More Google link redirection issues
-
Like other folks, I've recently started having issues with links I click on Google searches redirecting me to other sites, usually random advertisement pages. Sometimes when in Firefox, random tabs will open themselves, and pop-ups will appear. I've also been getting Windows messages about generic host processes needing to be shut down pretty often. I tried using Chrome, but it just said it encountered an error before I could see my homepage.
I've installed Spybot and Malwarebytes, and I've got AVG on my computer, but after running scans the issues haven't gone away. Any help is much appreciated. Here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:36:54 PM, on 6/19/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\Philips\SPC230NC\Monitor.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FlashMute\FlashMute.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Philips\Philips SPC230NC Webcam\TrayMin230.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe
C:\Program Files\AVG\AVG9\avgupd.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SPC230NC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
O4 - HKLM\..\Run: [SPC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [FlashMute] C:\Program Files\FlashMute\FlashMute.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: TrayMin230.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: System Update - {DA320635-F48C-4613-8325-D75A933C549E} - C:\Program Files\Lenovo\System Update\sulauncher.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://drm1.reelsurvey.com/ePlayer/V...ACNePlayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Unknown owner - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 14712 bytes
-
STEP 1. Download Malwarebytes' Anti-Malware to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 2. Download GMER (Rootkit Detector and Remover) by clicking on the Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.15281 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
Do NOT use the computer while GMER is running!
When the scan is completed, click the Save button, and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
RESTART COMPUTER
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Thanks for taking a look at this. The situation has been deteriorating a bit; I no longer seem to be able to connect to my wireless network, so I used a friend's computer to copy GMER over, and the logs back, with a USB drive.
Malwarebytes--Already had this installed, and had scanned recently, so the log below looks pretty empty. I can try to find an old log if that is helpful.
GMER--Had some issues with this. I got a BSOD on the first try, then tried again with Devices unchecked. It went well for a while, but towards the end of scanning the filesystem the system locked up. The log below is from running in Safe Mode. There were definitely more things that came up when I first ran it, not in Safe Mode, but hopefully this is still useful.
Malwarebytes' Anti-Malware 1.46
Malwarebytes
Database version: 4211
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
6/20/2010 6:41:16 PM
mbam-log-2010-06-20 (18-41-16).txt
Scan type: Quick scan
Objects scanned: 139056
Time elapsed: 17 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
------------------------------------------------
GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-21 01:54:30
Windows 5.1.2600 Service Pack 2
Running: bwcp7oe5.exe; Driver: C:\DOCUME~1\Mike\LOCALS~1\Temp\aftyaaod.sys
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF763387E]
SSDT spcf.sys ZwEnumerateKey [0xF74E3CA2]
SSDT spcf.sys ZwEnumerateValueKey [0xF74E4030]
SSDT spcf.sys ZwOpenKey [0xF74C60C0]
SSDT spcf.sys ZwQueryKey [0xF74E4108]
SSDT spcf.sys ZwQueryValueKey [0xF74E3F88]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7633BFE]
INT 0x62 ? 86FD4BF8
INT 0x74 ? 86ED2F00
INT 0x83 ? 86F62BF8
INT 0x83 ? 86ED2F00
INT 0x84 ? 86ED2F00
---- Kernel code sections - GMER 1.0.15 ----
? spcf.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\ACPIEC.sys entry point in ".rsrc" section [0xF7A01194]
.text USBPORT.SYS!DllUnload F70DF7AE 5 Bytes JMP 86ED24E0
.text afdh6ko2.SYS F6FEB384 1 Byte [20]
.text afdh6ko2.SYS F6FEB384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text afdh6ko2.SYS F6FEB3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text afdh6ko2.SYS F6FEB3C4 3 Bytes [00, 00, 00]
.text afdh6ko2.SYS F6FEB3C9 1 Byte [00]
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\svchost.exe[816] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\system32\svchost.exe[816] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 009E000A
.text C:\WINDOWS\Explorer.EXE[1388] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1388] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1388] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F655E0
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74F693C] spcf.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74F6990] spcf.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74C7040] spcf.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74C713C] spcf.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74C70BE] spcf.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74C77FC] spcf.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74C76D2] spcf.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86ED25E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74D6D92] spcf.sys
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlInitUnicodeString] 9252D2DB
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!swprintf] [804FC5C0] \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeSetEvent] 8E44C8C9
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoCreateSymbolicLink] A475EBF6
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoGetConfigurationInformation] AA7EE6FF
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] B863F1E4
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmFreeMappingAddress] B668FCED
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 0CB1670A
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 02BA6A03
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmUnmapIoSpace] 10A77D18
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 1EAC7011
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IofCompleteRequest] 349D532E
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 3A965E27
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IofCallDriver] 288B493C
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 26804435
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 7CE90F42
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoConnectInterrupt] 72E2024B
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoDetachDevice] 60FF1550
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeWaitForSingleObject] 6EF41859
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeInitializeEvent] 44C53B66
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 4ACE366F
