PDA

View Full Version : Redirection



voolak
2009-04-16, 18:40
When I search in google sometimes I get redirected to some sites which are always the same. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:01 AM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O20 - AppInit_DLLs: towpek.dll c:\windows\system32\larihisu.dll c:\windows\system32\binosino.dll,C:\WINDOWS\system32\senifetu.dll
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6752 bytes

[I]
Previous topic: http://forums.spybot.info/showthread.php?t=45791&page=3

Shaba
2009-04-18, 15:47
Hi voolak

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

voolak
2009-04-18, 17:08
ComboFix 09-04-18.05 - Divilov 04/18/2009 9:53.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1625 [GMT -4:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\senekahatydelv.sys
c:\windows\system32\lsprst7.dll
c:\windows\system32\prsgrc.dll
c:\windows\system32\senekactlmogvi.dat
c:\windows\system32\senekajeucyymp.dat
c:\windows\system32\senekamckapfen.dll
c:\windows\system32\senekatetdmqlt.dll
c:\windows\system32\senekautdottqp.dll
c:\windows\system32\tofayava.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-16 14:24 . 2009-04-16 15:24 20480 ----a-w c:\windows\system32\ak1.exe
2009-04-16 14:22 . 2009-04-16 14:22 118 ----a-w c:\windows\system32\MRT.INI
2009-04-16 14:03 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 14:03 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 14:03 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 14:03 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 14:03 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 14:03 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 14:03 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 14:03 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 14:03 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 14:02 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 14:02 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 14:02 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 15:55 . 2009-04-15 17:40 81920 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-06 02:39 . 2008-04-14 00:12 218624 ----a-w c:\windows\system32\uxtheme.backup
2009-04-02 01:56 . 2009-04-02 01:56 -------- d-----w c:\documents and settings\Divilov\Application Data\Eltima Software
2009-03-22 18:12 . 2009-03-22 18:12 -------- d-----w c:\documents and settings\Divilov\Application Data\SPSSInc
2009-03-22 17:30 . 2009-03-22 17:30 -------- d-----w c:\documents and settings\Divilov\.spss
2009-03-22 17:28 . 2009-04-11 15:30 114 ----a-w c:\windows\system32\prsgrc.tgz
2009-03-22 17:28 . 2009-03-22 17:28 1024 ----a-w c:\windows\system32\grcauth2.dll
2009-03-22 17:28 . 2009-03-22 17:28 1024 ----a-w c:\windows\system32\grcauth1.dll
2009-03-22 17:28 . 2009-03-22 17:28 -------- d-----w c:\documents and settings\All Users\Application Data\SafeNet Sentinel
2009-03-22 17:28 . 2009-03-22 17:28 -------- d-----w c:\documents and settings\All Users\Application Data\SPSS
2009-03-22 17:27 . 2009-03-22 17:27 219 ----a-w c:\windows\system32\lsprst7.tgz
2009-03-22 17:27 . 2009-03-22 17:27 16 ---h--w c:\windows\system32\servdat.slm
2009-03-22 17:27 . 2009-03-22 17:27 1025 ----a-w c:\windows\system32\sysprs7.tgz
2009-03-22 17:27 . 2009-03-22 17:27 1025 ----a-w c:\windows\system32\sysprs7.dll
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 13:56 . 2007-12-30 01:44 532 ----a-w C:\RTHDCPL_Dump.txt
2009-04-08 00:22 . 2009-04-08 00:21 -------- d-----w c:\program files\WinPcap
2009-04-08 00:19 . 2007-07-21 06:22 95408 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-08 00:19 . 2009-04-08 00:19 -------- d-----w c:\program files\LM Studio
2009-04-05 23:22 . 2008-05-24 05:15 -------- d-----w c:\program files\JDown
2009-04-05 04:47 . 2008-08-08 03:54 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-01 02:01 . 2009-04-01 02:01 -------- d-----w c:\program files\Alcohol Soft
2009-04-01 00:33 . 2008-01-02 19:39 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-30 16:45 . 2007-12-28 11:39 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-30 16:24 . 2008-05-26 20:57 -------- d-----w c:\program files\Fraps
2009-03-30 12:31 . 2007-07-21 02:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 17:28 . 2009-03-22 17:28 -------- d-----w c:\program files\Common Files\SPSS
2009-03-22 17:27 . 2009-03-22 17:27 -------- d-----w c:\program files\SPSSInc
2009-03-21 15:29 . 2009-03-21 15:29 -------- d-----w c:\program files\VALVe
2009-03-20 01:22 . 2009-03-20 01:22 -------- d-----w c:\program files\DAMN NFO Viewer
2009-03-19 23:00 . 2008-06-20 20:18 -------- d-----w c:\documents and settings\Divilov\Application Data\uTorrent
2009-03-19 01:15 . 2009-03-19 01:15 -------- d-----w c:\program files\Azure Gaming
2009-03-18 03:42 . 2009-03-18 03:42 -------- d-----w c:\documents and settings\All Users\Application Data\WotT
2009-03-16 03:58 . 2009-03-16 03:58 115936 ----a-w c:\windows\system32\drivers\prodrv03.sys
2009-03-11 00:20 . 2008-01-20 17:43 -------- d-----w c:\program files\PB
2009-03-10 23:25 . 2008-01-14 03:55 -------- d-----w c:\program files\DAEMON Tools Pro
