
Google redirect problem; Malware/infected registry value


Postby sule » Sun May 02, 2010 10:38 pm

My Google search links keep getting redirected to random sites no matter what browser I am using, be it IE 8, Opera or Firefox. I have the updated version of each of these browsers and still the browser gets hijacked. Also, tabs will open themselves, taking me to a random site.
I have run Malwarebytes Anti-Malware many times; it finds the same problem and removes it, but the next time I start my computer it will be there again. The file is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace).

Below are my MBAM, HijackThis and BitDefender Online Scanner logs:
Malwarebytes' Anti-Malware 1.33
Database version: 1656
Windows 5.1.2600 Service Pack 2

02/05/2010 13:07:04
mbam-log-2010-05-02 (13-07-04).txt

Scan type: Quick Scan
Objects scanned: 72393
Time elapsed: 28 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




HIJACKTHIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:12:57, on 02/05/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\AOL 9.0a\aoltray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\DOCUME~1\Suliman\MYDOCU~1\Suliman\Biology\AIMWDI~1.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nonep] C:\WINDOWS\TEMP\255.tmp
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [sysmon64x.exe] C:\WINDOWS\TEMP\sysmon64x.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro.cce.hp.com/ChatEntry/dow ... ysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (BitDefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117w.bay117.mail.live.com/mail ... nPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/Fac ... oader2.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O20 - AppInit_DLLs: nbmmyu.dll ihihhx.dll zahcku.dll lavwdy.dll ulpwzr.dll uasonq.dll hqopyc.dll bjihva.dll qhzztu.dll yvixog.dll ygfywo.dll omgvax.dll wykfib.dll
O20 - Winlogon Notify: ssqQkiHB - ssqQkiHB.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Lavasoft Ad-Aware Service aawserviceSymWSC (aawserviceSymWSC) - Unknown owner - C:\WINDOWS\system32\actmoviem.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ClipBook ClipSrv RemoteAssist (ClipSrv RemoteAssist) - Unknown owner - C:\WINDOWS\system32\alrsvck.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Telephony TapiSrv ACS (TapiSrv ACS) - Unknown owner - C:\WINDOWS\system32\AdobePDFs.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WAN Miniport (ATW) Service WANMiniportService ACS (WANMiniportService ACS) - Unknown owner - C:\WINDOWS\system32\ac3filtera.exe (file missing)

--
End of file - 12230 bytes


BITDEFENDER ONLINE SCANNER
QuickScan Beta 32-bit v0.9.9.19
-------------------------------
Scan date: Sun May 02 12:42:17 2010
Machine ID: 67AABFD

C:\WINDOWS\PRAGMAmuetetbvpu\PRAGMAc.dll - hidden file!
C:\WINDOWS\system32\pragmabbr.dll - hidden file!
C:\WINDOWS\system32\pragmaserf.dll - hidden file!


Found 3 infected files!
-----------------------

C:\WINDOWS\PRAGMAmuetetbvpu\PRAGMAc.dll --> Gen:Heur.Krypt.9
--> Process svchost.exe (856)

C:\WINDOWS\system32\pragmaserf.dll --> Gen:Heur.Krypt.9
--> Process Explorer.EXE (1832)

C:\WINDOWS\system32\pragmabbr.dll --> Gen:Heur.Krypt.9
--> Process opera.exe (2872)



Processes
---------
<unsigned> AcroTray - Adobe Acrobat Distiller help 2420 C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
<unsigned> America Online 1608 C:\WINDOWS\wanmpsvc.exe
<unsigned> Logitech Desktop Messenger 216 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
<unsigned> Quick Launch Buttons 1648 C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
<unsigned> SafeCast Windows NT 1588 C:\WINDOWS\system32\drivers\CDAC11BA.EXE
<unsigned> SetPoint Files 236 C:\Program Files\Logitech\SetPoint\KEM.exe
<unsigned> SoundMAX service agent 1128 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
<unsigned> Viewpoint Manager 1812 C:\Program Files\Viewpoint\Common\ViewpointService.exe

<verified> Ad-Aware Service 1164 C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
<verified> Agere SoftModem Messaging Applet 1344 C:\WINDOWS\AGRSMMSG.exe
<verified> Alps Pointing-device Driver 1248 C:\Program Files\Apoint2K\Apoint.exe
<verified> Alps Pointing-device Driver for Windows 380 C:\Program Files\Apoint2K\Apntex.exe
<verified> America Online 368 C:\Program Files\AOL 9.0a\aoltray.exe
<verified> AOL Connectivity Service 1452 C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
<verified> Apple Mobile Device Service 1488 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
<verified> Bonjour 1536 C:\Program Files\Bonjour\mDNSResponder.exe
<verified> Delivery Manager 2792 C:\Program Files\Kontiki\KHost.exe
<verified> iTunes 1360 C:\Program Files\iPod\bin\iPodService.exe
<verified> iTunes 3728 C:\Program Files\iTunes\iTunesHelper.exe
<verified> Java(TM) Platform SE 6 U20 1824 C:\Program Files\Java\jre6\bin\jqs.exe
<verified> Java(TM) Platform SE Auto Updater 2 0 1776 C:\Program Files\Common Files\Java\Java Update\jusched.exe
<verified> KService.exe 1952 C:\Program Files\Kontiki\KService.exe
<verified> Malwarebytes' Anti-Malware 3312 C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
<verified> Microsoft® Visual Studio .NET 308 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
<verified> Microsoft® Windows® Operating System 1832 C:\WINDOWS\Explorer.EXE
<verified> Microsoft® Windows® Operating System 3080 C:\WINDOWS\System32\alg.exe
<verified> Microsoft® Windows® Operating System 468 C:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 1972 C:\WINDOWS\system32\ctfmon.exe
<verified> Microsoft® Windows® Operating System 3420 C:\WINDOWS\system32\ctfmon.exe
<verified> Microsoft® Windows® Operating System 572 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 560 C:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 416 C:\WINDOWS\System32\smss.exe
<verified> Microsoft® Windows® Operating System 1292 C:\WINDOWS\system32\spoolsv.exe
<verified> Microsoft® Windows® Operating System 1400 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1040 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1688 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 948 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 856 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 788 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 748 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 736 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1300 C:\WINDOWS\system32\wbem\wmiprvse.exe
<verified> Microsoft® Windows® Operating System 508 C:\WINDOWS\system32\winlogon.exe
<verified> Microsoft® Windows® Operating System 2328 C:\WINDOWS\system32\wuauclt.exe
<verified> Microsoft® Windows® Operating System 3920 C:\WINDOWS\system32\wuauclt.exe
<verified> Norton Security Center 2960 C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
<verified> Norton Security Center 2096 C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
<verified> NVIDIA Driver Helper Service, Version 4 684 C:\WINDOWS\system32\nvsvc32.exe
<verified> Opera Internet Browser 2872 C:\Program Files\Opera\opera.exe
<verified> Productivity Software Common Files 932 C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
<verified> SupportSoft sprtcmd 3632 C:\Program Files\O2\bin\sprtcmd.exe
<verified> SupportSoft sprtsvc 1420 C:\Program Files\O2\bin\sprtsvc.exe
<verified> Symantec Security Technologies 436 C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
<verified> Symantec Security Technologies 3456 C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
<verified> Windows Live Messenger 2016 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
<verified> Windows® Internet Explorer 4216 C:\Program Files\Internet Explorer\iexplore.exe
<verified> Windows® Internet Explorer 4884 C:\Program Files\Internet Explorer\iexplore.exe
<verified> Yahoo! Messenger 2684 C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe


Network activity
----------------
Process opera.exe (2872) connected on port 80 (HTTP) --> ww-in-f156.1e100.net
Process opera.exe (2872) connected on port 80 (HTTP) --> sitecheck2.opera.com
Process opera.exe (2872) connected on port 80 (HTTP) --> ww-in-f101.1e100.net
Process opera.exe (2872) connected on port 80 (HTTP) --> ww-in-f156.1e100.net
Process opera.exe (2872) connected on port 80 (HTTP) --> gv-in-f147.1e100.net
Process iexplore.exe (4216) connected on port 80 (HTTP) --> CRL.VERISIGN.NET
Process iexplore.exe (4216) connected on port 80 (HTTP) --> a92-123-78-50.deploy.akamaitechnologies.com
Process iexplore.exe (4216) connected on port 80 (HTTP) --> CRL.VERISIGN.NET

Process svchost.exe (736) listens on ports: 28319
Process svchost.exe (788) listens on ports: 135 (RPC)
Process KService.exe (1952) listens on ports: 1947


Autoruns and critical files
---------------------------
<unsigned> cpqset.exe C:\Program Files\HPQ\Default Settings\cpqset.exe
<unsigned> HP Service Delivery Platform C:\Program Files\Easy Internet signup\HPSdpApp.exe
<unsigned> InstallShield Update Service C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
<unsigned> InstallShield Update Service C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
<unsigned> Logitech Desktop Messenger C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
<unsigned> Quick Launch Buttons C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
<unsigned> RealPlayer (32-bit) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
<unsigned> sdra64.exe c:\windows\system32\sdra64.exe
<unsigned> SetPoint Files C:\Program Files\Logitech\SetPoint\KEM.exe
<unsigned> Sonic Update Manager C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

<verified> Agere SoftModem Messaging Applet C:\WINDOWS\AGRSMMSG.exe
<verified> Alps Pointing-device Driver C:\Program Files\Apoint2K\Apoint.exe
<verified> Apple Software Update C:\Program Files\Apple Software Update\SoftwareUpdate.exe
<verified> Delivery Manager C:\Program Files\Kontiki\KHost.exe
<verified> Java(TM) Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
<verified> LiveUpdate C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
<verified> NVIDIA Compatible Windows 2000 Display C:\WINDOWS\system32\NvCpl.dll
<verified> NVIDIA nView Wizard, Version 47.16 C:\WINDOWS\system32\nwiz.exe
<verified> Productivity Software Common Files C:\WINDOWS\KHALMNPR.EXE
<verified> Windows Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
<verified> Windows Live Messenger C:\Program Files\Windows Live\Messenger\msnmsgr.exe
<verified> Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll
<verified> Yahoo! Messenger C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


Browser plugins
---------------
<unsigned> acroiefavclient.dll c:\program files\adobe\acrobat 6.0\acrobat\acroiefavclient.dll
<unsigned> Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
<unsigned> DivX® Web Player C:\Program Files\DivX\DivX Web Player\npdivx32.dll
<unsigned> DivX® Web Player C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
<unsigned> MetaStream 3 Plugin C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
<unsigned> MetaStream 3 Plugin C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
<unsigned> Mozilla ActiveX control and plugin supp C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
<unsigned> npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> QuickTime Plug-in 7.5.5 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> RealJukebox NS Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
<unsigned> RealPlayer Version Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
<unsigned> RealPlayer(tm) G2 LiveConnect-Enabled P C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
<unsigned> unagiuninst.exe C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
<unsigned> Yahoo! activeX Plug-in Bridge C:\Program Files\Yahoo!\Common\npyaxmpb.dll

<verified> MusicManager Plugin C:\WINDOWS\Downloaded Program Files\MusicManagerUnInstaller.exe
<verified> AOL Media Playback Control C:\WINDOWS\Downloaded Program Files\ampAx3.0.84.2.dll
<verified> BitDefender QuickScan C:\WINDOWS\Downloaded Program Files\qsax.ocx
<verified> Facebook Photo Uploader 5 C:\WINDOWS\Downloaded Program Files\PhotoUploader5.ocx
<verified> HP Diagnostics Program - Product Identi C:\WINDOWS\Downloaded Program Files\HPBasicDetection3.dll
<verified> HPProductDetails C:\WINDOWS\Downloaded Program Files\HPProductDetails.dll
<verified> Java Deployment Toolkit 6.0.200.2 C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
<verified> Java(TM) Platform SE 6 U20 c:\program files\java\jre6\bin\jp2ssv.dll
<verified> Java(TM) Platform SE 6 U20 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<verified> LogInfo Module C:\WINDOWS\Downloaded Program Files\LogInfo.dll
<verified> Microsoft Office 2003 C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
<verified> Microsoft® Windows Live Login Helper C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
<verified> Microsoft® Windows Media Player Firefox C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\System32\nwprovau.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
<verified> MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\PURen-gb.dll
<verified> MSN Photo Upload Control C:\WINDOWS\Downloaded Program Files\PURen-us.dll
<verified> Norton Confidential C:\Program Files\Norton 360\Engine\3.8.0.41\CoIEPlg.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Picasa C:\Program Files\Google\Picasa3\npPicasa3.dll
<verified> Silverlight Plug-In c:\Program Files\Microsoft Silverlight\3.0.50106.0\npctrl.dll
<verified> Symantec Intrusion Detection C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.dll
<verified> SysInfo Module C:\WINDOWS\Downloaded Program Files\SysInfo.dll
<verified> Windows Genuine Advantage C:\Program Files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
<verified> Windows Live® Photo Gallery C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
<verified> Windows Presentation Foundation c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
<verified> Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> Yahoo Application State Plugin C:\Program Files\Yahoo!\Shared\npYState.dll


Missing files
-------------
File not found: C:\DOCUME~1\Suliman\MYDOCU~1\Suliman\Biology\AIMWDI~1.EXE
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AIMWDInstallFilename"

File not found: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"AppleSyncNotifier"

File not found: C:\WINDOWS\System32\appmgmts.dll
referenced in: HKLM\System\ControlSet001\services\AppMgmt\Parameters\"ServiceDll"

File not found: C:\WINDOWS\System32\hidserv.dll
referenced in: HKLM\System\ControlSet001\services\HidServ\Parameters\"ServiceDll"

File not found: C:\WINDOWS\TEMP\255.tmp
referenced in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"nonep"

File not found: bjihva.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: c:\program files\veoh networks\veoh\plugins\reg\veohtoolbar.dll
referenced in: HKCR\CLSID\{D0943516-5076-4020-A3B5-AEFAF26AB263}\InprocServer32\(default)

File not found: hqopyc.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: ihihhx.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: lavwdy.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: nbmmyu.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: omgvax.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: qhzztu.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: ssqQkiHB.dll
referenced in: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqQkiHB\"DllName"

File not found: uasonq.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: ulpwzr.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: wykfib.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: ygfywo.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: yvixog.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"

File not found: zahcku.dll
referenced in: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs"


Scan
----
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
<unsigned> MD5: 4f5d4f1592b4d712bd61556b8c7e28b5 C:\Program Files\iPod\bin\iPodService.Resources\en.lproj\iPodServiceLocalized.dll
<unsigned> MD5: 51ca810fb3c11370f3904165036a31a5 C:\Program Files\iPod\bin\iPodService.Resources\iPodService.dll
<unsigned> MD5: 0898cc816b28de1dbc04c91909b1b7e4 C:\Program Files\iTunes\iTunesHelper.Resources\en.lproj\iTunesHelperLocalized.dll
<unsigned> MD5: f6cf001db2da7bfdb3f785e005530481 C:\Program Files\iTunes\iTunesHelper.Resources\iTunesHelper.dll
<unsigned> MD5: 2d315bb5a7a4c6c265192b05db53034f C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
<unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 C:\Program Files\Java\jre6\bin\msvcr71.dll
<unsigned> MD5: 84afb4711d4109f29d881ea7cfc69f47 C:\Program Files\Logitech\Desktop Messenger\8876480\8.1.1.50-8876480SL\Program\backweb.dll
<unsigned> MD5: dac29ad3de12e0cac510de0fb1cbec3b C:\Program Files\Logitech\Desktop Messenger\8876480\8.1.1.50-8876480SL\Program\bwfiles.dll
<unsigned> MD5: bb8bc9bc13d87b2c855b2bd50fbd1dcf C:\Program Files\Logitech\Desktop Messenger\8876480\8.1.1.50-8876480SL\Program\bwsec.dll
<unsigned> MD5: f2d0ad019503c48d85c5f70771288b63 C:\Program Files\Logitech\Desktop Messenger\8876480\8.1.1.50-8876480SL\Program\clntutil.dll
<unsigned> MD5: 8c620f16e1d024049046f93b12e38855 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWfiles-8876480.dll
<unsigned> MD5: 0eafb882ff397f14e37b7972d09273c0 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
<unsigned> MD5: b75637da0a24b4b9d12a87d02fc437fe C:\Program Files\Logitech\SetPoint\KEM.exe
<unsigned> MD5: 130a0d4d3f2cc910a836660f368ac208 C:\Program Files\Logitech\SetPoint\KEMHook.dll
<unsigned> MD5: 40a291e38574e6bf823146134b58dea5 C:\Program Files\Logitech\SetPoint\KEMUI.dll
<unsigned> MD5: 7324166ab00eb96b1c43e622862204c4 C:\Program Files\Logitech\SetPoint\KHALAPI.DLL
<unsigned> MD5: bec35624843b08db9dcd11a5a41a1d14 C:\Program Files\Logitech\SetPoint\KHALHPP.DLL
<unsigned> MD5: c67828453693dc12193df462c38029b7 C:\Program Files\Logitech\SetPoint\KHALITCH.DLL
<unsigned> MD5: 8dc14d387c8466c0cc5ee4ceb2200921 C:\Program Files\Logitech\SetPoint\KHALMW.dll
<unsigned> MD5: d6ff1708737814952d7756209806e70c C:\Program Files\Logitech\SetPoint\lgscroll.dll
<unsigned> MD5: c2c7fed757494a4302b216885c95bf82 C:\Program Files\Logitech\SetPoint\Macros\MacroBT.dll
<unsigned> MD5: f09c7a5d6f5c28520e3154497db71408 C:\Program Files\Logitech\SetPoint\Macros\MacroCore.dll
<unsigned> MD5: cb7524c21727404bd3140dca32deb7de C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe
<unsigned> MD5: a13d7cd76e026ba041e9eba4eef1eba0 C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
<unsigned> MD5: bb2fd4632cbf410c584bab0be026b733 C:\Program Files\Mozilla Firefox\plugins\npmozax.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
<unsigned> MD5: 1d0323cb4d62cfeaa8ac2a50b9fad016 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
<unsigned> MD5: b49a14eb7fdd597dc4cf8160ba4be245 C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
<unsigned> MD5: c2fa196f8dd651f04e120c7214f18fd1 C:\Program Files\O2\bin\libeay32.dll
<unsigned> MD5: dddc336bf8d60e7d5c3f60e026d26c96 C:\Program Files\O2\bin\sprtsync.dll
<unsigned> MD5: 4d58c8791fd2d0ed60f61fd298bc13d4 C:\Program Files\Opera\opera.dll
<unsigned> MD5: afdcc9f772b713c98fa28392e7a4bf4a C:\Program Files\QuickTime\QTSystem\QuickTime.qts
<unsigned> MD5: 5cbffa43360c8b07d9735218c1aa762c C:\Program Files\QuickTime\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.dll
<unsigned> MD5: 92767146e5d2677ea014c8c676f08bae C:\Program Files\QuickTime\QTSystem\QuickTime.Resources\QuickTime.dll
<unsigned> MD5: e2b8c15caab06c6389184f23bac5ad6f C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
<unsigned> MD5: 3d304c8a8aa570169d87b0fc1701a864 C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
<unsigned> MD5: 4b2f61dca7db661570828dce5d302525 C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
<unsigned> MD5: e3f974bdedc336490a2e6f3a703f016a C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE
<unsigned> MD5: f80eec5e1d6cdf82cb974daada0c57dd C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
<unsigned> MD5: 5f974fde801c73952770736becde11e7 C:\Program Files\Viewpoint\Common\ViewpointService.exe
<unsigned> MD5: b49a14eb7fdd597dc4cf8160ba4be245 C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
<unsigned> MD5: 6efe29f123e58a6333f50beca863da42 C:\Program Files\Yahoo!\Common\npyaxmpb.dll
<unsigned> MD5: 561fa2abb31dfa8fab762145f81667c2 C:\Program Files\Yahoo!\Messenger\msvcp71.dll
<unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 C:\Program Files\Yahoo!\Messenger\msvcr71.dll
<unsigned> MD5: 12e62d8b1ace8d5d996b0667a24be51a C:\Program Files\Yahoo!\Messenger\res_msgr.dll
<unsigned> MD5: b4b4eb2f8849e93fe5fece11e52c5930 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
<unsigned> MD5: 9e2c13a26926ebb05015b8b41b4298c5 C:\PROGRA~1\Logitech\DESKTO~1\8876480\811~1.50-\Program\EN\ClientRc.dll
<unsigned> MD5: 3fea9d2edf23b0283c7a66c8dea380bd C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<unsigned> MD5: cdbe35ea59bc9223e4f800bd1db82d27 C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<unsigned> MD5: 5002991ada7920b35e46e7ea80c134fe C:\WINDOWS\Downloaded Program Files\isusweb.dll
<unsigned> MD5: 6f678556a6fce04fc94f3435f6313705 C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
<unsigned> MD5: a8e27c344efacfa7ce7d72a5fde473ea C:\WINDOWS\PRAGMAmuetetbvpu\PRAGMAc.dll
<unsigned> MD5: 188c35ed1ef2c869b06f7c75278eba11 C:\WINDOWS\system32\AdobePDF.dll
<unsigned> MD5: efeb8c7dfa7056c5fac338ba6cdef599 C:\WINDOWS\system32\cpwmon2k.dll
<unsigned> MD5: ac491eb706c48b89a638b239dc3bcfcb C:\WINDOWS\system32\drivers\CDAC11BA.EXE
<unsigned> MD5: 69419792390122eefd84e598d896715b C:\WINDOWS\system32\drivers\CDAC15BA.sys
<unsigned> MD5: f59c3569a2f2c464bb78cb1bdcdca55e C:\WINDOWS\system32\drivers\iviaspi.sys
<unsigned> MD5: 444f122e68db44c0589227781f3c8b3f C:\WINDOWS\system32\drivers\pfc.sys
<unsigned> MD5: d2654321192037bae90204e2fa6697ce C:\WINDOWS\system32\DRIVERS\sea1bus.sys
<unsigned> MD5: 8146d9ec5142bd364956d3807f09ca9a C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys
<unsigned> MD5: afe065da777dc4408c64df5c87472bb9 C:\WINDOWS\system32\DRIVERS\sea1mdm.sys
<unsigned> MD5: a0bbd60222ad053d52f3a5c4f79904c7 C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys
<unsigned> MD5: 6549babfc3362f1621a8c0eff288fb14 C:\WINDOWS\system32\DRIVERS\sea1nd5.sys
<unsigned> MD5: 957510ab44e84497733f53322351f6e8 C:\WINDOWS\system32\DRIVERS\sea1obex.sys
<unsigned> MD5: c1517e6a7ce1191ab076472bdf1b0e6e C:\WINDOWS\system32\DRIVERS\sea1unic.sys
<unsigned> MD5: 6d871b6200a5ea1f7d02dc71ffca566f C:\WINDOWS\system32\Macromed\Common\SwSupport.dll
<unsigned> MD5: 561fa2abb31dfa8fab762145f81667c2 C:\WINDOWS\system32\msvcp71.dll
<unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 C:\WINDOWS\system32\msvcr71.dll
<unsigned> MD5: 859ff0797f854101a3feccc684ba5252 C:\WINDOWS\system32\pragmabbr.dll
<unsigned> MD5: be15f7e9d6104d0cde29d766c57b6d29 C:\WINDOWS\system32\pragmaserf.dll
<unsigned> MD5: d4bd2eeab07fef323f0a0ceecc954f51 C:\WINDOWS\system32\rasmans.dll
<unsigned> MD5: bd9b4450d00d4ac891407b8c0e08de9c C:\WINDOWS\system32\Syncor11.dll
<unsigned> MD5: eb9a99ab5d17b1727034ff191e6448d7 C:\WINDOWS\wanmpsvc.exe


No file uploaded.

Scan finished - communication took 8 sec
Total traffic - 0.09 MB sent, 3.82 KB recvd
Scanned 1415 files and modules - 813 seconds

==============================================================================



Any help will be greatly appreciated.
sule
 
Posts: 9
Joined: Sun May 02, 2010 11:54 am

Re: Google redirect problem; Malware/infected registry value

Postby sule » Tue May 04, 2010 10:40 pm

Please help!
sule
 
Posts: 9
Joined: Sun May 02, 2010 11:54 am

Re: Google redirect problem; Malware/infected registry value

Postby sule » Fri May 07, 2010 9:22 am

Help needed.
sule
 
Posts: 9
Joined: Sun May 02, 2010 11:54 am

Re: Google redirect problem; Malware/infected registry value

Postby patrik » Fri May 07, 2010 4:51 pm

Hello, welcome to the Myantispyware forum.

Run HijackThis. Click "Do a system scan only" button.
Now select the following entries by placing a tick in the left-hand check box, if still present:
Code:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [nonep] C:\WINDOWS\TEMP\255.tmp
O20 - AppInit_DLLs: nbmmyu.dll ihihhx.dll zahcku.dll lavwdy.dll ulpwzr.dll uasonq.dll hqopyc.dll bjihva.dll qhzztu.dll yvixog.dll ygfywo.dll omgvax.dll wykfib.dll
O20 - Winlogon Notify: ssqQkiHB - ssqQkiHB.dll (file missing)

Once you have selected all entries, close all running programs, then click once on the "Fix checked" button.
Reboot your computer.

Please follow the instructions: How to backup Windows registry and make a backup.

Download TDSSKiller from here and unzip to your desktop.
Open tdsskiller folder and run TDSSKiller.
Follow the prompts.

If TDSSKiller will not run, please rename it to myapp.exe and try again!

Download GMER Antirootkit from here.
Mirror location: here. This version will download a zip. If you use this mirror, please unzip it to a folder that you create such as C:\Gmer\.

Disconnect from the internet and disable all active protection so your security program drivers will not conflict with GMER's driver.
Double-click on the randomly named GMER file (e.g. a1afk10a.exe) and allow the gmer.sys driver to load if asked.
For the mirror version, double-click Gmer.exe to run the program.
When the program opens, click the ">>>" Tab
Click the "Rootkit/Malware" Tab.
Select all drives that are connected to your system to be scanned.
Click the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into a text file by clicking Edit -> Paste or Ctrl + V
Save the gmer scan log to your desktop.
Close Gmer.

Download RSIT by random/random from here and save it to your desktop.
* Double-click on RSIT.exe to run RSIT.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open. If it does not automatically open, then these logs can be found at %systemdrive%\rsit folder (typically C:\rsit)



Post back with the GMER log and both RSIT logs. Post each log in a separate post.
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm
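As an added example (not part of this thread, and not HijackThis code or the helper's own script), the Python script below encodes the reasoning behind the fix list above as rules over HijackThis-style lines: a second program chained into the UserInit value, BHO/toolbar CLSIDs with no DLL on disk, a Run entry launched from TEMP, the AppInit_DLLs value as a whole, and a Winlogon Notify package whose DLL is missing. The sample input is the fix list copied from the post above, plus one constructed benign O4 entry (the Java updater that appears in the RSIT Run key later in the thread) so the rules have something to leave alone. The UserInit default (a single C:\WINDOWS\system32\userinit.exe on an XP system with drive C:) is an assumption of the example and must be adjusted for other layouts.

```python
"""Rule-based triage of HijackThis-style autostart entries.

Added example for this thread; it is not HijackThis code and not the helper's
own script. The rules are the reasoning a malware-removal helper applies when
deciding which entries to tick for "Fix checked".
"""
import re
from dataclasses import dataclass

# Sample input: the fix list posted above (copied verbatim), plus one
# constructed benign O4 entry so the rules have something to leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [nonep] C:\WINDOWS\TEMP\255.tmp
O20 - AppInit_DLLs: nbmmyu.dll ihihhx.dll zahcku.dll lavwdy.dll ulpwzr.dll uasonq.dll hqopyc.dll bjihva.dll qhzztu.dll yvixog.dll ygfywo.dll omgvax.dll wykfib.dll
O20 - Winlogon Notify: ssqQkiHB - ssqQkiHB.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "F2" or "O20"
    entry: str    # the log line as posted
    reason: str   # why a helper ticks it


# Assumption: Windows XP on drive C:, where UserInit is exactly this one entry.
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
TEMP_LOCATION = re.compile(r"\\temp\\|\.tmp$", re.IGNORECASE)
ENTRY = re.compile(r"^(F\d+|O\d+) - (.*)$")


def triage(log: str) -> list[Finding]:
    """Return one Finding per entry that a helper would tick for 'Fix checked'."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()

        if section == "F2" and "UserInit=" in body:
            # Winlogon runs every comma-separated program listed here at logon;
            # anything besides the stock userinit.exe is a persistence hook.
            value = body.split("UserInit=", 1)[1]
            programs = [p.strip() for p in value.split(",") if p.strip()]
            extra = [p for p in programs if p.lower() != USERINIT_DEFAULT]
            if extra:
                findings.append(Finding(section, line,
                    "extra program chained into UserInit: " + ", ".join(extra)))

        elif section in ("O2", "O3") and body.endswith("(no file)"):
            # CLSID registered but no DLL on disk: dead registration, safe to drop.
            findings.append(Finding(section, line,
                "orphaned BHO/toolbar CLSID with no DLL on disk"))

        elif section == "O4":
            # Run-key autostarts should not live under TEMP or carry a .tmp name.
            target = body.split("]", 1)[1].strip() if "]" in body else body
            if TEMP_LOCATION.search(target):
                findings.append(Finding(section, line,
                    "autostart launched from a temp location: " + target))

        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL named here is loaded into every process that links
            # user32.dll, so the whole value is cleared rather than one DLL at a time.
            dlls = body.split(":", 1)[1].split()
            findings.append(Finding(section, line,
                f"{len(dlls)} DLL(s) injected via AppInit_DLLs: " + " ".join(dlls)))

        elif section == "O20" and body.startswith("Winlogon Notify:") and "(file missing)" in body:
            findings.append(Finding(section, line,
                "Winlogon Notify package whose DLL is missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```

Two design points. The UserInit rule compares against the full default path rather than just the file name, because a copy of userinit.exe in another directory would otherwise pass. The AppInit_DLLs rule reports the value as one finding on purpose: the thirteen "File not found" references earlier in the thread all hang off that single registry value, so the fix is to clear it once, not to chase each missing DLL.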

Re: Google redirect problem; Malware/infected registry value

Postby sule » Wed May 19, 2010 12:37 pm

Thank you so much for your help and apologies for my late reply.

I ran GMER three times, but it always ended with me getting a stop blue screen and a message from Windows saying it had recovered from a serious error in one of its drivers. However, when I ran Windows' own error-checking tool, it reported no problems. As such, I was not able to get a GMER log to post, but here is my RSIT one:

Logfile of random's system information tool 1.07 (written by random/random)
Run by suliman at 2010-05-19 13:20:48
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 22 GB (29%) free of 76 GB
Total RAM: 1023 MB (63% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll [2009-08-22 378736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL [2009-08-22 107896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-27 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-04-27 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-04-07 143360]
{D0943516-5076-4020-A3B5-AEFAF26AB263} - Veoh Browser Plug-in - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll []
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll [2009-08-22 378736]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2003-10-08 159744]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-09-03 88363]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2004-04-07 4730880]
"nwiz"=nwiz.exe /install []
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2004-03-01 200766]
"UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-08-19 290816]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-06-16 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-06-16 81920]
"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2004-10-21 29696]
"AIMWDInstallFilename"=C:\DOCUME~1\Suliman\MYDOCU~1\Suliman\Biology\AIMWDI~1.EXE []
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe []
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-05-14 180269]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"kdx"=C:\Program Files\Kontiki\KHost.exe [2008-02-27 1032376]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"Aim6"= []
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-08-30 4670704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sorrd.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sorrd.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SymEFA.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\AOL 9.0\waol.exe"="C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\Program Files\Sports Interactive\Football Manager 2006\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2006\fm.exe:*:Enabled:Football Manager 2006"
"C:\Documents and Settings\Suliman\My Documents\Suliman\Biology\Exam papers\aim\aim.exe"="C:\Documents and Settings\Suliman\My Documents\Suliman\Biology\Exam papers\aim\aim.exe:LocalSubNet:Disabled:AOL Instant Messenger"
"C:\Program Files\AOL 9.0a\waol.exe"="C:\Program Files\AOL 9.0a\waol.exe:*:Enabled:AOL 9.0a"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Documents and Settings\Suliman\My Documents\Suliman\Other\Lemonade Tycoon\Lemonade.exe"="C:\Documents and Settings\Suliman\My Documents\Suliman\Other\Lemonade Tycoon\Lemonade.exe:*:Enabled:Lemonade"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Documents and Settings\Suliman\My Documents\Suliman\Psychology\Stress Coursework\aim\aim.exe"="C:\Documents and Settings\Suliman\My Documents\Suliman\Psychology\Stress Coursework\aim\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\Napster\napster.exe"="C:\Program Files\Napster\napster.exe:*:Enabled:Napster"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\O2\bin\wificfg.exe"="C:\Program Files\O2\bin\wificfg.exe:*:Enabled:sprtcmd.exe"
"C:\Program Files\O2\agent\bin\bcont.exe"="C:\Program Files\O2\agent\bin\bcont.exe:*:Enabled:bcont.exe"
"C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe"="C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe:*:Enabled:ssrc.exe"
"C:\Program Files\O2\agent\bin\bcont_nm.exe"="C:\Program Files\O2\agent\bin\bcont_nm.exe:*:Enabled:bcont_nm.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1139965684\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1139965684\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Spotify\spotify.exe"="C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AIM"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Sports Interactive\Football Manager 2010 Demo\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2010 Demo\fm.exe:*:Enabled:Football Manager 2010 Demo"
"C:\Program Files\Opera\opera.exe"="C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL"
"C:\Program Files\AOL 9.0a\waol.exe"="C:\Program Files\AOL 9.0a\waol.exe:*:Enabled:AOL 9.0a"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 2 months======

2010-05-19 13:20:48 ----D---- C:\rsit
2010-05-19 12:10:17 ----A---- C:\TDSSKiller.2.3.0.0_19.05.2010_12.10.17_log.txt
2010-05-19 12:08:15 ----D---- C:\WINDOWS\ERDNT
2010-05-19 12:03:09 ----D---- C:\Program Files\ERUNT
2010-05-14 21:48:21 ----SHD---- C:\WINDOWS\system32\l0wsec
2010-05-13 22:43:48 ----D---- C:\Documents and Settings\All Users\Application Data\Real
2010-05-04 00:14:42 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Spotify
2010-05-02 17:16:58 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Sports Interactive
2010-05-02 12:42:11 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\QuickScan
2010-05-02 05:36:55 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\acccore
2010-05-01 01:30:50 ----D---- C:\Program Files\Trend Micro
2010-04-30 01:26:10 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Opera
2010-04-30 01:12:58 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\AdobeUM
2010-04-30 01:08:31 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Mozilla
2010-04-29 23:57:18 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Malwarebytes
2010-04-29 23:56:14 ----RD---- C:\Program Files\Norton Support
2010-04-29 23:56:14 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Adobe
2010-04-29 23:53:23 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Logitech
2010-04-29 23:53:06 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Real
2010-04-29 23:51:51 ----ASH---- C:\Documents and Settings\suliman.ARSHAD\Application Data\desktop.ini
2010-04-29 23:51:48 ----SD---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Microsoft
2010-04-29 23:51:48 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Symantec
2010-04-29 23:51:48 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Sun
2010-04-29 23:51:48 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Sonic
2010-04-29 23:51:48 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Macromedia
2010-04-29 23:51:48 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Identities
2010-04-29 23:51:48 ----D---- C:\Documents and Settings\suliman.ARSHAD\Application Data\Apple Computer
2010-04-29 22:46:09 ----A---- C:\youporn.com.lnk
2010-04-29 22:46:09 ----A---- C:\po*n.com.lnk
2010-04-29 22:46:09 ----A---- C:\nudetube.com.lnk
2010-04-29 22:36:19 ----A---- C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll
2010-04-29 22:36:17 ----D---- C:\WINDOWS\PRAGMAmuetetbvpu
2010-04-28 14:05:15 ----A---- C:\WINDOWS\resetlog.txt
2010-04-28 12:41:59 ----A---- C:\TDSSKiller.2.2.8.1_28.04.2010_12.41.59_log.txt
2010-04-28 12:17:15 ----D---- C:\Documents and Settings\All Users\Application Data\avG
2010-04-27 22:05:53 ----A---- C:\WINDOWS\system32\javaws.exe
2010-04-27 22:05:53 ----A---- C:\WINDOWS\system32\javaw.exe
2010-04-27 22:05:53 ----A---- C:\WINDOWS\system32\java.exe
2010-04-25 17:20:52 ----D---- C:\Documents and Settings\All Users\Application Data\Sports Interactive
2010-04-25 16:53:17 ----A---- C:\WINDOWS\system32\XAudio2_6.dll
2010-04-25 16:53:17 ----A---- C:\WINDOWS\system32\XAPOFX1_4.dll
2010-04-25 16:53:16 ----A---- C:\WINDOWS\system32\xactengine3_6.dll
2010-04-25 16:53:14 ----A---- C:\WINDOWS\system32\X3DAudio1_7.dll
2010-04-25 16:53:13 ----A---- C:\WINDOWS\system32\XAudio2_5.dll
2010-04-25 16:53:12 ----A---- C:\WINDOWS\system32\xactengine3_5.dll
2010-04-25 16:53:09 ----A---- C:\WINDOWS\system32\D3DCompiler_42.dll
2010-04-25 16:53:08 ----A---- C:\WINDOWS\system32\d3dcsx_42.dll
2010-04-25 16:53:07 ----A---- C:\WINDOWS\system32\d3dx11_42.dll
2010-04-25 16:53:06 ----A---- C:\WINDOWS\system32\d3dx10_42.dll
2010-04-25 16:53:05 ----A---- C:\WINDOWS\system32\D3DX9_42.dll
2010-04-25 16:53:05 ----A---- C:\WINDOWS\system32\d3dx10_41.dll
2010-04-25 16:53:05 ----A---- C:\WINDOWS\system32\D3DCompiler_41.dll
2010-04-25 16:53:04 ----A---- C:\WINDOWS\system32\D3DX9_41.dll
2010-04-25 16:53:01 ----A---- C:\WINDOWS\system32\XAudio2_4.dll
2010-04-25 16:53:01 ----A---- C:\WINDOWS\system32\XAPOFX1_3.dll
2010-04-25 16:53:01 ----A---- C:\WINDOWS\system32\xactengine3_4.dll
2010-04-25 16:53:00 ----A---- C:\WINDOWS\system32\X3DAudio1_6.dll
2010-04-25 16:52:59 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2010-04-25 16:52:59 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2010-04-25 16:52:59 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2010-04-25 16:52:57 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2010-04-25 16:52:57 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2010-04-25 16:52:57 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2010-04-25 16:52:56 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2010-04-25 16:52:55 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2010-04-25 16:52:55 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2010-04-25 16:52:55 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2010-04-25 16:52:54 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2010-04-25 16:52:54 ----A---- C:\WINDOWS\system32\d3dx10_39.dll
2010-04-25 16:52:54 ----A---- C:\WINDOWS\system32\D3DCompiler_39.dll
2010-04-25 16:52:52 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2010-04-25 16:52:52 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2010-04-25 16:52:51 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2010-04-25 16:52:51 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2010-04-25 16:52:50 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2010-04-25 16:52:50 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2010-04-25 16:52:50 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2010-04-25 16:52:48 ----A---- C:\WINDOWS\system32\XAudio2_0.dll
2010-04-25 16:52:48 ----A---- C:\WINDOWS\system32\xactengine3_0.dll
2010-04-25 16:52:47 ----A---- C:\WINDOWS\system32\X3DAudio1_3.dll
2010-04-25 16:52:46 ----A---- C:\WINDOWS\system32\d3dx10_37.dll
2010-04-25 16:52:46 ----A---- C:\WINDOWS\system32\D3DCompiler_37.dll
2010-04-25 16:52:45 ----A---- C:\WINDOWS\system32\D3DX9_37.dll
2010-04-25 16:52:44 ----A---- C:\WINDOWS\system32\xactengine2_10.dll
2010-04-25 16:52:42 ----A---- C:\WINDOWS\system32\d3dx10_36.dll
2010-04-25 16:52:42 ----A---- C:\WINDOWS\system32\D3DCompiler_36.dll
2010-04-25 16:52:41 ----A---- C:\WINDOWS\system32\d3dx9_36.dll
2010-04-25 16:52:40 ----A---- C:\WINDOWS\system32\xactengine2_9.dll
2010-04-25 16:52:40 ----A---- C:\WINDOWS\system32\d3dx10_35.dll
2010-04-25 16:52:40 ----A---- C:\WINDOWS\system32\D3DCompiler_35.dll
2010-04-25 16:52:39 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2010-04-25 16:52:38 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2010-04-25 16:52:38 ----A---- C:\WINDOWS\system32\X3DAudio1_2.dll
2010-04-25 16:52:37 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2010-04-25 16:52:37 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2010-04-25 16:52:37 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2010-04-25 16:52:36 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2010-04-25 16:52:34 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2010-04-25 16:52:28 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2010-04-25 16:52:28 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2010-04-25 16:52:24 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2010-04-25 16:52:24 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2010-04-25 16:52:22 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2010-04-25 16:52:21 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2010-04-25 16:52:21 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2010-04-25 16:52:21 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2010-04-25 16:52:20 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2010-04-25 16:52:20 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2010-04-25 16:52:20 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2010-04-25 16:52:19 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2010-04-25 16:52:18 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2010-04-25 16:52:12 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2010-04-25 16:52:11 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2010-04-25 16:52:11 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2010-04-25 16:52:10 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2010-04-25 16:52:10 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2010-04-25 16:52:10 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2010-04-25 16:52:09 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2010-04-25 16:52:08 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2010-04-25 16:52:08 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2010-04-25 16:52:03 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2010-04-25 16:45:57 ----D---- C:\WINDOWS\Logs
2010-04-25 16:28:00 ----HD---- C:\Program Files\Zero G Registry
2010-04-25 13:13:34 ----SHD---- C:\WINDOWS\system32\lowsec
2010-04-16 23:07:18 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-04-16 23:06:47 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-04-16 22:29:47 ----N---- C:\WINDOWS\system32\browserchoice.exe
2010-04-15 15:35:33 ----HDC---- C:\WINDOWS\$NtUninstallKB952011$
2010-04-15 00:16:42 ----HDC---- C:\WINDOWS\ie8
2010-04-14 17:45:32 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-04-14 17:44:53 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-04-14 17:44:26 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-14 17:43:52 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-14 17:43:27 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-04-14 17:39:51 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-04-14 17:39:09 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-04-14 17:38:50 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-14 17:38:34 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-04-14 17:36:15 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-04-14 17:35:56 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-04-14 17:35:38 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-14 17:34:13 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-14 17:33:17 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-04-14 17:32:06 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-04-14 17:31:24 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-04-14 17:28:34 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$

======List of files/folders modified in the last 2 months======

2010-05-19 13:22:11 ----D---- C:\WINDOWS\Temp
2010-05-19 13:18:32 ----D---- C:\WINDOWS\system32
2010-05-19 13:16:12 ----D---- C:\Documents and Settings\All Users\Application Data\Kontiki
2010-05-19 12:45:05 ----D---- C:\WINDOWS\Help
2010-05-19 12:32:39 ----D---- C:\WINDOWS
2010-05-19 12:13:16 ----D---- C:\WINDOWS\system32\drivers
2010-05-19 12:10:24 ----D---- C:\WINDOWS\system32\CatRoot2
2010-05-19 12:03:09 ----RD---- C:\Program Files
2010-05-19 00:29:37 ----SHD---- C:\WINDOWS\Installer
2010-05-19 00:28:52 ----D---- C:\Program Files\Opera
2010-05-04 19:21:04 ----A---- C:\Program Files\runtimesetup.ini
2010-05-04 19:21:04 ----A---- C:\Program Files\RuntimeSetup.exe
2010-05-04 19:16:41 ----RSD---- C:\WINDOWS\Fonts
2010-05-04 19:16:00 ----D---- C:\Program Files\i-assess
2010-05-02 12:42:10 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-04-30 23:25:37 ----SHD---- C:\RECYCLER
2010-04-30 20:47:07 ----HD---- C:\WINDOWS\inf
2010-04-30 01:07:58 ----D---- C:\Program Files\Mozilla Firefox
2010-04-30 00:25:10 ----D---- C:\Program Files\Kontiki
2010-04-30 00:03:53 ----HD---- C:\Program Files\InstallShield Installation Information
2010-04-30 00:03:52 ----D---- C:\Documents and Settings\All Users\Application Data\Napster
2010-04-30 00:03:48 ----D---- C:\Program Files\Common Files
2010-04-29 23:52:35 ----AC---- C:\WINDOWS\OEWABLog.txt
2010-04-29 23:51:45 ----D---- C:\Documents and Settings
2010-04-28 14:58:40 ----SD---- C:\WINDOWS\Tasks
2010-04-28 12:17:15 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-04-27 22:06:43 ----D---- C:\Program Files\Common Files\Java
2010-04-27 01:12:53 ----D---- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2010-04-25 16:53:20 ----D---- C:\WINDOWS\system32\DirectX
2010-04-25 16:52:18 ----RSD---- C:\WINDOWS\assembly
2010-04-25 16:51:55 ----D---- C:\WINDOWS\Microsoft.NET
2010-04-25 16:51:32 ----HD---- C:\WINDOWS\msdownld.tmp
2010-04-25 16:28:00 ----D---- C:\Program Files\Sports Interactive
2010-04-16 23:06:04 ----D---- C:\Program Files\Java
2010-04-16 22:35:56 ----RSHD---- C:\WINDOWS\system32\dllcache
2010-04-16 22:35:56 ----D---- C:\WINDOWS\system32\CatRoot
2010-04-16 22:35:52 ----D---- C:\WINDOWS\ie8updates
2010-04-16 22:35:38 ----A---- C:\WINDOWS\imsins.BAK
2010-04-15 11:48:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-04-15 00:27:38 ----D---- C:\WINDOWS\system32\en-US
2010-04-15 00:27:37 ----D---- C:\WINDOWS\Media
2010-04-15 00:27:36 ----D---- C:\Program Files\Internet Explorer
2010-04-15 00:21:26 ----HD---- C:\WINDOWS\$hf_mig$
2010-04-14 18:53:26 ----D---- C:\WINDOWS\AppPatch
2010-04-14 18:53:26 ----D---- C:\Program Files\Microsoft Silverlight
2010-04-14 17:38:05 ----AC---- C:\WINDOWS\vbaddin.ini
2010-04-14 17:36:18 ----D---- C:\Program Files\Movie Maker
2010-04-06 10:52:56 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Athlon64 Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-05-08 35840]
R1 BHDrvx86;Symantec Heuristics Driver; C:\WINDOWS\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2009-08-22 259632]
R1 ccHP;Symantec Hash Provider; C:\WINDOWS\System32\Drivers\N360\0308000.029\ccHPx86.sys [2009-08-22 482432]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2008-07-31 9072]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2008-07-31 9200]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\WINDOWS\system32\drivers\N360\0308000.029\SRTSPX.SYS [2009-08-22 43696]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\WINDOWS\System32\Drivers\N360\0308000.029\SYMTDI.SYS [2009-08-22 217136]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 CdaC15BA;CdaC15BA; \??\C:\WINDOWS\system32\drivers\CdaC15BA.SYS []
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2004-03-02 76288]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-02-02 100384]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2004-09-03 1268204]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2003-10-08 94601]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 BCM43XX;BCM 802.11b Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-08-04 341760]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2009-08-20 26600]
R3 Iviaspi;IVI ASPI Shell; C:\WINDOWS\system32\drivers\iviaspi.sys [2003-09-10 21060]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-04-07 1382634]
R3 Pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-01-13 612032]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SymIMMP;SymIMMP; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2009-08-18 36400]
R3 tiumfwl;tiumfwl; C:\WINDOWS\system32\drivers\tiumfwl.sys [2003-02-19 42092]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-04 17024]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S1 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090604.001\IDSxpx86.sys []
S1 jnv4_mib;jnv4_mib; \??\C:\DOCUME~1\Razwan\LOCALS~1\Temp\jnv4_mib.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 EraserUtilDrv10910;EraserUtilDrv10910; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2004-10-21 24671]
S3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2004-10-21 38691]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2004-10-21 71535]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\NAVENG.SYS []
S3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090608.007\NAVEX15.SYS []
S3 NETMDUSB;Net MD; C:\WINDOWS\System32\Drivers\NETMDUSB.sys [2002-08-08 38951]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM); C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS); C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM); C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 90800]
S3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SRTSP;Symantec Real Time Storage Protection; C:\WINDOWS\System32\Drivers\N360\0308000.029\SRTSP.SYS [2009-08-22 308272]
S3 SYMFW;Symantec Network Filter Driver; \??\C:\WINDOWS\system32\drivers\N360\0300000.087\SYMFW.SYS []
S3 SYMIDS;Symantec Network Filter Driver; \??\C:\WINDOWS\system32\drivers\N360\0300000.087\SYMIDS.SYS []
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20090325.001\symidsco.sys []
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\WINDOWS\system32\DRIVERS\SymIM.sys [2009-08-18 36400]
S3 SYMNDIS;Symantec Network Filter Driver; \??\C:\WINDOWS\system32\drivers\N360\0300000.087\SYMNDIS.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-10 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 C-DillaCdaC11BA;C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [2006-04-11 52736]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-27 153376]
R2 KService;KService; C:\Program Files\Kontiki\KService.exe [2008-02-27 3072184]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 N360;Norton 360; C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2009-08-22 117640]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2004-04-07 73728]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2); C:\Program Files\O2\bin\sprtsvc.exe [2007-06-07 202280]
R2 SymWSC;SymWMI Service; C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe [2004-08-05 308352]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WANMiniportService;WAN Miniport (ATW) Service; C:\WINDOWS\wanmpsvc.exe [2003-08-27 65536]
S2 aawserviceSymWSC;Lavasoft Ad-Aware Service aawserviceSymWSC; C:\WINDOWS\system32\actmoviem.exe srv []
S2 ClipSrv RemoteAssist;ClipBook ClipSrv RemoteAssist; C:\WINDOWS\system32\alrsvck.exe [2004-08-04 66560]
S2 TapiSrv ACS;Telephony TapiSrv ACS; C:\WINDOWS\system32\AdobePDFs.exe srv []
S2 WANMiniportService ACS;WAN Miniport (ATW) Service WANMiniportService ACS; C:\WINDOWS\system32\ac3filtera.exe srv []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-08 138168]
S3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\SHARED\HPQWMI.exe [2004-07-27 98304]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-10 536872]
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe [2002-12-17 7520337]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SPTISRV;Sony SPTI Service; C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe [2002-07-23 65536]
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE [2002-12-17 311872]
S3 SupportSoft RemoteAssist;SupportSoft RemoteAssist; C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe [2007-07-27 382320]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
sule
Posts: 9
Joined: Sun May 02, 2010 11:54 am

Re: Google redirect problem; Malware/infected registry value

Postby patrik » Thu May 20, 2010 5:19 pm

If you have previously downloaded ComboFix, please delete that version now.
Download Combofix from here. Close any open browsers. Double click on combofix.exe and follow the prompts.
When the tool is finished, it will produce a log for you. If the log does not automatically open, then it can be found at %systemdrive%\combofix.txt (typically C:\combofix.txt).

If ComboFix will not run, please rename it to myapp.exe and try again!

Post back with combofix log.
patrik
Site Admin
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm

Re: Google redirect problem; Malware/infected registry value

Postby sule » Fri May 21, 2010 1:40 am

Thanks for your help... here is my ComboFix log (and it sure took a while!)

ComboFix 10-05-20.07 - suliman 21/05/2010 1:40.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.683 [GMT 1:00]
Running from: c:\documents and settings\suliman.ARSHAD\My Documents\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Spybot - Search & Destroy\sqlite3.dll
c:\documents and settings\Spybot - Search & Destroy\Update.exe
c:\windows\PRAGMAmuetetbvpu
c:\windows\PRAGMAmuetetbvpu\PRAGMAcfg.ini
c:\windows\system32\6to4svcd.exe
c:\windows\system32\afjtrylq.ini
c:\windows\system32\dbgkptrv.ini
c:\windows\system32\dogablii.ini
c:\windows\system32\eaglrgtk.ini
c:\windows\system32\jrlsecil.ini
c:\windows\system32\kirimuuu.ini
c:\windows\system32\l0wsec
c:\windows\system32\l0wsec\l0cal.ds
c:\windows\system32\l0wsec\us3r.ds
c:\windows\system32\l0wsec\us3r.ds.lll
c:\windows\system32\lllopmax.ini
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
c:\windows\system32\sdra73.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AAWSERVICESYMWSC
-------\Legacy_CLIPSRV_REMOTEASSIST
-------\Legacy_MESSENGERWSCSVC
-------\Legacy_TAPISRV_ACS
-------\Legacy_WANMINIPORTSERVICE_ACS
-------\Service_aawserviceSymWSC
-------\Service_ClipSrv RemoteAssist
-------\Service_Messengerwscsvc
-------\Service_TapiSrv ACS
-------\Service_WANMiniportService ACS


((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-19 16:28 . 2010-05-19 16:28 -------- d--h--w- c:\documents and settings\suliman.ARSHAD\InstallAnywhere
2010-05-19 12:20 . 2010-05-19 12:23 -------- d-----w- C:\rsit
2010-05-19 11:03 . 2010-05-19 11:03 -------- d-----w- c:\program files\ERUNT
2010-05-03 23:14 . 2010-05-19 18:54 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Spotify
2010-05-03 23:14 . 2010-05-19 18:54 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\Spotify
2010-05-02 16:16 . 2010-05-02 16:16 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\Sports Interactive
2010-05-02 12:00 . 2010-05-20 23:50 145 --s-a-w- c:\windows\system32\2645108291.dat
2010-05-02 11:42 . 2010-05-02 11:55 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\QuickScan
2010-05-02 04:36 . 2010-05-02 04:36 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\acccore
2010-05-02 04:36 . 2010-05-02 04:36 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\AOL OCP
2010-05-02 04:36 . 2010-05-02 04:36 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\AOL
2010-05-01 00:30 . 2010-05-01 00:30 -------- d-----w- c:\program files\Trend Micro
2010-04-30 21:38 . 2010-05-21 01:10 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Tracing
2010-04-30 00:26 . 2010-04-30 00:26 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Opera
2010-04-30 00:12 . 2010-04-30 00:12 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\AdobeUM
2010-04-30 00:12 . 2010-04-30 00:12 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Adobe
2010-04-30 00:08 . 2010-04-30 00:08 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Mozilla
2010-04-30 00:00 . 2010-04-30 00:00 -------- d-sh--w- c:\documents and settings\suliman.ARSHAD\PrivacIE
2010-04-29 22:58 . 2010-04-29 22:58 90384 ----a-w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 22:57 . 2010-04-29 22:57 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\SupportSoft
2010-04-29 22:57 . 2010-04-29 22:57 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\Malwarebytes
2010-04-29 22:56 . 2010-04-29 22:56 -------- d-----r- c:\program files\Norton Support
2010-04-29 22:56 . 2010-04-29 22:56 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Symantec
2010-04-29 22:53 . 2010-04-29 22:53 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\Logitech
2010-04-28 12:16 . 2010-04-28 12:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-28 11:17 . 2010-04-28 11:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-28 11:17 . 2010-04-28 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-25 16:20 . 2010-04-25 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2010-04-25 15:52 . 2008-10-10 03:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-04-25 15:45 . 2010-04-25 15:45 -------- d-----w- c:\windows\Logs
2010-04-25 15:28 . 2010-04-25 15:32 -------- d--h--w- c:\program files\Zero G Registry
2010-04-25 15:26 . 2010-04-25 15:26 -------- d--h--w- c:\documents and settings\Suli\InstallAnywhere
2010-04-25 12:13 . 2010-04-25 12:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 01:14 . 2007-02-25 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-05-19 11:12 . 2004-08-04 08:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-05-18 23:28 . 2009-02-20 02:30 -------- d-----w- c:\program files\Opera
2010-05-04 18:21 . 2008-11-30 11:14 200846 ----a-w- c:\program files\RuntimeSetup.exe
2010-05-04 18:21 . 2008-11-30 11:14 1068 ----a-w- c:\program files\runtimesetup.ini
2010-05-04 18:16 . 2008-11-30 11:04 -------- d-----w- c:\program files\i-assess
2010-05-02 03:09 . 2007-06-04 15:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-30 22:25 . 2010-04-30 21:43 344 ----a-w- c:\documents and settings\suliman.ARSHAD\Application Data\wklnhst.dat
2010-04-29 23:25 . 2008-04-12 19:00 -------- d-----w- c:\program files\Kontiki
2010-04-29 23:03 . 2004-11-19 00:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-29 23:03 . 2005-11-10 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-04-28 11:43 . 2004-08-04 00:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-27 21:06 . 2004-11-19 00:24 -------- d-----w- c:\program files\Common Files\Java
2010-04-27 21:05 . 2010-04-16 22:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-27 00:12 . 2006-11-04 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-04-26 03:37 . 2009-04-07 00:49 -------- d-----w- c:\documents and settings\Suli\Application Data\Spotify
2010-04-25 16:19 . 2009-01-20 17:34 -------- d-----w- c:\documents and settings\Suli\Application Data\Sports Interactive
2010-04-25 15:28 . 2006-10-25 12:03 -------- d-----w- c:\program files\Sports Interactive
2010-04-16 22:06 . 2004-11-19 00:24 -------- d-----w- c:\program files\Java
2010-04-14 17:53 . 2009-06-10 20:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-10 06:15 . 2004-08-04 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2004-08-04 08:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-01 20:33 . 2009-06-01 20:33 3723256 ----a-w- c:\program files\channel4_on_demand.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"AGRSMMSG"="AGRSMMSG.exe" [2004-09-03 88363]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"nwiz"="nwiz.exe" [2004-04-07 323584]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-08-19 290816]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-14 180269]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Suli\Start Menu\Programs\Startup\
santa.bat [2009-4-25 178]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-4-28 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-11-6 581632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\Supportsoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139965684\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15058:TCP"= 15058:TCP:BitComet 15058 TCP
"15058:UDP"= 15058:UDP:BitComet 15058 UDP
"2656:UDP"= 2656:UDP:Windows Media Format SDK (napster.exe)
"2657:UDP"= 2657:UDP:Windows Media Format SDK (napster.exe)
"17936:TCP"= 17936:TCP:BitComet 17936 TCP
"17936:UDP"= 17936:UDP:BitComet 17936 UDP

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [14/04/2010 18:40 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [14/04/2010 18:40 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [14/04/2010 18:40 482432]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [14/04/2010 18:40 117640]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 16:19 202280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [15/01/2009 18:16 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [09/05/2009 22:30 101936]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSXpx86.sys [08/06/2009 21:02 276344]
S1 jnv4_mib;jnv4_mib;\??\c:\docume~1\Razwan\LOCALS~1\Temp\jnv4_mib.sys --> c:\docume~1\Razwan\LOCALS~1\Temp\jnv4_mib.sys [?]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [20/10/2007 23:39 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [20/10/2007 23:39 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [20/10/2007 23:39 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [20/10/2007 23:39 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [20/10/2007 23:40 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [20/10/2007 23:39 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [20/10/2007 23:39 90800]
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2007-10-23 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 13:58]

2009-04-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-11-19 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: o2.co.uk\*.broadband
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\suliman.ARSHAD\Application Data\Mozilla\Firefox\Profiles\7zmprs3m.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Opera\program\plugins\NPMetaStream3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-AIMWDInstallFilename - c:\docume~1\Suliman\MYDOCU~1\Suliman\Biology\AIMWDI~1.EXE
HKLM-Run-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
SafeBoot-klmdb.sys
SafeBoot-sorrd.sys
AddRemove-AOL Instant Messenger - c:\documents and settings\Suliman\My Documents\Suliman\Biology\uninstll.exe
AddRemove-LucasArts' Curse of Monkey Island - c:\program files\Railroad Tycoon 3\ LucasArts\Curse\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 02:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?9?3?1??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8669ED01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7672fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e5cb8
\Driver\atapi -> atapi.sys @ 0xf747f7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578086
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578086
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce8
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf733dbc3
PacketIndicateHandler -> NDIS.sys @ 0xf732ba0b
SendHandler -> NDIS.sys @ 0xf733fb31
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\wanmpsvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\program files\AOL 9.0a\aoltray.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\O2\bin\sprtcmd.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-21 02:23:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-21 01:23

Pre-Run: 24,336,977,920 bytes free
Post-Run: 26,593,652,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - AED595921E077288BC1C4A4ADD9044FB
sule
 
Posts: 9
Joined: Sun May 02, 2010 11:54 am

Re: Google redirect problem; Malware/infected registry value

Postby patrik » Fri May 21, 2010 6:14 pm

Open Notepad, copy/paste the text in the code box below into Notepad:
Code:
Driver::
jnv4_mib

File::
c:\documents and settings\Suli\Start Menu\Programs\Startup\santa.bat

Name the Notepad file CFScript and save it to your desktop. Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
When finished, it will produce a report for you.

Post back with a combofix log.
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm
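The CFScript above targets jnv4_mib, which the log lists as a system-start (S1) driver whose image is a missing file under a user's Temp folder. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses ComboFix 'Drivers/Services' lines and flags entries with exactly those traits; the sample lines are constructed to match the log format seen in this thread.

```python
"""Triage ComboFix 'Drivers/Services' lines for suspicious drivers.

Each line has the form seen in ComboFix logs:
    <R|S><start> <service name>;<display name>;<image path> [<dd/mm/yyyy hh:mm> <size>]
or, when the image file is not on disk:
    <R|S><start> <service name>;<display name>;\\??\\<path> --> <path> [?]
R = running, S = stopped; start type 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the ComboFix format (not copied from a real machine).
SAMPLE_LOG = r"""
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [14/04/2010 18:40 310320]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [14/04/2010 18:40 117640]
S1 jnv4_mib;jnv4_mib;\??\c:\docume~1\Razwan\LOCALS~1\Temp\jnv4_mib.sys --> c:\docume~1\Razwan\LOCALS~1\Temp\jnv4_mib.sys [?]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [20/10/2007 23:39 61536]
"""


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: int
    path: str
    file_missing: bool
    size: Optional[int]


ENTRY_RE = re.compile(r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
STAMP_RE = re.compile(r"^(?P<path>.*?) \[\d{2}/\d{2}/\d{4} \d{2}:\d{2} (?P<size>\d+)\]$")


def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for lines that are not service entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.endswith(" [?]"):
        # Image not on disk: ComboFix prints the registry path, an arrow, the resolved path, then [?]
        path = rest[:-4].split(" --> ")[-1]
        size, missing = None, True
    else:
        s = STAMP_RE.match(rest)
        if not s:
            return None
        path, size, missing = s.group("path"), int(s.group("size")), False
    # \??\ is the NT object-manager prefix; drop it so path checks see a plain Win32 path
    if path.startswith("\\??\\"):
        path = path[4:]
    return ServiceEntry(m.group("name"), m.group("display"), m.group("state") == "R",
                        int(m.group("start")), path, missing, size)


def triage(entry: ServiceEntry) -> List[str]:
    """Return human-readable reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    low = entry.path.lower()
    # Both 8.3 short names (LOCALS~1\Temp) and long names contain a \temp\ component
    if "\\temp\\" in low:
        reasons.append("image loads from a Temp folder")
    # A boot- or system-start driver whose file is gone is a leftover that should not persist
    if entry.start_type <= 1 and entry.file_missing:
        reasons.append("boot/system-start driver whose image file is missing")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage over every service line in a ComboFix log excerpt."""
    findings = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((entry.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG):
        print(f"{name}: {'; '.join(reasons)}")
```

Demand-start (S3) entries with a missing file, such as the Symantec eraser driver in the sample, are deliberately not flagged, since they are common leftovers of uninstalls.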

Re: Google redirect problem; Malware/infected registry value

Postby sule » Fri May 21, 2010 11:19 pm

I did just like you said in the last post but dragging the notepad onto the ComboFix just made it do another scan with the same results. Here is the log:
ComboFix 10-05-20.07 - suliman 21/05/2010 23:38:09.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.601 [GMT 1:00]
Running from: c:\documents and settings\suliman.ARSHAD\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\suliman.ARSHAD\My Documents\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\documents and settings\Suli\Start Menu\Programs\Startup\santa.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Suli\Start Menu\Programs\Startup\santa.bat
c:\windows\system32\2645108291.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JNV4_MIB
-------\Service_jnv4_mib


((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-19 16:28 . 2010-05-19 16:28 -------- d--h--w- c:\documents and settings\suliman.ARSHAD\InstallAnywhere
2010-05-19 12:20 . 2010-05-19 12:23 -------- d-----w- C:\rsit
2010-05-19 11:03 . 2010-05-19 11:03 -------- d-----w- c:\program files\ERUNT
2010-05-03 23:14 . 2010-05-19 18:54 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Spotify
2010-05-03 23:14 . 2010-05-19 18:54 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\Spotify
2010-05-02 16:16 . 2010-05-02 16:16 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\Sports Interactive
2010-05-02 11:42 . 2010-05-02 11:55 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\QuickScan
2010-05-02 04:36 . 2010-05-02 04:36 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\acccore
2010-05-02 04:36 . 2010-05-02 04:36 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\AOL OCP
2010-05-02 04:36 . 2010-05-02 04:36 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\AOL
2010-05-01 00:30 . 2010-05-01 00:30 -------- d-----w- c:\program files\Trend Micro
2010-04-30 21:38 . 2010-05-21 23:02 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Tracing
2010-04-30 00:26 . 2010-04-30 00:26 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Opera
2010-04-30 00:12 . 2010-04-30 00:12 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\AdobeUM
2010-04-30 00:12 . 2010-04-30 00:12 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Adobe
2010-04-30 00:08 . 2010-04-30 00:08 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Mozilla
2010-04-30 00:00 . 2010-04-30 00:00 -------- d-sh--w- c:\documents and settings\suliman.ARSHAD\PrivacIE
2010-04-29 22:58 . 2010-04-29 22:58 90384 ----a-w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 22:57 . 2010-04-29 22:57 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\SupportSoft
2010-04-29 22:57 . 2010-04-29 22:57 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\Malwarebytes
2010-04-29 22:56 . 2010-04-29 22:56 -------- d-----r- c:\program files\Norton Support
2010-04-29 22:56 . 2010-04-29 22:56 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Local Settings\Application Data\Symantec
2010-04-29 22:53 . 2010-04-29 22:53 -------- d-----w- c:\documents and settings\suliman.ARSHAD\Application Data\Logitech
2010-04-28 12:16 . 2010-04-28 12:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-28 11:17 . 2010-04-28 11:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\avG
2010-04-28 11:17 . 2010-04-28 11:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-25 16:20 . 2010-04-25 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive
2010-04-25 15:52 . 2008-10-10 03:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-04-25 15:45 . 2010-04-25 15:45 -------- d-----w- c:\windows\Logs
2010-04-25 15:28 . 2010-04-25 15:32 -------- d--h--w- c:\program files\Zero G Registry
2010-04-25 15:26 . 2010-04-25 15:26 -------- d--h--w- c:\documents and settings\Suli\InstallAnywhere
2010-04-25 12:13 . 2010-04-25 12:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 23:04 . 2007-02-25 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2010-05-19 11:12 . 2004-08-04 08:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-05-18 23:28 . 2009-02-20 02:30 -------- d-----w- c:\program files\Opera
2010-05-04 18:21 . 2008-11-30 11:14 200846 ----a-w- c:\program files\RuntimeSetup.exe
2010-05-04 18:21 . 2008-11-30 11:14 1068 ----a-w- c:\program files\runtimesetup.ini
2010-05-04 18:16 . 2008-11-30 11:04 -------- d-----w- c:\program files\i-assess
2010-05-02 03:09 . 2007-06-04 15:59 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-30 22:25 . 2010-04-30 21:43 344 ----a-w- c:\documents and settings\suliman.ARSHAD\Application Data\wklnhst.dat
2010-04-29 23:25 . 2008-04-12 19:00 -------- d-----w- c:\program files\Kontiki
2010-04-29 23:03 . 2004-11-19 00:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-29 23:03 . 2005-11-10 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2010-04-28 11:43 . 2004-08-04 00:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-27 21:06 . 2004-11-19 00:24 -------- d-----w- c:\program files\Common Files\Java
2010-04-27 21:05 . 2010-04-16 22:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-27 00:12 . 2006-11-04 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-04-26 03:37 . 2009-04-07 00:49 -------- d-----w- c:\documents and settings\Suli\Application Data\Spotify
2010-04-25 16:19 . 2009-01-20 17:34 -------- d-----w- c:\documents and settings\Suli\Application Data\Sports Interactive
2010-04-25 15:28 . 2006-10-25 12:03 -------- d-----w- c:\program files\Sports Interactive
2010-04-16 22:06 . 2004-11-19 00:24 -------- d-----w- c:\program files\Java
2010-04-14 17:53 . 2009-06-10 20:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-10 06:15 . 2004-08-04 08:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2004-08-04 08:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-06-01 20:33 . 2009-06-01 20:33 3723256 ----a-w- c:\program files\channel4_on_demand.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"AGRSMMSG"="AGRSMMSG.exe" [2004-09-03 88363]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"nwiz"="nwiz.exe" [2004-04-07 323584]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-08-19 290816]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-14 180269]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-4-28 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2005-11-6 581632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\Supportsoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1139965684\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15058:TCP"= 15058:TCP:BitComet 15058 TCP
"15058:UDP"= 15058:UDP:BitComet 15058 UDP
"2656:UDP"= 2656:UDP:Windows Media Format SDK (napster.exe)
"2657:UDP"= 2657:UDP:Windows Media Format SDK (napster.exe)
"17936:TCP"= 17936:TCP:BitComet 17936 TCP
"17936:UDP"= 17936:UDP:BitComet 17936 UDP

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [14/04/2010 18:40 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [14/04/2010 18:40 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [14/04/2010 18:40 482432]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [14/04/2010 18:40 117640]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 16:19 202280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [15/01/2009 18:16 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [09/05/2009 22:30 101936]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSXpx86.sys [08/06/2009 21:02 276344]
S3 EraserUtilDrv10910;EraserUtilDrv10910;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [?]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [20/10/2007 23:39 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [20/10/2007 23:39 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [20/10/2007 23:39 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [20/10/2007 23:39 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [20/10/2007 23:40 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [20/10/2007 23:39 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [20/10/2007 23:39 90800]
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2007-10-23 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 13:58]

2009-04-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-11-19 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: o2.co.uk\*.broadband
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\suliman.ARSHAD\Application Data\Mozilla\Firefox\Profiles\7zmprs3m.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Opera\program\plugins\NPMetaStream3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 00:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?9?3?1??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8666AD01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7672fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e5cb8
\Driver\atapi -> atapi.sys @ 0xf747f7b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578086
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80578086
ParseProcedure -> ntkrnlpa.exe @ 0x80576ce8
NDIS: Realtek RTL8139 Family PCI Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf733dbc3
PacketIndicateHandler -> NDIS.sys @ 0xf732ba0b
SendHandler -> NDIS.sys @ 0xf733fb31
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\wanmpsvc.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
c:\windows\AGRSMMSG.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
c:\program files\AOL 9.0a\aoltray.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\O2\bin\sprtcmd.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-05-22 00:14:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-21 23:14
ComboFix2.txt 2010-05-21 01:23

Pre-Run: 26,495,295,488 bytes free
Post-Run: 26,575,949,824 bytes free

- - End Of File - - 72D87000824F65AAED5E83D2072C7743
sule
 
Posts: 9
Joined: Sun May 02, 2010 11:54 am
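An added example, not part of the thread and not code from Gmer, ComboFix or Malwarebytes: a Python script that reads the ComboFix excerpt posted above and pulls out the three things a helper would look at first in it: the >>UNKNOWN<< module Gmer found in the disk I/O call chain, the entries listed under "detected MBR rootkit hooks:", and WININET.dll sitting inside winlogon.exe and lsass.exe. The sample log embedded in the script is copied from the post; the SENSITIVE_PROCESSES list and the regular expressions are this example's own assumptions about the log format, not anything the tools document.

```python
import re

# Constructed sample input: these lines are copied from the ComboFix log posted
# above (Gmer MBR detector section and the "DLLs Loaded Under Running Processes"
# section) so that the script runs offline without a ComboFix.txt at hand.
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8666AD01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7672fc3
\Driver\ACPI -> ACPI.sys @ 0xf74e5cb8
\Driver\atapi -> atapi.sys @ 0xf747f7b4
user & kernel MBR OK

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
"""

# Log-format assumptions of this example (derived from the posted log, not
# from Gmer or ComboFix documentation).
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(.+?) -> (.+) @ (0x[0-9A-Fa-f]+)$")
PROC_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")

# Heuristic list (an assumption of this example): core logon/security processes
# that have no reason to load the WinInet HTTP client on a clean Windows XP box.
SENSITIVE_PROCESSES = {"winlogon.exe", "lsass.exe", "csrss.exe", "smss.exe"}


def parse_mbr_section(log):
    """Extract the Gmer MBR detector findings from a ComboFix log.

    Returns (unknown_addrs, hooks): the addresses the detector marked as
    >>UNKNOWN<< in the disk I/O call chain, and the (object, target, address)
    triples listed under 'detected MBR rootkit hooks:'.
    """
    unknown, hooks = [], []
    in_hooks = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("called modules:"):
            unknown.extend(UNKNOWN_RE.findall(line))
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                hooks.append((m.group(1), m.group(2), m.group(3)))
            else:
                in_hooks = False  # first non-hook line ends the section
    return unknown, hooks


def parse_loaded_dlls(log):
    """Map each process listed under 'DLLs Loaded Under Running Processes'
    to the DLL paths ComboFix reported inside it."""
    loaded, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        p = PROC_RE.match(line)
        if p:
            current = p.group(1).lower()
            loaded.setdefault(current, [])
        elif current and line.lower().endswith(".dll"):
            loaded[current].append(line)
        elif not line:
            current = None  # a blank line closes the process block
    return loaded


def triage(log):
    """Return (category, detail) findings worth a second look."""
    findings = []
    unknown, hooks = parse_mbr_section(log)
    for addr in unknown:
        findings.append(("unknown-module", f"unidentified module in disk call chain at {addr}"))
    for obj, target, addr in hooks:
        findings.append(("hook", f"{obj} -> {target} @ {addr}"))
    for proc, dlls in parse_loaded_dlls(log).items():
        if proc in SENSITIVE_PROCESSES:
            for dll in dlls:
                if dll.lower().endswith("wininet.dll"):
                    findings.append(("wininet-in-system-process", f"{proc} loaded {dll}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run it as-is to see the findings for the excerpt, or read a full ComboFix.txt into `triage()`. Note that "user & kernel MBR OK" on its own only says the MBR sectors read consistently from user and kernel mode; the unknown module in the call chain and the driver hooks are what point at a kernel-mode rootkit, which is consistent with the thread moving on to a GMER scan and then TDSSKiller.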

Re: Google redirect problem; Malware/infected registry value

Postby patrik » Sat May 22, 2010 3:45 pm

just made it do another scan with the same results

It's ok.

How is your PC working now ?
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm

Re: Google redirect problem; Malware/infected registry value

Postby sule » Wed May 26, 2010 6:55 pm

A little quicker than before but still having google links hijacked just less frequently. Malwarebytes still finds the same original malware on every restart.
sule
 
Posts: 9
Joined: Sun May 02, 2010 11:54 am

Re: Google redirect problem; Malware/infected registry value

Postby sule » Fri May 28, 2010 12:07 am

Let me correct myself, it's just as bad as before.
sule
 
Posts: 9
Joined: Sun May 02, 2010 11:54 am

Re: Google redirect problem; Malware/infected registry value

Postby patrik » Fri May 28, 2010 5:01 pm

Malwarebytes still finds the same original malware on every restart.

Only the entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

???


but still having google links hijacked

Both browsers (IE and firefox) ??

Download GMER Antirootkit from here.
Mirror location: here. This version will download a zip. If you use this mirror, please unzip it to a folder that you create such as C:\Gmer\.

Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. a1afk10a.exe) and allow the gmer.sys driver to load if asked.
For mirror version, double-click Gmer.exe to run the program.
When the program opens, click the ">>>" Tab
Click the "Rootkit/Malware" Tab.
Select all drives that are connected to your system to be scanned.
Click the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into a text file by clicking Edit -> Paste or Ctrl + V
Save the gmer scan log to your desktop.
Close Gmer.

Post a GMER log with your answer.
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm

Re: Google redirect problem; Malware/infected registry value

Postby sule » Mon May 31, 2010 12:00 am

Yes, it's that same entry that doesn't seem to disappear.

And yes IE, Firefox, even Opera. And Google Chrome stopped working so I uninstalled it.

I tried what you told me to do with the GMER antirootkit twice and the same thing happened both times. It scans, tells me it has found rootkit activity and needs to restart, then scans again. Upon the second time it scans I get a blue system error screen from Windows saying it has found a drive error, and then it restarts before the GMER scan is complete.
sule
 
Posts: 9
Joined: Sun May 02, 2010 11:54 am

Re: Google redirect problem; Malware/infected registry value

Postby patrik » Tue Jun 01, 2010 5:57 pm

Download TDSSKiller from here and unzip to your desktop.
Open tdsskiller folder and run TDSSKiller.
Follow the prompts.

If TDSSKiller will not run, please rename it to myapp.exe and try again!

Post back with a fresh Combofix log.
patrik
Site Admin
 
Posts: 9277
Joined: Sun Jan 08, 2006 1:11 pm