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlInitAnsiString] 58D32174
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 56D82C7D
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoQueueWorkItem] 377A0CA1
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmMapIoSpace] 397101A8
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2B6C16B3
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoReportDetectedDevice] 25671BBA
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoReportResourceForDetection] 0F563885
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 015D358C
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!NlsMbCodePageTag] 13402297
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!PoRequestPowerIrp] 1D4B2F9E
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 472264E9
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 492969E0
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!sprintf] 5B347EFB
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 553F73F2
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ObfDereferenceObject] 7F0E50CD
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 71055DC4
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 63184ADF
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ZwClose] 6D1347D6
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] D7CADC31
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] D9C1D138
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CBDCC623
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!PoStartNextPowerIrp] C5D7CB2A
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!PoCallDriver] EFE6E815
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoCreateDevice] E1EDE51C
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] F3F0F207
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlQueryRegistryValues] FDFBFF0E
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ZwOpenKey] A792B479
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlFreeUnicodeString] A999B970
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoStartTimer] BB84AE6B
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeInitializeTimer] B58FA362
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoInitializeTimer] 9FBE805D
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeInitializeDpc] 91B58D54
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeInitializeSpinLock] 83A89A4F
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoInitializeIrp] 8DA39746
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ZwCreateKey] 00000063
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 0000007C
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 00000077
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ZwSetValueKey] 0000007B
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000F2
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 0000006B
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoStartPacket] 0000006F
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 000000C5
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 00000030
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoFreeMdl] 00000001
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmUnlockPages] 00000067
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 0000002B
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 000000FE
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 000000D7
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 000000AB
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeSynchronizeExecution] 00000076
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoStartNextPacket] 000000CA
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeBugCheckEx] 00000082
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 000000C9
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeSetTimer] 0000007D
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeCancelTimer] 000000FA
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!_allmul] 00000059
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmProbeAndLockPages] 00000047
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!_except_handler3] 000000F0
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!PoSetPowerState] 000000AD
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 000000D4
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 000000A2
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!_aulldiv] 000000AF
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!strstr] 0000009C
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!_strupr] 000000A4
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeQuerySystemTime] 00000072
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 000000C0
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!KeTickCount] 000000B7
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 000000FD
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoDeleteDevice] 00000093
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 00000026
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00000036
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoAllocateIrp] 0000003F
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoAllocateMdl] 000000F7
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 000000CC
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmLockPagableDataSection] 00000034
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 000000A5
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 000000E5
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!ExFreePoolWithTag] 000000F1
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoFreeIrp] 00000071
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!IoFreeWorkItem] 000000D8
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!InitSafeBootMode] 00000031
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlCompareMemory] 00000015
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 00000004
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!memmove] 000000C7
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[ntoskrnl.exe!MmHighestUserAddress] 00000023
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\afdh6ko2.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE1 0x7C 0x1F 0x60 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF8 0x6E 0xF8 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFF 0x32 0xCB 0x67 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE1 0x7C 0x1F 0x60 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF8 0x6E 0xF8 0x27 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFF 0x32 0xCB 0x67 ...
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\ACPIEC.sys suspicious modification
---- EOF - GMER 1.0.15 ----
-
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Thanks! Managed to run combofix (not in safe mode); my internet connection seems to work OK again. I haven't tried too much yet, but I didn't get redirected from the first couple of links I clicked.