2009-03-06 14:22 . 2008-08-31 11:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 19:31 . 2008-02-04 21:24 79268 ---ha-w c:\windows\system32\mlfcache.dat
2009-03-03 00:18 . 2007-02-20 09:52 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 23:05 . 2009-03-02 23:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-02 16:53 . 2009-03-02 16:53 -------- d-----w c:\documents and settings\Divilov\Application Data\Foxit
2009-03-01 20:17 . 2009-03-01 20:10 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-01 20:17 . 2007-12-27 18:14 -------- d-----w c:\program files\Java
2009-02-24 19:36 . 2009-02-24 19:36 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-20 18:09 . 2008-08-31 11:57 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 03:46 . 2008-08-06 10:05 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-19 12:54 . 2009-02-19 12:54 -------- d-----w c:\documents and settings\Divilov\Application Data\Malwarebytes
2009-02-18 15:07 . 2009-02-18 15:07 -------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-12 15:07 . 2009-01-14 15:26 413696 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-12 15:07 . 2009-01-14 15:26 110592 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-09 12:10 . 2008-08-31 11:56 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-08-31 11:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2008-08-31 11:56 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-08-31 11:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2008-08-31 11:56 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2008-08-31 11:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-08-31 11:56 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 05:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-08-31 11:56 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-08-31 11:56 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-28 14:57 . 2009-01-28 14:57 77060 ----a-w C:\svf_info.txt
2009-01-26 17:27 . 2008-03-17 22:59 202032 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-23 06:02 . 2008-01-19 02:01 22328 ----a-w c:\documents and settings\Divilov\Application Data\PnkBstrK.sys
2009-01-23 06:01 . 2008-03-17 22:59 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-23 06:01 . 2008-04-12 22:35 2337865 ----a-w c:\windows\system32\pbsvc.exe
2009-01-23 01:17 . 2009-01-23 01:17 42320 ----a-w c:\windows\system32\xfcodec.dll
2007-12-27 18:09 . 2007-12-27 18:09 130 ----a-w c:\documents and settings\Divilov\Local Settings\Application Data\fusioncache.dat
2007-07-21 06:22 . 2007-12-27 18:08 68456 ----a-w c:\documents and settings\Divilov\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-17 16:46 . 2009-01-17 16:46 48640 --sha-w c:\windows\system32\dofimete.dll.tmp
2009-01-16 16:03 . 2009-01-16 16:03 48640 --sha-w c:\windows\system32\gakikedo.dll.tmp
2009-01-16 16:03 . 2009-01-16 16:03 48640 --sha-w c:\windows\system32\gurawubo.dll.tmp
2009-01-17 16:46 . 2009-01-17 16:46 48640 --sha-w c:\windows\system32\hezubuti.dll.tmp
2009-01-16 16:03 . 2009-01-16 16:03 48640 --sha-w c:\windows\system32\hobokuzu.dll.tmp
2009-01-15 14:39 . 2009-01-15 14:39 48640 --sha-w c:\windows\system32\pozayeda.dll.tmp
2009-01-15 14:39 . 2009-01-15 14:39 48640 --sha-w c:\windows\system32\seduvumo.dll.tmp
2009-01-15 14:39 . 2009-01-15 14:39 48640 --sha-w c:\windows\system32\tobuvuzi.dll.tmp
2009-01-17 16:46 . 2009-01-17 16:46 48640 --sha-w c:\windows\system32\wewusigo.dll.tmp
2008-08-31 16:04 . 2008-08-31 16:04 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-12-20 16860672]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
R3 FStarForce;FStarForce;c:\windows\system32\DRIVERS\FStarForce.sys [2009-01-01 8192]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
S1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
S1 prodrv03;Star Force copy protection driver v3;c:\windows\system32\drivers\prodrv03.sys [2009-03-16 115936]
S2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
S2 netlimiter;netlimiter;c:\windows\system32\drivers\netlimiter.sys [2006-10-03 18072]
S2 netlock;netlock;c:\windows\system32\drivers\netlock.sys [2007-05-30 14616]
S2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-13 15640]
S2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-09 10944]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-02-15 20:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 09:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthdyirjxbqbruvooetoirfopxlbcyavyqm.sys 83968 bytes executable
c:\docume~1\Divilov\LOCALS~1\Temp\ovfsthrchtibpxcd.tmp 133632 bytes executable
c:\docume~1\Divilov\LOCALS~1\Temp\ovfsth000 0 bytes
c:\docume~1\Divilov\LOCALS~1\Temp\ovfsthkpfvramrdy.tmp 343040 bytes executable
c:\docume~1\Divilov\LOCALS~1\Temp\ovfsthndevjkisho.tmp 107520 bytes executable
c:\windows\system32\ovfsthomimpemcnatgjaqbeciqqolalhclmafp.dll 18944 bytes executable
c:\windows\system32\ovfsthpatlvnuaaswefbomylnvulewrlgdlxas.dat 48414 bytes
c:\windows\system32\ovfsthpwumalopkgvkdqhexxjxisktymoypyqf.dat 43 bytes
c:\windows\system32\ovfsthqlhslpdiutkrmyxvrodunwhopxgscjcw.dll 60928 bytes executable
c:\windows\system32\ovfsthwhbewnkfimwcbqtuxunkrfwsujdqxrqh.dll 18432 bytes executable

