsttbqhxnc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETqvrvjulpcw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETrhhsxunldh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETuxpywbrlkh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvcdibchqqw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvpofteixry.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvsttrxtueo.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETvxripfvrse.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxbrvodhprl.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxeibcomtfg.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxgbxmmumdk.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxgqdecvuey.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETxmbpfuyasp.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETyikbwwnymb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETymdxwirbvf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETysexxxeviw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETebyyctstno.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETmpuyxuwqen.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETrnyrblgdoi.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETuxcqgcilij.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETchtxtnpqvt.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETcxqpwiuevh.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETdduyffqyjb.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETdmxtpeqdcc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\SKYNETdpgqobwiuc.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETxewqvpap.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

GMER log (after restart)
GMER 1.0.15.14972 - GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-23 00:20:15
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT B8725356 ZwCreateKey
SSDT B872534C ZwCreateThread
SSDT B872535B ZwDeleteKey
SSDT B8725365 ZwDeleteValueKey
SSDT spdw.sys ZwEnumerateKey [0xB7EC5CA4]
SSDT spdw.sys ZwEnumerateValueKey [0xB7EC6032]
SSDT B872536A ZwLoadKey
SSDT spdw.sys ZwOpenKey [0xB7EA70C0]
SSDT B8725338 ZwOpenProcess
SSDT B872533D ZwOpenThread
SSDT spdw.sys ZwQueryKey [0xB7EC610A]
SSDT spdw.sys ZwQueryValueKey [0xB7EC5F8A]
SSDT B8725374 ZwReplaceKey
SSDT B872536F ZwRestoreKey
SSDT B8725360 ZwSetValueKey
SSDT B8725347 ZwTerminateProcess

INT 0x63 ? 8A721BF8
INT 0x63 ? 8A721BF8
INT 0x63 ? 8A792BF8
INT 0x63 ? 8A721BF8
INT 0x73 ? 8A721BF8
INT 0x73 ? 8A721BF8
INT 0x73 ? 8A721BF8
INT 0x82 ? 8A721BF8
INT 0xA4 ? 8A792BF8

---- Kernel code sections - GMER 1.0.15 ----

? nbnzbpl.sys The system cannot find the file specified. !
? spdw.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B70D18AC 5 Bytes JMP 8A7921D8
.text anbcqvdt.SYS B6EB9386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text anbcqvdt.SYS B6EB93AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text anbcqvdt.SYS B6EB93C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text anbcqvdt.SYS B6EB93C9 1 Byte [30]
.text anbcqvdt.SYS B6EB93C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA8042] spdw.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA813E] spdw.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA80C0] spdw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA8800] spdw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA86D6] spdw.sys
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!READ_PORT_UCHAR] 1C8D9E88
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KfRaiseIrql] 00001CA9
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!HalTranslateBusAddress] 8186C636
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!KfReleaseSpinLock] 1C8386C6
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!READ_PORT_USHORT] 001C8E86
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CAA
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\anbcqvdt.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB19E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7901F8

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \FileSystem\Fastfat \FatCdrom 888961F8
Device \Driver\sptd \Device\3232568098 spdw.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\usbohci \Device\USBPDO-0 8A21A500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7221F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A7221F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7221F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7221F8
Device \Driver\usbehci \Device\USBPDO-1 8A1FB1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7931F8
Device \Driver\PCI_PNP0598 \Device\00000058 spdw.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A7931F8
Device \Driver\Cdrom \Device\CdRom0 8A1E01F8
Device \Driver\Cdrom \Device\CdRom1 8A1E01F8
Device \Driver\usbstor \Device\00000082 8A192500
Device \Driver\NetBT \Device\NetBt_Wins_Export 888B31F8
Device \Driver\NetBT \Device\NetbiosSmb 888B31F8
Device \Driver\usbstor \Device\00000087 8A192500
Device \Driver\usbstor \Device\00000088 8A192500
Device \Driver\usbstor \Device\00000089 8A192500
Device \Driver\usbohci \Device\USBFDO-0 8A21A500
Device \Driver\usbehci \Device\USBFDO-1 8A1FB1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8889B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5D270E64-7EEB-4625-9DE6-AB9347DC6650} 888B31F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8889B1F8
Device \Driver\Ftdisk \Device\FtControl 8A7931F8
Device \Driver\usbstor \Device\0000008a 8A192500
Device \Driver\anbcqvdt \Device\Scsi\anbcqvdt1Port6Path0Target0Lun0 8A12F1F8
Device \Driver\anbcqvdt \Device\Scsi\anbcqvdt1 8A12F1F8
Device \FileSystem\Fastfat \Fat 888961F8

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 89FD1500

---- Services - GMER 1.0.15 ----

Service system32\drivers\SKYNETpdmercfq.sys (*** hidden *** ) [DISABLED] SKYNETwysndllt <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt@start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt@imagepath \systemroot\system32\drivers\SKYNETpdmercfq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpdmercfq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxewqvpap.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNETlog.dat \systemroot\system32\SKYNETuirixoom.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNETwsp.dll \systemroot\system32\SKYNETjyxgilas.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwysndllt\modules@SKYNET.dat \systemroot\system32\SKYNETrsonuktu.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x8B 0xAA 0xF1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0C 0x2B 0x8D 0x85 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x04 0x7D 0x91 0x8B ...
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt@imagepath \systemroot\system32\drivers\SKYNETpdmercfq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main\delete
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main\injector
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\main\tasks
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpdmercfq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNETcmd.dll \systemroot\system32\SKYNETxewqvpap.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNETlog.dat \systemroot\system32\SKYNETuirixoom.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNETwsp.dll \systemroot\system32\SKYNETjyxgilas.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETwysndllt\modules@SKYNET.dat \systemroot\system32\SKYNETrsonuktu.dat
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x8B 0xAA 0xF1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0C 0x2B 0x8D 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919E A49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x04 0x7D 0x91 0x8B ...

---- EOF - GMER 1.0.15 ----

HijackThis log (after restart)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:02 AM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = AOL.com - Welcome to AOL
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1242609946937
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8009 bytes

Thank you for your time
#6
Old 23-06-2009, 04:27 PM
Senior Member
 
Join Date: Nov 2004
Posts: 2,195
re: [Resolved] Re-directed sites

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.
#7
Old 24-06-2009, 12:04 AM
Newbie
D-A-L Newbie
 
Join Date: Jun 2009
Posts: 18
re: [Resolved] Re-directed sites

Thank you for the reply, Broni.

I noticed these are the last few steps others have taken in situations similar to mine. I hope I too get the Mr. Clean reply image.


combofixlog

ComboFix 09-06-22.0E - HP_Administrator 06/23/2009 15:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1626 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\driver
c:\windows\kb913800.exe
c:\windows\system32\drivers\ctoss2k.sys
c:\windows\system32\SKYNETuirixoom.dat
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_driver
-------\Legacy_driverdrv
-------\Service_SKYNETwysndllt
-------\Legacy_ossrv
-------\Service_ossrv


((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-06-23 )))))))))))))))))))))))))))))))
.

2009-06-23 02:33 . 2009-06-23 02:33 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\teamspeak2
2009-06-20 22:52 . 2009-06-23 07:25 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-20 22:51 . 2009-06-20 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-20 22:51 . 2009-06-20 22:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-20 22:51 . 2009-06-20 22:51 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com
2009-06-20 08:06 . 2009-06-20 08:06 -------- d-----w- c:\program files\Trend Micro
2009-06-20 07:47 . 2009-06-20 22:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-19 08:57 . 2009-06-19 08:57 -------- d-----w- c:\program files\CCleaner
2009-06-19 07:54 . 2009-06-19 07:54 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-06-19 07:51 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 07:51 . 2009-06-19 07:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 07:51 . 2009-06-19 07:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 07:51 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-19 07:14 . 2009-06-19 07:54 -------- d-----w- c:\program files\Lavasoft
2009-06-19 07:14 . 2009-06-19 07:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-19 07:07 . 2009-06-20 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-11 12:12 . 2009-06-11 12:12 -------- d--h--w- c:\windows\PIF
2009-06-06 04:11 . 2008-12-05 04:42 815104 ----a-w- c:\windows\system32\xvidcore.dll
2009-06-06 04:11 . 2009-06-06 04:11 -------- d-----w- c:\program files\Xvid
2009-06-06 04:11 . 2008-12-05 04:46 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-06-03 01:12 . 2009-06-22 11:45 25 ----a-w- c:\windows\popcinfot.dat
2009-06-02 22:51 . 2009-06-02 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-06-01 12:04 . 2009-06-01 12:04 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Help
2009-06-01 05:36 . 2009-06-01 05:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPQ
2009-05-31 22:42 . 2009-05-31 22:42 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2009-05-30 11:03 . 2009-05-30 11:03 -------- d-----w- C:\Poker
2009-05-28 02:45 . 2009-05-28 02:45 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\TouchStoneSoftware
2009-05-26 23:11 . 2009-05-28 04:55 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ventrilo
2009-05-26 23:11 . 2009-05-26 23:11 -------- d-----w- c:\program files\Ventrilo
2009-05-26 23:10 . 2009-06-20 22:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 02:50 . 2009-05-18 06:02 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\uTorrent
2009-06-18 06:19 . 2009-05-18 06:31 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DAEMON Tools Lite
2009-06-16 01:45 . 2009-05-18 07:43 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-06-16 01:45 . 2009-05-18 07:43 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-06-09 23:23 . 2006-05-24 03:29 84976 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 03:48 . 2009-05-18 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-06 04:09 . 2009-05-18 06:22 -------- d-----w- c:\program files\DivX
2009-06-06 04:09 . 2009-05-18 06:22 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-01 12:04 . 2009-05-18 06:27 -------- d-----w- c:\program files\CDisplay
2009-05-22 02:41 . 2009-05-22 02:41 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\TeamViewer
2009-05-19 23:52 . 2009-05-18 02:33 8 ----a-w- c:\windows\system32\nvModes.dat
2009-05-18 22:37 . 2009-05-18 06:54 -------- d-----w- c:\program files\Ultra Mobile 3GP Video Converter
2009-05-18 21:59 . 2009-05-18 06:34 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-18 11:50 . 2009-05-18 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2009-05-18 10:35 . 2009-05-18 10:35 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\vlc
2009-05-18 08:22 . 2006-05-24 03:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-18 08:22 . 2006-05-24 03:32 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-18 07:43 . 2009-05-18 07:43 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-05-18 07:43 . 2009-05-18 07:43 81920 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-05-18 07:43 . 2009-05-18 07:43 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-05-18 07:43 . 2009-05-18 07:43 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-05-18 07:19 . 2009-05-18 07:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-05-18 07:19 . 2009-05-18 07:19 -------- d-----w- c:\program files\Pando Networks
2009-05-18 07:15 . 2009-05-18 07:15 -------- d-----w- c:\program files\DivXLand
2009-05-18 07:10 . 2009-05-18 07:10 -------- d-----w- c:\program files\VirtualDub
2009-05-18 07:05 . 2009-05-18 07:05 -------- d-----w- c:\program files\VideoLAN
2009-05-18 06:53 . 2009-05-18 06:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\GetRightToGo
2009-05-18 06:43 . 2009-05-18 06:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Realtime Soft
2009-05-18 06:43 . 2009-05-18 06:43 -------- d-----w- c:\program files\Common Files\Realtime Soft
2009-05-18 06:43 . 2009-05-18 06:43 -------- d-----w- c:\program files\UltraMon
2009-05-18 06:43 . 2009-05-18 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Realtime Soft
2009-05-18 06:37 . 2009-05-18 06:37 -------- d-----w- c:\program files\Microsoft
2009-05-18 06:37 . 2009-05-18 06:37 -------- d-----w- c:\program files\Windows Live
2009-05-18 06:37 . 2009-05-18 06:37 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-05-18 06:37 . 2009-05-18 06:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Media Player Classic
2009-05-18 06:36 . 2009-05-18 06:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DivX
2009-05-18 06:36 . 2009-05-18 06:36 -------- d-----w- c:\program files\Common Files\Windows Live
2009-05-18 06:34 . 2009-05-18 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-18 06:34 . 2009-05-18 06:34 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-18 06:31 . 2009-05-18 06:31 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-18 06:20 . 2009-05-18 06:20 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-05-18 06:03 . 2009-05-18 06:03 -------- d-----w- c:\program files\uTorrent
2009-05-18 03:40 . 2009-05-18 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-05-18 03:40 . 2009-05-18 03:40 -------- d-----w- c:\program files\Logitech
2009-05-18 03:28 . 2009-05-18 03:28 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Ahead
2009-05-18 03:22 . 2009-05-18 03:19 -------- d-----w- c:\program files\Ahead
2009-05-18 03:19 . 2009-05-18 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-05-18 03:19 . 2009-05-18 03:19 -------- d-----w- c:\program files\Common Files\Ahead
2009-05-18 03:00 . 2009-05-18 03:00 -------- d-----w- c:\program files\Common Files\L&H
2009-05-18 03:00 . 2009-05-18 03:00 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-05-18 03:00 . 2009-05-18 02:59 -------- d-----w- c:\program files\Microsoft Office 2003
2009-05-18 02:55 . 2009-05-18 02:55 -------- d-----w- c:\program files\Microsoft Works
2009-05-18 02:55 . 2009-05-18 02:55 -------- d-----w- c:\program files\MSBuild
2009-05-18 02:55 . 2009-05-18 02:52 -------- d-----w- c:\program files\Microsoft Office 2007
2009-05-18 02:54 . 2009-05-18 02:54 -------- d-----w- c:\program files\Microsoft.NET
2009-05-18 02:41 . 2009-05-18 02:41 -------- d-----w- c:\program files\Avira
2009-05-18 02:41 . 2009-05-18 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-18 02:38 . 2009-05-18 02:38 0 ----a-w- c:\windows\nsreg.dat
2009-05-18 02:33 . 2009-05-18 02:33 -------- d-----w- c:\program files\Common Files\logishrd
2009-05-18 02:32 . 2009-05-18 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-18 02:30 . 2009-05-18 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-05-18 02:30 . 2009-05-18 02:30 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-05-18 02:30 . 2009-05-18 02:30 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-05-18 02:30 . 2009-05-18 02:30 -------- d-----w- c:\program files\OpenAL
2009-05-18 02:29 . 2009-05-18 02:29 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2009-05-18 02:29 . 2009-05-18 02:29 -------- d-----w- c:\program files\Creative
2009-05-18 02:11 . 2005-08-31 04:01 92947 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-18 02:11 . 2009-05-18 02:11 45056 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-05-18 02:11 . 2009-05-18 02:11 61440 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-05-18 02:11 . 2009-05-18 02:11 44032 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-05-18 02:11 . 2009-05-18 02:11 40960 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-05-18 02:11 . 2009-05-18 02:11 341048 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-05-18 02:11 . 2009-05-18 02:11 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-05-18 02:11 . 2009-05-18 02:11 32768 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-05-18 02:11 . 2009-05-18 02:11 217088 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2009-05-18 02:11 . 2009-05-18 02:11 163840 ----a-w- c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-05-18 01:18 . 2006-05-24 03:30 -------- d-----w- c:\program files\Common Files\Real
2009-05-18 01:09 . 2006-05-24 04:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-05-18 01:09 . 2006-05-24 04:00 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-05-18 00:34 . 2009-05-18 00:34 1839 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EX276AA-ABA a1540n_YC_0Pavi_QCNH627_E63NAemMPA2_48_INODUSM_SASUSTek Computer INC._V1.03_B3.04_T060614_WXP2_L409_M2047_J250_7AMD_8Athlon 64 X2 Dual Core_92.2_#061013_N_Z_G_OTSSTcorp CD DVDW TS-H652L_D.MRK
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-05-01 07:31 . 2009-05-01 07:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-01 07:31 . 2009-05-01 07:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-05-01 07:31 . 2009-05-01 07:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-05-01 07:31 . 2009-05-01 07:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-05-01 07:31 . 2009-05-01 07:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-05-01 07:31 . 2009-05-01 07:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-05-01 07:31 . 2009-05-01 07:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-05-01 05:02 . 2009-05-18 02:25 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-05-01 05:02 . 2009-05-01 05:02 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-05-01 05:02 . 2009-05-01 05:02 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-05-01 05:02 . 2009-05-01 05:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-05-01 05:02 . 2009-05-01 05:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-05-01 05:02 . 2009-05-01 05:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-05-01 05:02 . 2009-05-01 05:02 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2009-05-04 354312]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2009-05-04 1572872]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2009-05-04 2817544]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-08 23552]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58162:TCP"= 58162:TCP:Pando Media Booster
"58162:UDP"= 58162:UDP:Pando Media Booster

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/17/2009 7:41 PM 108289]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22 PM 11776]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\ drivers\UltraMonMirror.sys [9/24/2006 9:23 PM 3584]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [5/17/2009 7:29 PM 79360]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-06-23 15:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1480)
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDMedia.exe
c:\program files\Logitech\GamePanel Software\Applets\LCDRSS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2009-06-23 16:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-23 23:00

Pre-Run: 29,097,234,432 bytes free
Post-Run: 29,035,659,264 bytes free

276

HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:47 PM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDRSS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1242609946937
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6995 bytes
  #8 (permalink)  
Old 24-06-2009, 12:21 AM
broni
Senior Member
 
Join Date: Nov 2004
Posts: 2,195
re: [Resolved] Re-directed sites

Quote:
I hope I too get the Mr.Clean reply image
We'll surely get there

How is the redirection issue?

=================================================================

Uninstall Combofix:

Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u"
Restart computer.

===============================================================

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

===============================================================

Open Windows Explorer, and delete:
- Symantec folder from c:\documents and settings\All Users\Application Data\
- Symantec Shared folder from c:\program files\Common Files\

==============================================================

Print this post out, since you won't have access to it at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

- O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
- O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
- O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)


4. You may also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

- O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
- O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
- O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
- O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
- O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
- O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
- O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.
__________________
My Home Page
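The entries broni ticks first in step 3 are the ones HijackThis marks "(no file)" or "(file missing)": registrations whose target is gone from disk, including an O9 button and its 'Tools' menu item that share one CLSID. As an added example (not from this thread and not part of HijackThis), this Python script parses HijackThis-style lines, flags those orphaned registrations and groups them by CLSID so paired entries are fixed together; the sample lines are constructed from the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min /nosplash
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe (file missing)
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# An entry line is a section code (O2, R1, ...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFOL]\d+)\s-\s(?P<body>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends these when the registered target is absent on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

def parse_hjt(text):
    """Parse HijackThis entry lines into dicts; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        guid = GUID_RE.search(body)
        entries.append({
            "kind": m.group("kind"),
            "body": body,
            # CLSIDs are case-insensitive; normalise so related lines group together.
            "guid": guid.group(0).upper() if guid else None,
            "orphan": body.endswith(ORPHAN_MARKERS),
        })
    return entries

def orphaned_entries(entries):
    """Entries whose target file is gone: dead registrations to fix first."""
    return [e for e in entries if e["orphan"]]

def group_by_guid(entries):
    """Group entries by CLSID so an O9 button and its 'Tools' item are fixed together."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["guid"] or e["body"]].append(e)
    return dict(groups)

if __name__ == "__main__":
    for guid, items in group_by_guid(orphaned_entries(parse_hjt(SAMPLE_LOG))).items():
        print(guid)
        for e in items:
            print("   ", e["kind"], "-", e["body"])
```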
  #9 (permalink)  
Old 24-06-2009, 12:24 AM
Newbie
D-A-L Newbie
 
Join Date: Jun 2009
Posts: 18
wbutt
re: [Resolved] Re-directed sites

(edit)
I didn't see your fresh reply; I'll do your suggested instructions first. As of now most of my searches don't seem to be infected at all. But there were days where it faded and returned; I'll see how it is after I get those things listed above done. Thank you

Just found out I lost my sound. Is this normal for ComboFix? If so, any clue how I can restore it?
When I go into my Control Panel > Sounds and Audio Devices it says I have no audio device, and that little sound symbol in the bottom right is gone.

Last edited by wbutt; 24-06-2009 at 12:31 AM.
  #10 (permalink)  
Old 24-06-2009, 12:34 AM
broni
Senior Member
 
Join Date: Nov 2004
Posts: 2,195
re: [Resolved] Re-directed sites

No, it's not normal, but sometimes the malware removal process brings some side effects.
It's most likely just a matter of reinstalling the sound driver, but let's finish the cleaning process first.
Perform all steps from my previous reply first.
__________________
My Home Page