ComboFix 10-06-21.01 - Mike 06/22/2010 0:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.441 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\geyekrbyikkcvt.dat
c:\windows\system32\UACjkatmhycdywlcjfir.db
----- BITS: Possible infected sites -----
hxxp://au.download.windowsupdatj+|Cv+@J:NGD_DQ{zGD_DQ{zGD _DQ{zGD_DQ{z+@J:Nj+|Cv000-7B44-A93200000932}
Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-05-22 to 2010-06-22 )))))))))))))))))))))))))))))))
.
2010-06-15 03:22 . 2010-06-16 03:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-15 03:22 . 2010-06-15 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-15 02:56 . 2010-06-18 00:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-15 01:18 . 2010-06-15 01:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-15 01:17 . 2010-06-15 01:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-15 01:07 . 2010-06-15 01:08 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-15 01:06 . 2010-06-15 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-15 01:06 . 2010-06-15 01:08 -------- d-----w- c:\program files\Lavasoft
2010-06-12 18:03 . 2010-06-12 18:03 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2010-06-12 18:03 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-12 18:03 . 2010-06-12 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-12 18:03 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-12 18:03 . 2010-06-12 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 23:39 . 2010-06-11 23:39 -------- d-----w- c:\program files\AVG
2010-06-06 18:32 . 2010-06-11 23:12 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\ogyquyabd
2010-05-28 01:05 . 2010-05-28 01:06 -------- d-----w- c:\program files\CCleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 04:11 . 2007-07-25 00:37 76288 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-20 04:59 . 2007-07-25 00:23 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-06-19 20:24 . 2007-07-25 00:15 -------- d-----w- c:\program files\PCDR5
2010-06-19 18:18 . 2007-08-13 14:56 -------- d-----w- c:\program files\Windows Live Toolbar
2010-06-11 23:10 . 2007-08-13 14:56 76288 -c--a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-11 23:09 . 2008-08-11 05:38 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-28 06:31 . 2010-02-02 02:29 -------- d-----w- c:\program files\Common Files\Intuit
2010-05-21 04:58 . 2010-04-21 22:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-06 06:42 . 2009-02-24 02:46 -------- d-----w- c:\documents and settings\Mike\Application Data\gtk-2.0
2010-05-03 01:27 . 2008-10-13 23:07 -------- d-----w- c:\documents and settings\Mike\Application Data\dvdcss
2010-05-02 08:48 . 2008-07-10 05:16 -------- d-----w- c:\documents and settings\Mike\Application Data\uTorrent
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2006-03-11 221184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"TpShocks"="TpShocks.exe" [2006-03-16 106496]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 69632]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-15 503808]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-13 41472]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-24 24576]
TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2008-12-15 241664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 02:20 40448 ------w- c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w- c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w- c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-01-17 16:51 486856 -c----w- c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-07 19:31 21633320 ------r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Philips\\Intelligent Agent\\Philips Intelligent Agent.exe"=
"c:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Eclipse\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\cygwin\\bin\\XWin.exe"=
"c:\\Program Files\\Foxit Software\\Foxit Reader\\Foxit Reader.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11476:TCP"= 11476:TCP:BitComet 11476 TCP
"11476:UDP"= 11476:UDP:BitComet 11476 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/14/2010 9:18 PM 64288]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [12/1/2003 7:27 PM 53248]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/13/2006 7:05 PM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 6:55 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [4/25/2006 10:00 PM 3456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/8/2007 2:09 PM 24652]
S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [12/15/2008 11:45 PM 8576]
S3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [12/15/2008 11:45 PM 461056]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/4/2008 1:15 AM 716272]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-06-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:46]
2010-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
2010-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3848391195-2397763145-3297269932-1008Core.job
- c:\documents and settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:26]
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3848391195-2397763145-3297269932-1008UA.job
- c:\documents and settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:26]
2010-06-22 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-07-25 16:13]
2010-06-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-25 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\6lalxtmu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\documents and settings\Mike\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Mike\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