scan completed successfully
hidden files: 10

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ovfsthjnvdokwpdwehwaivkipxbbuttesibgkv]
"imagepath"="\systemroot\system32\drivers\ovfsthdyirjxbqbruvooetoirfopxlbcyavyqm.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\seneka]
"imagepath"="\systemroot\system32\drivers\senekahatydelv.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:df,e5,ea,76,71,90,73,86,f2,3b,64,e1,44,75,32,48,0e,0d,17,d9,a4,
7d,9d,b1,b2,f8,5f,13,8a,bd,a1,55,fd,d0,43,89,5a,c2,94,27,4f,b8,86,97,26,e7,\
"rkeysecu"=hex:65,18,48,8e,28,49,90,6b,b5,75,cc,af,3d,1e,4d,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1116)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\windows\system32\rundll32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\matlab\webserver\bin\win32\matlabserver.exe
c:\acer\LANScope Agent\lockkm.exe
c:\matlab\bin\win32\MATLAB.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-04-18 10:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 14:00

Pre-Run: 38,776,360,960 bytes free
Post-Run: 38,792,622,080 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
262 --- E O F --- 2009-04-18 13:58



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:25 AM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6491 bytes


By the way I didn't want to double post earlier but in addition to the redirection I have been getting popups and some weird grey boxes as shown below.

http://img201.imageshack.us/img201/6301/greyj.gif

voolak
2009-04-18, 17:32
Also redirection is still there

Shaba
2009-04-18, 17:32
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

voolak
2009-04-18, 19:59
7.62
Acer eAcoustics Management
Acer eDataSecurity Management
Acer eDataSecurity Management 2.0.4093
Acer Empowering Technology
Acer ePerformance Management
Acer eProtection
Acer eSettings Management
Acer LANScope Agent
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
AMD Processor Driver
ATI Display Driver
AutoHotkey 1.0.47.06
Azure Gaming: Lineage II (Full Client)
Azure Gaming: Lineage II (Updater)
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
CCleaner (remove only)
Counter-Strike: Source Texture Pack 1.00
CSS FULL DZ [Oct 15 2007] v18.1
ESET Smart Security
Foxit Reader
Fraps (remove only)
Free YouTube to Mp3 Converter version 3.1
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB961118)
Java(TM) 6 Update 12
LineAge Utils
Malwarebytes' Anti-Malware
MATLAB Family of Products Release 14
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.0.8)
Mozilla Thunderbird (2.0.0.21)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
NVIDIA PhysX v8.10.17
OCA Client history tool install
OpenAL
PunkBuster Services
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sony Vegas Pro 8.0
Spelling Dictionaries Support For Adobe Reader 8
SPSS Statistics 17.0
Spybot - Search & Destroy
SWF & FLV Player 3.0 (build 3.0.33.5106)
System Requirements Lab
The Longest Journey
Trillian
Tweak UI
Unlocker 1.8.7
Update for Windows XP (KB967715)
Ventrilo Client
VentriloMIX
VeohTV BETA
VobSub v2.23 (Remove Only)
Winamp
Windows Imaging Component
Windows Media Format Runtime
Windows Presentation Foundation
Windows XP Service Pack 3
WinPcap 3.1
WinRAR archiver
Xfire (remove only)
Xvid 1.1.3 final uninstall

Shaba
2009-04-18, 20:14
Open notepad and copy/paste the text in the codebox below into it:


File::
c:\windows\system32\dofimete.dll.tmp
c:\windows\system32\gakikedo.dll.tmp
c:\windows\system32\gurawubo.dll.tmp
c:\windows\system32\hezubuti.dll.tmp
c:\windows\system32\hobokuzu.dll.tmp
c:\windows\system32\pozayeda.dll.tmp
c:\windows\system32\seduvumo.dll.tmp
c:\windows\system32\tobuvuzi.dll.tmp
c:\windows\system32\wewusigo.dll.tmp

Rootkit::
c:\windows\system32\drivers\ovfsthdyirjxbqbruvooetoirfopxlbcyavyqm.sys
c:\docume~1\Divilov\LOCALS~1\Temp\ovfsthrchtibpxcd.tmp
c:\docume~1\Divilov\LOCALS~1\Temp\ovfsth000
c:\docume~1\Divilov\LOCALS~1\Temp\ovfsthkpfvramrdy.tmp
c:\docume~1\Divilov\LOCALS~1\Temp\ovfsthndevjkisho.tmp
c:\windows\system32\ovfsthomimpemcnatgjaqbeciqqolalhclmafp.dll
c:\windows\system32\ovfsthpatlvnuaaswefbomylnvulewrlgdlxas.dat
c:\windows\system32\ovfsthpwumalopkgvkdqhexxjxisktymoypyqf.dat
c:\windows\system32\ovfsthqlhslpdiutkrmyxvrodunwhopxgscjcw.dll
c:\windows\system32\ovfsthwhbewnkfimwcbqtuxunkrfwsujdqxrqh.dll

Folder::
c:\documents and settings\Divilov\Application Data\uTorrent
c:\Program Files\uTorrent

Driver::
ovfsthjnvdokwpdwehwaivkipxbbuttesibgkv
seneka

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

voolak
2009-04-18, 20:51
ComboFix 09-04-19.01 - Divilov 04/18/2009 13:41.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1623 [GMT -4:00]
Running from: c:\documents and settings\Divilov\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Divilov\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\dofimete.dll.tmp
c:\windows\system32\gakikedo.dll.tmp
c:\windows\system32\gurawubo.dll.tmp
c:\windows\system32\hezubuti.dll.tmp
c:\windows\system32\hobokuzu.dll.tmp
c:\windows\system32\pozayeda.dll.tmp
c:\windows\system32\seduvumo.dll.tmp
c:\windows\system32\tobuvuzi.dll.tmp
c:\windows\system32\wewusigo.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Divilov\Application Data\uTorrent
c:\documents and settings\Divilov\Application Data\uTorrent\2007 Best Remixes.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Arcanum.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Counter-Strike Source FULL [October 15 2007] DiGiTALZonE.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Dark Sector CrackFix.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\DF.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\dht.dat
c:\documents and settings\Divilov\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Divilov\Application Data\uTorrent\DnLInstall.exe.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Eye Training [PC.CD][English][www.zonatorrent.com].torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Fallout 2.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\fraps2.9.8.EXE.1.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\fraps2.9.8.EXE.2.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\fraps2.9.8.EXE.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Hacker.Evolution[2007][PCGame]-ZeeForge.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Mercenaries.2.World.In.Flames.Crackfix-RELOADED.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\MIRC.v6.31.KeyMaker.and.AuthPatch.Only-DVT.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Mirrors.Edge.Update.Crack.1.01-RELOADED.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\PCSX2-0.9.4.1.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\PCSX2-0.9.4.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Perfect World International.zip.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\psx2_bios.rar.1.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\psx2_bios.rar.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\R3AP3R100HD2.rar.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\resume.dat
c:\documents and settings\Divilov\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Divilov\Application Data\uTorrent\rss.dat
c:\documents and settings\Divilov\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Divilov\Application Data\uTorrent\settings.dat
c:\documents and settings\Divilov\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Divilov\Application Data\uTorrent\Space.Siege-RELOADED.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Supreme.Ruler.2020-SKIDROW.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\The Rosetta Stone SFX.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\The.Fall.Last.Days.Of.Gaia.Extended.English.Mod.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\Tom Clancy Rainbow Six Vegas 2 Keygen Serial Only.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\utorrent.lng
c:\documents and settings\Divilov\Application Data\uTorrent\VA-The Best Of Techno Vol.1-2008-.www.lokotorrents.com.torrent
c:\documents and settings\Divilov\Application Data\uTorrent\X9B2yjlC_runesofmagic_open_beta.rar.torrent
c:\program files\uTorrent
c:\program files\uTorrent\uTorrent.exe
c:\windows\system32\basesrv.dll
c:\windows\system32\dofimete.dll.tmp
c:\windows\system32\drivers\ovfsthdyirjxbqbruvooetoirfopxlbcyavyqm.sys
c:\windows\system32\gakikedo.dll.tmp
c:\windows\system32\gurawubo.dll.tmp
c:\windows\system32\hezubuti.dll.tmp
c:\windows\system32\hobokuzu.dll.tmp
c:\windows\system32\ovfsthomimpemcnatgjaqbeciqqolalhclmafp.dll
c:\windows\system32\ovfsthpatlvnuaaswefbomylnvulewrlgdlxas.dat
c:\windows\system32\ovfsthpwumalopkgvkdqhexxjxisktymoypyqf.dat
c:\windows\system32\ovfsthqlhslpdiutkrmyxvrodunwhopxgscjcw.dll
c:\windows\system32\ovfsthwhbewnkfimwcbqtuxunkrfwsujdqxrqh.dll
c:\windows\system32\pozayeda.dll.tmp
c:\windows\system32\seduvumo.dll.tmp
c:\windows\system32\tobuvuzi.dll.tmp
c:\windows\system32\wewusigo.dll.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthjnvdokwpdwehwaivkipxbbuttesibgkv