Notify-ACNotify - ACNotify.dll
Notify-avgrsstarter - (no file)
Notify-NavLogon - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-22 01:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86E94EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75f7fc3
\Driver\ACPI -> ACPI.sys @ 0xf748acb8
\Driver\atapi -> atapi.sys @ 0xf73e87b4
\Driver\iaStor -> iaStor.sys @ 0xf731eb58
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel(R) PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf71f5bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7202a21
SendHandler -> NDIS.sys @ 0xf71e087b
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\WININET.dll
c:\windows\system32\vrlogon.dll
c:\windows\system32\tvt_gina.dll
c:\program files\Lenovo\Client Security Solution\css_gina_plugin.dll
c:\program files\Lenovo\Client Security Solution\css_wait_bar.dll
c:\program files\Lenovo\Client Security Solution\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\program files\Common Files\Lenovo\tvt_banner.dll
c:\program files\Lenovo\Client Security Solution\cssdlgpwentry.dll
c:\program files\Lenovo\Client Security Solution\dlganswerprompt.dll
c:\program files\Lenovo\Client Security Solution\tvttsp.dll
c:\program files\Lenovo\Client Security Solution\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_res.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\VTI.DLL
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
- - - - - - - > 'lsass.exe'(1408)
c:\windows\system32\WININET.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
- - - - - - - > 'explorer.exe'(4728)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\FlashMute\mutelib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\TpShocks.exe
c:\program files\ThinkPad\UltraNav Wizard\UNavTray.EXE
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2010-06-22 01:18:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-22 05:18
Pre-Run: 12,883,910,656 bytes free
Post-Run: 13,208,092,672 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - F59948ACF19DF86ABC8A4F90D88649BF
-
Very good 
Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.
=============================================================
Note: If you have a previous version of TDSSKiller downloaded please delete it now and download a fresh copy using the links provided below
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.
-
-
Please delete your Combofix file, download a fresh one, run it and post the new log.
-
Here's the new log:
ComboFix 10-06-22.02 - Mike 06/22/2010 22:57:32.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.443 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.
2010-06-23 02:27 . 2010-06-23 02:27 -------- d-----w- c:\windows\LastGood
2010-06-15 03:22 . 2010-06-16 03:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-15 03:22 . 2010-06-15 12:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-15 02:56 . 2010-06-18 00:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-15 01:18 . 2010-06-15 01:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-15 01:17 . 2010-06-15 01:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-15 01:07 . 2010-06-15 01:08 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-15 01:07 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-15 01:06 . 2010-06-15 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-15 01:06 . 2010-06-15 01:08 -------- d-----w- c:\program files\Lavasoft
2010-06-12 18:03 . 2010-06-12 18:03 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2010-06-12 18:03 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-12 18:03 . 2010-06-12 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-12 18:03 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-12 18:03 . 2010-06-12 18:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 23:39 . 2010-06-11 23:39 -------- d-----w- c:\program files\AVG
2010-06-06 18:32 . 2010-06-11 23:12 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\ogyquyabd
2010-05-28 01:05 . 2010-05-28 01:06 -------- d-----w- c:\program files\CCleaner
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-22 05:37 . 2001-08-17 13:57 11648 ----a-w- c:\windows\system32\drivers\ACPIEC.sys
2010-06-22 05:33 . 2007-08-22 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-06-22 04:11 . 2007-07-25 00:37 76288 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-20 04:59 . 2007-07-25 00:23 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-06-19 20:24 . 2007-07-25 00:15 -------- d-----w- c:\program files\PCDR5
2010-06-19 18:18 . 2007-08-13 14:56 -------- d-----w- c:\program files\Windows Live Toolbar
2010-06-11 23:10 . 2007-08-13 14:56 76288 -c--a-w- c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-11 23:09 . 2008-08-11 05:38 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-28 06:31 . 2010-02-02 02:29 -------- d-----w- c:\program files\Common Files\Intuit
2010-05-21 04:58 . 2010-04-21 22:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-07 16:55 . 2010-05-07 16:55 255472 ----a-w- c:\documents and settings\Mike\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-06 06:42 . 2009-02-24 02:46 -------- d-----w- c:\documents and settings\Mike\Application Data\gtk-2.0
2010-05-03 01:27 . 2008-10-13 23:07 -------- d-----w- c:\documents and settings\Mike\Application Data\dvdcss
2010-05-02 08:48 . 2008-07-10 05:16 -------- d-----w- c:\documents and settings\Mike\Application Data\uTorrent