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-16 14:24 . 2009-04-16 15:24 20480 ----a-w c:\windows\system32\ak1.exe
2009-04-16 14:22 . 2009-04-16 14:22 118 ----a-w c:\windows\system32\MRT.INI
2009-04-16 14:03 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 14:03 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 14:03 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 14:03 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 14:03 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 14:03 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 14:03 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 14:03 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 14:03 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 14:02 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 14:02 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 14:02 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 15:55 . 2009-04-15 17:40 81920 ----a-w c:\windows\system32\ftp_non_crp.exe
2009-04-06 02:39 . 2008-04-14 00:12 218624 ----a-w c:\windows\system32\uxtheme.backup
2009-04-02 01:56 . 2009-04-02 01:56 -------- d-----w c:\documents and settings\Divilov\Application Data\Eltima Software
2009-03-22 18:12 . 2009-03-22 18:12 -------- d-----w c:\documents and settings\Divilov\Application Data\SPSSInc
2009-03-22 17:30 . 2009-03-22 17:30 -------- d-----w c:\documents and settings\Divilov\.spss
2009-03-22 17:28 . 2009-04-11 15:30 114 ----a-w c:\windows\system32\prsgrc.tgz
2009-03-22 17:28 . 2009-03-22 17:28 1024 ----a-w c:\windows\system32\grcauth2.dll
2009-03-22 17:28 . 2009-03-22 17:28 1024 ----a-w c:\windows\system32\grcauth1.dll
2009-03-22 17:28 . 2009-03-22 17:28 -------- d-----w c:\documents and settings\All Users\Application Data\SafeNet Sentinel
2009-03-22 17:28 . 2009-03-22 17:28 -------- d-----w c:\documents and settings\All Users\Application Data\SPSS
2009-03-22 17:27 . 2009-03-22 17:27 219 ----a-w c:\windows\system32\lsprst7.tgz
2009-03-22 17:27 . 2009-03-22 17:27 16 ---h--w c:\windows\system32\servdat.slm
2009-03-22 17:27 . 2009-03-22 17:27 1025 ----a-w c:\windows\system32\sysprs7.tgz
2009-03-22 17:27 . 2009-03-22 17:27 1025 ----a-w c:\windows\system32\sysprs7.dll
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 17:45 . 2007-12-30 01:44 532 ----a-w C:\RTHDCPL_Dump.txt
2009-04-08 00:22 . 2009-04-08 00:21 -------- d-----w c:\program files\WinPcap
2009-04-08 00:19 . 2007-07-21 06:22 95408 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-08 00:19 . 2009-04-08 00:19 -------- d-----w c:\program files\LM Studio
2009-04-05 23:22 . 2008-05-24 05:15 -------- d-----w c:\program files\JDown
2009-04-05 04:47 . 2008-08-08 03:54 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-01 02:01 . 2009-04-01 02:01 -------- d-----w c:\program files\Alcohol Soft
2009-04-01 00:33 . 2008-01-02 19:39 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-30 16:45 . 2007-12-28 11:39 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-30 16:24 . 2008-05-26 20:57 -------- d-----w c:\program files\Fraps
2009-03-30 12:31 . 2007-07-21 02:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-22 17:28 . 2009-03-22 17:28 -------- d-----w c:\program files\Common Files\SPSS
2009-03-22 17:27 . 2009-03-22 17:27 -------- d-----w c:\program files\SPSSInc
2009-03-21 15:29 . 2009-03-21 15:29 -------- d-----w c:\program files\VALVe
2009-03-20 01:22 . 2009-03-20 01:22 -------- d-----w c:\program files\DAMN NFO Viewer
2009-03-19 01:15 . 2009-03-19 01:15 -------- d-----w c:\program files\Azure Gaming
2009-03-18 03:42 . 2009-03-18 03:42 -------- d-----w c:\documents and settings\All Users\Application Data\WotT
2009-03-16 03:58 . 2009-03-16 03:58 115936 ----a-w c:\windows\system32\drivers\prodrv03.sys
2009-03-11 00:20 . 2008-01-20 17:43 -------- d-----w c:\program files\PB
2009-03-10 23:25 . 2008-01-14 03:55 -------- d-----w c:\program files\DAEMON Tools Pro
2009-03-06 14:22 . 2008-08-31 11:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 19:31 . 2008-02-04 21:24 79268 ---ha-w c:\windows\system32\mlfcache.dat
2009-03-03 00:18 . 2007-02-20 09:52 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 23:05 . 2009-03-02 23:05 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-02 16:53 . 2009-03-02 16:53 -------- d-----w c:\documents and settings\Divilov\Application Data\Foxit
2009-03-01 20:17 . 2009-03-01 20:10 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-01 20:17 . 2007-12-27 18:14 -------- d-----w c:\program files\Java
2009-02-24 19:36 . 2009-02-24 19:36 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-02-20 18:09 . 2008-08-31 11:57 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 03:46 . 2008-08-06 10:05 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-19 12:54 . 2009-02-19 12:54 -------- d-----w c:\documents and settings\Divilov\Application Data\Malwarebytes
2009-02-18 15:07 . 2009-02-18 15:07 -------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-02-12 15:07 . 2009-01-14 15:26 413696 ----a-w c:\windows\system32\wrap_oal.dll
2009-02-12 15:07 . 2009-01-14 15:26 110592 ----a-w c:\windows\system32\OpenAL32.dll
2009-02-09 12:10 . 2008-08-31 11:56 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-08-31 11:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2008-08-31 11:56 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-08-31 11:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2008-08-31 11:56 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2008-08-31 11:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-08-31 11:56 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 05:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-08-31 11:56 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-08-31 11:56 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-28 14:57 . 2009-01-28 14:57 77060 ----a-w C:\svf_info.txt
2009-01-26 17:27 . 2008-03-17 22:59 202032 ----a-w c:\windows\system32\PnkBstrB.exe
2009-01-23 06:02 . 2008-01-19 02:01 22328 ----a-w c:\documents and settings\Divilov\Application Data\PnkBstrK.sys
2009-01-23 06:01 . 2008-03-17 22:59 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-01-23 06:01 . 2008-04-12 22:35 2337865 ----a-w c:\windows\system32\pbsvc.exe
2009-01-23 01:17 . 2009-01-23 01:17 42320 ----a-w c:\windows\system32\xfcodec.dll
2007-12-27 18:09 . 2007-12-27 18:09 130 ----a-w c:\documents and settings\Divilov\Local Settings\Application Data\fusioncache.dat
2007-07-21 06:22 . 2007-12-27 18:08 68456 ----a-w c:\documents and settings\Divilov\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-31 16:04 . 2008-08-31 16:04 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008083120080901\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-18_13.57.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 17:45 . 2009-04-18 17:45 16384 c:\windows\temp\Perflib_Perfdata_6e8.dat
+ 2008-08-31 11:56 . 2008-04-14 00:11 52736 c:\windows\system32\dllcache\basesrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-01 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-12-20 16860672]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh

R3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe [2005-02-15 81920]
R3 FStarForce;FStarForce;c:\windows\system32\DRIVERS\FStarForce.sys [2009-01-01 8192]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
S1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2007-08-27 26768]
S1 prodrv03;Star Force copy protection driver v3;c:\windows\system32\drivers\prodrv03.sys [2009-03-16 115936]
S2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
S2 netlimiter;netlimiter;c:\windows\system32\drivers\netlimiter.sys [2006-10-03 18072]
S2 netlock;netlock;c:\windows\system32\drivers\netlock.sys [2007-05-30 14616]
S2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-06-13 15640]
S2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-11-09 10944]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-02-15 20:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - component: c:\documents and settings\Divilov\Application Data\Mozilla\Firefox\Profiles\4wbj4hia.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 13:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ovfsthjnvdokwpdwehwaivkipxbbuttesibgkv]
"imagepath"="\systemroot\system32\drivers\ovfsthdyirjxbqbruvooetoirfopxlbcyavyqm.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c2,2b,07,7a,e3,7d,53,ec,63,47,d5,a7,1f,c2,14,36,dc,c0,ac,d0,50,79,a9,
e1,e3,62,d0,53,33,cf,85,a8,90,95,32,4d,42,70,70,a3,66,59,ef,6b,ea,59,c5,54,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1269103037-3874296902-2670244853-1008\Software\SecuROM\License information*]
"datasecu"=hex:df,e5,ea,76,71,90,73,86,f2,3b,64,e1,44,75,32,48,0e,0d,17,d9,a4,
7d,9d,b1,b2,f8,5f,13,8a,bd,a1,55,fd,d0,43,89,5a,c2,94,27,4f,b8,86,97,26,e7,\
"rkeysecu"=hex:65,18,48,8e,28,49,90,6b,b5,75,cc,af,3d,1e,4d,fa
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1116)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1332)
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\matlab\webserver\bin\win32\matlabserver.exe
c:\acer\LANScope Agent\lockkm.exe
c:\windows\system32\nvsvc32.exe
c:\matlab\bin\win32\MATLAB.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-18 13:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 17:49
ComboFix2.txt 2009-04-18 14:00

Pre-Run: 38,777,741,312 bytes free
Post-Run: 38,761,951,232 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
304 --- E O F --- 2009-04-18 13:58




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:40 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6457 bytes

Shaba
2009-04-18, 21:43
* Download GMER from
here (http://www.gmer.net/gmer.zip):
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

voolak
2009-04-19, 03:09
I think you meant the "rootkit/malware" tab not the "rootkit" tab.

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-18 20:08:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spap.sys ZwCreateKey [0xBA6A80E0]
SSDT spap.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spap.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT spap.sys ZwOpenKey [0xBA6A80C0]
SSDT spap.sys ZwQueryKey [0xBA6C7108]
SSDT spap.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spap.sys ZwSetValueKey [0xBA6C719A]

INT 0x73 ? 8A2A7F00
INT 0x73 ? 8A2A7F00
INT 0x83 ? 8A414BF8
INT 0xA4 ? 8A2A7F00
INT 0xB4 ? 8A2A7F00

Code \??\C:\DOCUME~1\Divilov\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? spap.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B7E2B8AC 5 Bytes JMP 8A2A74E0
.text ahp5rsag.SYS B7D83384 1 Byte [20]
.text ahp5rsag.SYS B7D83384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text ahp5rsag.SYS B7D833AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text ahp5rsag.SYS B7D833C4 3 Bytes [00, 00, 00]
.text ahp5rsag.SYS B7D833C9 1 Byte [00]
.text ...
? C:\DOCUME~1\Divilov\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1584] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spap.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spap.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spap.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spap.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spap.sys
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!READ_PORT_UCHAR] 0000008E
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!KeGetCurrentIrql] 00000043
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!KfRaiseIrql] 00000044
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!KfLowerIrql] 000000C4
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!HalGetInterruptVector] 000000DE
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!HalTranslateBusAddress] 000000E9
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!KeStallExecutionProcessor] 000000CB
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!KfReleaseSpinLock] 00000054
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0000007B
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!READ_PORT_USHORT] 00000094
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000032
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[HAL.dll!WRITE_PORT_UCHAR] 000000A6
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[WMILIB.SYS!WmiSystemControl] 00000023
IAT \SystemRoot\System32\Drivers\ahp5rsag.SYS[WMILIB.SYS!WmiCompleteRequest] 0000003D
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spap.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A4131F8

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Ip netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)

Device \Driver\usbohci \Device\USBPDO-0 8A2A51F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A3A31F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A3A31F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A3A31F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A3A31F8
Device \Driver\usbohci \Device\USBPDO-1 8A2A51F8
Device \Driver\prodrv03 \Device\ProDrv03 891128B8
Device \Driver\usbohci \Device\USBPDO-2 8A2A51F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2BF819BC-5DA0-4F6F-8FBE-1A9BD07A90C7} netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
Device \Driver\NetBT \Device\NetBT_Tcpip_{2BF819BC-5DA0-4F6F-8FBE-1A9BD07A90C7} 89BA11F8
Device \Driver\usbohci \Device\USBPDO-3 8A2A51F8
Device \Driver\usbohci \Device\USBPDO-4 8A2A51F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Tcp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)

Device \Driver\usbehci \Device\USBPDO-5 8A26D1F8
Device \Driver\PCI_PNP6674 \Device\00000057 spap.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A4151F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A4151F8
Device \Driver\Cdrom \Device\CdRom0 8A2B51F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A4151F8
Device \Driver\Cdrom \Device\CdRom1 8A2B51F8
Device \Driver\NetBT \Device\NetBt_Wins_Export netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
Device \Driver\NetBT \Device\NetBt_Wins_Export 89BA11F8
Device \Driver\sptd \Device\1513996674 spap.sys
Device \Driver\NetBT \Device\NetbiosSmb netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
Device \Driver\NetBT \Device\NetbiosSmb 89BA11F8

AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\Udp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp netlimiter.sys
AttachedDevice \Driver\Tcpip \Device\RawIp netlock.sys (OSA Network Driver Driver/OSA Technologies, An Avocent Company)

Device \Driver\usbohci \Device\USBFDO-0 8A2A51F8
Device \Driver\usbohci \Device\USBFDO-1 8A2A51F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89B8C1F8
Device \Driver\usbohci \Device\USBFDO-2 8A2A51F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89B8C1F8
Device \Driver\usbohci \Device\USBFDO-3 8A2A51F8
Device \Driver\Ftdisk \Device\FtControl 8A4151F8
Device \Driver\usbohci \Device\USBFDO-4 8A2A51F8
Device \Driver\usbehci \Device\USBFDO-5 8A26D1F8
Device \Driver\ahp5rsag \Device\Scsi\ahp5rsag1Port4Path0Target0Lun0 8A2A8500
Device \Driver\ahp5rsag \Device\Scsi\ahp5rsag1 8A2A8500
Device \FileSystem\Fastfat \Fat 891741F8
Device \FileSystem\Fastfat \Fat B2ABB297

AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 89B5A500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0xF7 0x75 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x04 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0x69 0x25 0x78 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF1 0x69 0xF2 0xBB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0x45 0x57 0x94 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x84 0xD5 0x38 0x2F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6D 0xBC 0x6F 0x9B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x04 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x6F 0xAB 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF1 0x69 0xF2 0xBB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC4 0xD1 0x7E 0x98 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x84 0xD5 0x38 0x2F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6D 0xBC 0x6F 0x9B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x04 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x6F 0xAB 0x8A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF1 0x69 0xF2 0xBB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC4 0xD1 0x7E 0x98 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x84 0xD5 0x38 0x2F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAE 0xF7 0x75 0x0D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x04 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0x69 0x25 0x78 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF1 0x69 0xF2 0xBB ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA4 0x45 0x57 0x94 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x84 0xD5 0x38 0x2F ...

---- EOF - GMER 1.0.15 ----

Shaba
2009-04-19, 11:31
Yes, my bad.

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

voolak
2009-04-21, 00:37
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, April 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, April 20, 2009 20:18:21
Records in database: 2063871
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 205639
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:18:00


File name / Threat name / Threats count
C:\Invision\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Invision\mirc.exe.bak Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:58 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\LANScope Agent\awtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\LANScope Agent\awServ.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\MATLAB\webserver\bin\win32\matlabserver.exe
C:\Acer\LANScope Agent\LockKM.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Divilov\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [AdminWorks Tray] "C:\Acer\LANScope Agent\awtray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198781864515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209481842781
O23 - Service: Acer ODDSpeedControl - TODO: <????> - C:\Acer\Empowering Technology\eAcoustics\ODDSpeedCtl\speedcontrol.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Acer\LANScope Agent\awServ.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB\webserver\bin\win32\matlabserver.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6466 bytes

Shaba
2009-04-21, 07:53
That looks good :)

Still problems?

voolak
2009-04-21, 19:38
yeah i am still getting redirected in google...

Shaba
2009-04-21, 19:54
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Double-click GooredFix.exe to run it.
Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

voolak
2009-04-22, 00:47
GooredFix v1.92 by jpshortstuff
Log created at 17:46 on 21/04/2009 running Option #1 (Divilov)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{BA36E0AA-43E0-4DA5-82AD-95BDF464088A}

C:\Program Files\Mozilla Firefox\extensions\{8294F56A-5380-4EB2-84F3-C10C0F3D87F4}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

Shaba
2009-04-22, 07:14
Please double-click GooredFix.exe on your Desktop to run it.
Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

voolak
2009-04-22, 19:54
GooredFix v1.92 by jpshortstuff
Log created at 12:52 on 22/04/2009 running Option #2 (Divilov)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{BA36E0AA-43E0-4DA5-82AD-95BDF464088A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{8294F56A-5380-4EB2-84F3-C10C0F3D87F4}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

Shaba
2009-04-22, 19:57
OK it is gone now.

Still google redirects?

voolak
2009-04-22, 22:14
Yeah it's gone, thanks a lot

Shaba
2009-04-22, 22:16
Good :)

Still some issues left?

voolak
2009-04-23, 19:45
no ty you can go ahead and lock this thread.

Shaba
2009-04-23, 19:58
Before that see below for final instructions:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes''Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:

voolak
2009-04-24, 01:01
Thanks some of those tips were good, I'll always practice safe hex(whatever hexing means):D:

Shaba
2009-04-26, 12:01
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.