2010-04-01 17:50 . 2010-04-01 17:50 532480 ----a-w- c:\documents and settings\Mike\Application Data\Notepad++\plugins\config\plugin_install_temp\plugin1\plugins\PluginManager.dll
2010-04-01 17:50 . 2010-04-01 17:50 401408 ----a-w- c:\documents and settings\Mike\Application Data\Notepad++\plugins\config\plugin_install_temp\plugin1\updater\gpup.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 22:52 80384 ------w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"FlashMute"="c:\program files\FlashMute\FlashMute.exe" [2006-03-11 221184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-25 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-25 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-23 237568]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"TpShocks"="TpShocks.exe" [2006-03-16 106496]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-08-16 69632]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-15 503808]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-13 41472]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-20 286720]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-24 24576]
TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2008-12-15 241664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 02:20 40448 ------w- c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w- c:\windows\system32\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w- c:\windows\system32\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Mike^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Mike\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-01-17 16:51 486856 -c----w- c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-11-07 19:31 21633320 ------r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Philips\\Intelligent Agent\\Philips Intelligent Agent.exe"=
"c:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Mike\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Eclipse\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\cygwin\\bin\\XWin.exe"=
"c:\\Program Files\\Foxit Software\\Foxit Reader\\Foxit Reader.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11476:TCP"= 11476:TCP:BitComet 11476 TCP
"11476:UDP"= 11476:UDP:BitComet 11476 UDP
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/14/2010 9:18 PM 64288]
R2 gearsec;gearsec;c:\windows\system32\gearsec.exe [12/1/2003 7:27 PM 53248]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/13/2006 7:05 PM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 6:55 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [4/25/2006 10:00 PM 3456]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [12/15/2008 11:45 PM 8576]
S3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [12/15/2008 11:45 PM 461056]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/4/2008 1:15 AM 716272]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - KLMDB
*Deregistered* - klmdb
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-06-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 00:46]
2010-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
2010-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3848391195-2397763145-3297269932-1008Core.job
- c:\documents and settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:26]
2010-06-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3848391195-2397763145-3297269932-1008UA.job
- c:\documents and settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 04:26]
2010-06-23 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-07-25 16:13]
2010-06-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-25 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} - hxxp://drm1.reelsurvey.com/ePlayer/V3_2_0_0/ACNePlayer.cab
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\6lalxtmu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\documents and settings\Mike\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Mike\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-klmdb.sys
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-06-22 23:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1344)
c:\windows\system32\vrlogon.dll
c:\windows\system32\tvt_gina.dll
c:\program files\Lenovo\Client Security Solution\css_gina_plugin.dll
c:\program files\Lenovo\Client Security Solution\css_wait_bar.dll
c:\program files\Lenovo\Client Security Solution\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\program files\Common Files\Lenovo\tvt_banner.dll
c:\program files\Lenovo\Client Security Solution\cssdlgpwentry.dll
c:\program files\Lenovo\Client Security Solution\dlganswerprompt.dll
c:\program files\Lenovo\Client Security Solution\tvttsp.dll
c:\program files\Lenovo\Client Security Solution\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_res.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\VTI.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
c:\windows\system32\notifyf2.dll
- - - - - - - > 'lsass.exe'(1400)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
- - - - - - - > 'explorer.exe'(3580)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-22 23:09:25
ComboFix-quarantined-files.txt 2010-06-23 03:09
ComboFix2.txt 2010-06-22 05:18
Pre-Run: 13,035,917,312 bytes free
Post-Run: 13,027,418,112 bytes free
- - End Of File - - 31769DAEB6D3DCBBC04E5F9DC54E0DA1
-
Good 
How is your computer doing at the moment?
Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.
===============================================================
Download OTL to your Desktop.
* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT
* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.