
Thread: IE and Firefox search results hijacked - redirects to adware/alternate search sites

  1. #1
    Junior Member
    Join Date
    Jun 2009
    Posts
    12

    IE and Firefox search results hijacked - redirects to adware/alternate search sites

    I noticed this recently happening (the past week), first in Firefox, then in IE. In the last day I have done these items:

    Scanned with ZoneAlarm AntiVirus and Antispyware - Nothing found
    Scanned with Malwarebytes Antimalware - Nothing found
    Investigated HTTP requests on redirected search results with HTTPWatch
    Scanned with SpybotSD - Nothing but some cookies found
    Scanned with HijackThis - Read through it, researching what I could, but took no action
    Uninstalled Firefox
    Reinstalled Firefox

    I have seen multiple solutions but have yet to try any besides reinstalling, because there is always a difference in PC symptoms. Any help you can provide is appreciated.

    Here is the current HT Logfile:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:20:32 PM, on 6/25/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Songbird\songbirditunesagent.exe
    C:\Documents and Settings\Kris\Kris.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Songbird\songbird.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.mwcorporate.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: HttpWatch Professional - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchscpro.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [sbitunesagent] C:\Program Files\Songbird\songbirditunesagent.exe
    O4 - HKCU\..\Run: [Kris] C:\Documents and Settings\Kris\Kris.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
    O9 - Extra 'Tools' menuitem: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7593 bytes
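A small triage helper for the HijackThis log format quoted in this post, added here as an example (it is not HijackThis code and not a tool the forum helpers use): it parses the R/O entries, records which hive and file path each autorun points at, collects the IE start/search page values, and flags entries that launch from a user-profile or unrecognised location for a closer manual look. The sample lines are a subset copied from the log above; the location classes and the review rule are assumptions of this example, not findings from the thread.

```python
"""Triage helper for HijackThis-style log lines (added example; not HijackThis code
and not a tool the forum helpers use). Location classes and the review rule are
this example's assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the entries from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.mwcorporate.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Kris] C:\Documents and Settings\Kris\Kris.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
HIVE_RE = re.compile(r"\b(HKLM|HKCU|HKU)\b")
# A Windows path from the drive letter up to the first executable/library/link extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|htm|lnk)', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
AUTORUN_SECTIONS = {"O4", "O20", "O21", "O22", "O23"}   # sections whose entries run code
SYSTEM_PREFIXES = ("c:\\windows\\",)                     # assumed location classes
PROGRAM_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\")
USER_PREFIXES = ("c:\\documents and settings\\", "c:\\users\\")


@dataclass
class Entry:
    section: str         # HijackThis section code, e.g. "R0", "O4", "O23"
    hive: Optional[str]  # registry hive named in the entry, when there is one
    name: Optional[str]  # value name, BHO/service display name, or IE setting name
    path: Optional[str]  # file the entry launches/loads, or the URL it sets
    raw: str


def parse_entry(line: str) -> Optional[Entry]:
    """Split one log line into its parts; None for lines that are not R/F/N/O entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    hive = HIVE_RE.search(body)
    bracket = re.search(r"\[([^\]]+)\]", body)
    if bracket:                      # O4 style: [ValueName] path
        name = bracket.group(1)
    elif ": " in body:               # "BHO: Name - {CLSID} - path" or "AppInit_DLLs: path"
        head, rest = body.split(": ", 1)
        name = rest.split(" - ", 1)[0] if " - " in rest else head
    elif " = " in body:              # R0/R1 style: Key,ValueName = URL
        name = body.split(" = ", 1)[0].split(",")[-1]
    else:
        name = None
    target = PATH_RE.search(body) or URL_RE.search(body)
    return Entry(section, hive.group(1) if hive else None, name,
                 target.group(0) if target else None, line.strip())


def classify_path(path: str) -> str:
    """Coarse location class of a file path (the prefix lists above are assumptions)."""
    p = path.lower()
    if p.startswith(SYSTEM_PREFIXES):
        return "system"
    if p.startswith(PROGRAM_PREFIXES):
        return "program_files"
    if p.startswith(USER_PREFIXES):
        return "user_profile"
    return "other"


def triage(log_text: str) -> List[Dict[str, object]]:
    """One finding per autorun entry. 'review' marks entries launched from a user-profile
    or unrecognised location, the usual first thing to check by hand; it is a hint to
    look closer, not a verdict that the file is malicious."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None or e.section not in AUTORUN_SECTIONS or e.path is None:
            continue
        location = classify_path(e.path)
        findings.append({"section": e.section, "hive": e.hive, "name": e.name,
                         "path": e.path, "location": location,
                         "review": location in ("user_profile", "other")})
    return findings


def search_settings(log_text: str) -> Dict[str, str]:
    """IE start/search page values (R0/R1), to compare against the expected defaults."""
    return {e.name: e.path for e in map(parse_entry, log_text.splitlines())
            if e and e.section.startswith("R") and e.name and e.path}


if __name__ == "__main__":
    for key, url in search_settings(SAMPLE_LOG).items():
        print(f"{key:>20}: {url}")
    for f in triage(SAMPLE_LOG):
        print("REVIEW" if f["review"] else "ok    ", f["section"], f["location"], f["path"])
```

Run against the sample, the only entry flagged is the HKCU Run value that launches from the user's profile folder; everything else resolves to Windows or Program Files locations.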

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi sictransit

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Jun 2009
    Posts
    12


    Hi Shaba

    Here is the HJT Uninstall List:

    Acrobat.com
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1.1
    AnswerWorks 5.0 English Runtime
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Display Driver
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    Compatibility Pack for the 2007 Office system
    Counter-Strike
    CPUID CPU-Z 1.51
    Critical Update for Windows Media Player 11 (KB959772)
    ERUNT 1.1j
    Exact Audio Copy 0.99pb5
    Google Desktop
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    GTK+ Runtime 2.14.7 rev a (remove only)
    Half-Life 2
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    HttpWatch Professional 6.1.35
    IrfanView (remove only)
    iTunes
    Just Great Software EditPad Lite 6.4.3
    Last.fm 1.5.4.24567
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Basic Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Mozilla Firefox (3.0.11)
    Pidgin
    Quicken 2009
    QuickTime
    RollerCoaster Tycoon 2
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Songbird 1.2.0 (Build 1146)
    Sothink SWF Decompiler
    SoundMAX
    Spybot - Search & Destroy
    Steam
    Team Fortress 2
    TweetDeck
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VC 9.0 Runtime
    VirtualCloneDrive
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    ZoneAlarm Security Suite

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

    uTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    Please run a new HijackThis log scan when finished and post the log back here.

  5. #5
    Junior Member
    Join Date
    Jun 2009
    Posts
    12


    Uninstalled uTorrent.

    Below is the updated HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:01:46 PM, on 6/27/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Songbird\songbirditunesagent.exe
    C:\Documents and Settings\Kris\Kris.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.mwcorporate.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: HttpWatch Professional - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchscpro.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [sbitunesagent] C:\Program Files\Songbird\songbirditunesagent.exe
    O4 - HKCU\..\Run: [Kris] C:\Documents and Settings\Kris\Kris.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
    O9 - Extra 'Tools' menuitem: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7379 bytes

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized).

  7. #7
    Junior Member
    Join Date
    Jun 2009
    Posts
    12


    Log.txt

    Logfile of random's system information tool 1.06 (written by random/random)
    Run by Kris at 2009-06-27 13:18:08
    Microsoft Windows XP Professional Service Pack 3
    System drive C: has 53 GB (70%) free of 76 GB
    Total RAM: 3294 MB (61% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:18:09 PM, on 6/27/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Songbird\songbirditunesagent.exe
    C:\Documents and Settings\Kris\Kris.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\TweetDeck\TweetDeck.exe
    C:\Program Files\Songbird\songbird.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Kris\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Kris.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.mwcorporate.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: HttpWatch Professional - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchscpro.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [sbitunesagent] C:\Program Files\Songbird\songbirditunesagent.exe
    O4 - HKCU\..\Run: [Kris] C:\Documents and Settings\Kris\Kris.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
    O9 - Extra 'Tools' menuitem: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7671 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
    Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-17 259696]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll [2009-06-19 669168]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
    Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll [2009-05-17 470512]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F1F69322-008F-4895-B2BF-AD194219825A}]
    HttpWatch Professional - C:\Program Files\HttpWatch\httpwatchscpro.dll [2009-05-21 287472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-05-17 259696]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2006-05-01 843776]
    "Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
    "VirtualCloneDrive"=C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [2009-01-29 52392]
    "QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
    "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-05-30 292136]
    "Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-06-07 30192]
    "ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2009-05-28 1005960]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-05-17 39408]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
    "sbitunesagent"=C:\Program Files\Songbird\songbirditunesagent.exe [2009-06-16 229376]
    "Kris"=C:\Documents and Settings\Kris\Kris.exe [2009-06-19 69632]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Windows Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

    C:\Documents and Settings\Kris\Start Menu\Programs\Startup
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    C:\WINDOWS\system32\Ati2evxx.dll [2007-07-27 118784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\Program Files\Steam\steamapps\kizzer505\counter-strike\hl.exe"="C:\Program Files\Steam\steamapps\kizzer505\counter-strike\hl.exe:*:Enabled:Half-Life Launcher"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    ======List of files/folders created in the last 1 months======

    2009-06-27 13:18:07 ----D---- C:\rsit
    2009-06-25 18:36:28 ----D---- C:\WINDOWS\Minidump
    2009-06-25 12:05:33 ----D---- C:\WINDOWS\ERDNT
    2009-06-25 12:04:58 ----D---- C:\Program Files\ERUNT
    2009-06-24 22:54:56 ----D---- C:\Documents and Settings\Kris\Application Data\Windows Search
    2009-06-24 19:48:51 ----D---- C:\Program Files\Spybot - Search & Destroy
    2009-06-24 19:48:51 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2009-06-24 19:33:31 ----D---- C:\Program Files\Trend Micro
    2009-06-24 17:08:22 ----D---- C:\Documents and Settings\Kris\Application Data\Malwarebytes
    2009-06-24 17:08:15 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2009-06-24 17:08:15 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2009-06-22 10:26:03 ----D---- C:\Program Files\Pidgin
    2009-06-19 17:34:53 ----D---- C:\Program Files\Common Files\SourceTec
    2009-06-19 17:34:51 ----D---- C:\Program Files\SourceTec
    2009-06-19 15:57:52 ----D---- C:\Documents and Settings\Kris\Application Data\Songbird2
    2009-06-19 15:56:51 ----D---- C:\Program Files\Songbird
    2009-06-19 13:21:00 ----D---- C:\Documents and Settings\Kris\Application Data\AccurateRip
    2009-06-19 11:37:19 ----D---- C:\Program Files\TweetDeck
    2009-06-19 00:52:54 ----D---- C:\Program Files\Common Files\Blizzard Entertainment
    2009-06-19 00:52:51 ----D---- C:\Program Files\World of Warcraft Trial
    2009-06-18 13:23:08 ----D---- C:\Program Files\Exact Audio Copy
    2009-06-18 12:49:10 ----D---- C:\Program Files\IrfanView
    2009-06-18 09:57:24 ----D---- C:\Program Files\MSECache
    2009-06-10 09:53:14 ----D---- C:\Documents and Settings\Kris\Application Data\JGsoft
    2009-06-10 09:51:43 ----D---- C:\Program Files\JGsoft
    2009-06-10 09:51:43 ----A---- C:\WINDOWS\UnDeploy.exe
    2009-06-10 02:00:56 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
    2009-06-10 02:00:45 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
    2009-06-10 02:00:33 ----HDC---- C:\WINDOWS\$NtUninstallKB963093$
    2009-06-10 01:57:52 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
    2009-06-10 01:57:37 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
    2009-06-09 06:00:39 ----D---- C:\Program Files\SonicWallES
    2009-06-08 21:23:36 ----A---- C:\rollback.ini
    2009-06-08 17:59:08 ----D---- C:\Documents and Settings\Kris\Application Data\MailFrontier
    2009-06-08 17:51:09 ----A---- C:\WINDOWS\zllsputility.exe
    2009-06-08 17:51:01 ----A---- C:\WINDOWS\system32\vsregexp.dll
    2009-06-08 17:51:00 ----A---- C:\WINDOWS\system32\zlcommdb.dll
    2009-06-08 17:51:00 ----A---- C:\WINDOWS\system32\zlcomm.dll
    2009-06-08 17:50:54 ----A---- C:\WINDOWS\system32\zpeng25.dll
    2009-06-08 17:50:54 ----A---- C:\WINDOWS\system32\vswmi.dll
    2009-06-08 17:50:53 ----D---- C:\WINDOWS\system32\ZoneLabs
    2009-06-08 17:50:53 ----D---- C:\Program Files\Zone Labs
    2009-06-08 17:50:53 ----A---- C:\WINDOWS\system32\vsxml.dll
    2009-06-08 17:50:53 ----A---- C:\WINDOWS\system32\vspubapi.dll
    2009-06-08 17:50:53 ----A---- C:\WINDOWS\system32\vsmonapi.dll
    2009-06-08 17:11:00 ----A---- C:\WINDOWS\system32\vsutil.dll
    2009-06-08 17:11:00 ----A---- C:\WINDOWS\system32\vsinit.dll
    2009-06-08 17:11:00 ----A---- C:\WINDOWS\system32\vsdata.dll
    2009-06-08 17:10:56 ----D---- C:\WINDOWS\Internet Logs
    2009-06-08 13:50:08 ----D---- C:\Documents and Settings\Kris\Application Data\OfficeUpdate12
    2009-06-06 01:07:51 ----D---- C:\Program Files\Common Files\AnswerWorks 5.0
    2009-06-06 01:07:43 ----A---- C:\WINDOWS\system32\cdintf300.dll
    2009-06-06 01:07:43 ----A---- C:\WINDOWS\system32\acXMLParser.dll
    2009-06-06 01:07:37 ----D---- C:\Documents and Settings\Kris\Application Data\Intuit
    2009-06-06 01:07:20 ----D---- C:\Program Files\Common Files\Intuit
    2009-06-06 01:07:14 ----D---- C:\Program Files\Quicken
    2009-06-06 01:07:02 ----A---- C:\WINDOWS\QUICKEN.INI
    2009-06-06 01:06:12 ----D---- C:\Documents and Settings\All Users\Application Data\Intuit
    2009-06-04 00:14:30 ----D---- C:\Program Files\iPod
    2009-06-04 00:12:38 ----D---- C:\Program Files\QuickTime

    ======List of files/folders modified in the last 1 months======

    2009-06-27 13:12:08 ----D---- C:\WINDOWS\system32
    2009-06-27 12:01:16 ----RD---- C:\Program Files
    2009-06-27 11:49:36 ----D---- C:\Program Files\Mozilla Firefox
    2009-06-27 11:12:05 ----D---- C:\WINDOWS\Temp
    2009-06-26 19:46:01 ----D---- C:\Documents and Settings\Kris\Application Data\.purple
    2009-06-26 10:52:20 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-06-25 20:21:45 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-06-25 19:28:46 ----D---- C:\WINDOWS\Prefetch
    2009-06-25 18:36:28 ----D---- C:\WINDOWS
    2009-06-24 17:08:16 ----D---- C:\WINDOWS\system32\drivers
    2009-06-24 03:08:44 ----D---- C:\WINDOWS\Microsoft.NET
    2009-06-24 02:56:13 ----SHD---- C:\WINDOWS\Installer
    2009-06-23 20:02:53 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
    2009-06-19 17:34:53 ----D---- C:\Program Files\Common Files
    2009-06-19 00:43:23 ----D---- C:\Program Files\Steam
    2009-06-19 00:43:14 ----A---- C:\moduleName.txt
    2009-06-18 09:57:41 ----D---- C:\WINDOWS\WinSxS
    2009-06-18 09:57:40 ----RSD---- C:\WINDOWS\Fonts
    2009-06-18 09:57:36 ----D---- C:\Program Files\Microsoft Office
    2009-06-18 09:57:35 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2009-06-18 09:45:44 ----SHD---- C:\System Volume Information
    2009-06-10 09:45:12 ----D---- C:\WINDOWS\system32\wbem
    2009-06-10 09:45:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
    2009-06-10 09:22:38 ----D---- C:\Program Files\Windows Desktop Search
    2009-06-10 02:01:34 ----HD---- C:\WINDOWS\inf
    2009-06-10 02:01:28 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-06-10 02:01:26 ----D---- C:\Program Files\Internet Explorer
    2009-06-10 02:01:14 ----D---- C:\WINDOWS\ie8updates
    2009-06-10 02:01:06 ----HD---- C:\WINDOWS\$hf_mig$
    2009-06-10 02:01:02 ----A---- C:\WINDOWS\imsins.BAK
    2009-06-09 20:29:03 ----A---- C:\WINDOWS\win.ini
    2009-06-08 14:05:29 ----RSD---- C:\WINDOWS\assembly
    2009-06-08 14:04:53 ----D---- C:\Program Files\Microsoft Works
    2009-06-08 13:50:08 ----SD---- C:\WINDOWS\Downloaded Program Files
    2009-06-07 22:14:05 ----D---- C:\Program Files\Google
    2009-06-07 21:44:33 ----D---- C:\Documents and Settings\Kris\Application Data\Apple Computer
    2009-06-06 01:07:51 ----HD---- C:\Program Files\InstallShield Installation Information
    2009-06-04 00:14:48 ----D---- C:\Program Files\iTunes
    2009-06-04 00:14:29 ----D---- C:\Program Files\Common Files\Apple
    2009-06-04 00:11:04 ----DC---- C:\WINDOWS\system32\DRVSTORE
    2009-06-01 12:51:12 ----A---- C:\WINDOWS\system32\MRT.exe
    2009-05-31 17:14:07 ----SD---- C:\Documents and Settings\Kris\Application Data\Microsoft

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2009-02-17 24232]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
    R1 KLIF;KLIF; C:\WINDOWS\System32\DRIVERS\klif.sys [2009-02-17 150544]
    R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2009-05-28 365448]
    R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-05-22 230400]
    R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-07-27 2371584]
    R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568]
    R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
    R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
    R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
    R3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2007-07-18 264576]
    R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2006-03-17 392960]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
    S3 cpuz132;cpuz132; \??\C:\WINDOWS\system32\drivers\cpuz132_x32.sys []
    S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\system32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
    S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
    S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-05-29 144712]
    R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-07-27 483328]
    R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
    R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2009-05-28 2414984]
    R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-05-30 541992]
    S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-07-27 593920]
    S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
    S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
    S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
    S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-06-07 30192]
    S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-17 182768]
    S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
    S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

    -----------------EOF-----------------

    INFO.TXT

    info.txt logfile of random's system information tool 1.06 2009-06-27 13:18:11

    ======Uninstall list======

    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
    Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
    Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
    Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 9.1.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
    AnswerWorks 5.0 English Runtime-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}\setup.exe" -l0x9 -uninst -removeonly
    Apple Mobile Device Support-->MsiExec.exe /I{659B48CD-0608-4ED5-94C0-0B6C87114F10}
    Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
    ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
    ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
    Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
    Broadcom 440x 10/100 Integrated Controller-->MsiExec.exe /X{612B9183-67A9-4B44-9877-2F059E35B86A}
    Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
    Counter-Strike-->"C:\Program Files\Steam\steam.exe" steam://uninstall/10
    CPUID CPU-Z 1.51-->"C:\Program Files\CPUID\CPU-Z\unins000.exe"
    Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
    ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
    Exact Audio Copy 0.99pb5-->C:\Program Files\Exact Audio Copy\uninst.exe
    Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
    Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_BDA1448D3D255554.exe" /uninstall
    Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
    GTK+ Runtime 2.14.7 rev a (remove only)-->C:\Program Files\Common Files\GTK\2.0\uninst.exe
    Half-Life 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/220
    HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
    Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
    HttpWatch Professional 6.1.35-->C:\Program Files\HttpWatch\uninstall.exe
    IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
    iTunes-->MsiExec.exe /I{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}
    Just Great Software EditPad Lite 6.4.3-->C:\WINDOWS\UnDeploy.exe "C:\Program Files\JGsoft\EditPadLite\Deploy.log"
    Last.fm 1.5.4.24567-->"C:\Program Files\Last.fm\unins000.exe"
    Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
    Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
    Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
    Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
    Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
    Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
    Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
    Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
    Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Mozilla Firefox (3.0.11)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    Pidgin-->C:\Program Files\Pidgin\pidgin-uninst.exe
    Quicken 2009-->MsiExec.exe /X{ED2A3C11-3EA8-4380-B59C-F2C1832731B0}
    QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
    RollerCoaster Tycoon 2-->C:\PROGRA~1\INFOGR~1\ROLLER~1\UNWISE.EXE C:\PROGRA~1\INFOGR~1\ROLLER~1\INSTALL.LOG
    Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
    Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
    Security Update for Windows Search 4 - KB963093-->"C:\WINDOWS\$NtUninstallKB963093$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
    Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
    Songbird 1.2.0 (Build 1146)-->"C:\Program Files\Songbird\Songbird-Uninstall.exe"
    Sothink SWF Decompiler-->"C:\Program Files\SourceTec\Sothink SWF Decompiler\unins000.exe"
    SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
    Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
    Team Fortress 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/440
    TweetDeck-->MsiExec.exe /X{0FA9A7F0-B2B3-52C9-2034-5F28C9DB525C}
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
    Update for Windows Internet Explorer 8 (KB969497)-->"C:\WINDOWS\ie8updates\KB969497-IE8\spuninst\spuninst.exe"
    Update for Windows XP (KB943729)-->"C:\WINDOWS\$NtUninstallKB943729$\spuninst\spuninst.exe"
    Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
    VC 9.0 Runtime-->MsiExec.exe /I{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}
    VirtualCloneDrive-->"C:\Program Files\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.exe" /D="C:\Program Files\Elaborate Bytes\VirtualCloneDrive"
    Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
    Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
    Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
    Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
    Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
    Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
    ZoneAlarm Security Suite-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

    ======Security center information======

    AV: ZoneAlarm Security Suite Antivirus
    FW: ZoneAlarm Security Suite Firewall

    ======System event log======

    Computer Name: HNQG8C1
    Event Code: 4226
    Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

    Record Number: 537
    Source Name: Tcpip
    Time Written: 20090521194607.000000-240
    Event Type: warning
    User:

    Computer Name: HNQG8C1
    Event Code: 50
    Message: {Delayed Write Failed}
    Windows was unable to save all the data for the file . The data has been lost.
    This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

    Record Number: 518
    Source Name: Fastfat
    Time Written: 20090521165501.000000-240
    Event Type: warning
    User:

    Computer Name: HNQG8C1
    Event Code: 36
    Message: The time service has not been able to synchronize the system time
    for 49152 seconds because none of the time providers has been able to
    provide a usable time stamp. The system clock is unsynchronized.

    Record Number: 504
    Source Name: W32Time
    Time Written: 20090521091131.000000-240
    Event Type: warning
    User:

    Computer Name: HNQG8C1
    Event Code: 20
    Message: Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- mxdwdrv.dll, unidrvui.dll, mxdwdui.gpd, unidrv.hlp, mxdwdui.dll, mxdwdui.ini, stddtype.gdl, stdnames.gpd, stdschem.gdl, stdschmx.gdl, unidrv.dll, unires.dll, XpsSvcs.dll.

    Record Number: 367
    Source Name: Print
    Time Written: 20090517152139.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM

    Computer Name: HNQG8C1
    Event Code: 20
    Message: Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- mxdwdrv.dll, unidrvui.dll, mxdwdui.gpd, unidrv.hlp, mxdwdui.dll, mxdwdui.ini, stddtype.gdl, stdnames.gpd, stdschem.gdl, stdschmx.gdl, unidrv.dll, unires.dll, XpsSvcs.dll.

    Record Number: 366
    Source Name: Print
    Time Written: 20090517152137.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM

    =====Application event log=====

    Computer Name: HNQG8C1
    Event Code: 5603
    Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

    Record Number: 18
    Source Name: WinMgmt
    Time Written: 20090517120804.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM

    Computer Name: HNQG8C1
    Event Code: 5603
    Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

    Record Number: 17
    Source Name: WinMgmt
    Time Written: 20090517120804.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM

    Computer Name: HNQG8C1
    Event Code: 63
    Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

    Record Number: 13
    Source Name: WinMgmt
    Time Written: 20090517120506.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM

    Computer Name: HNQG8C1
    Event Code: 63
    Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

    Record Number: 12
    Source Name: WinMgmt
    Time Written: 20090517120506.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM

    Computer Name: HNQG8C1
    Event Code: 63
    Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

    Record Number: 11
    Source Name: WinMgmt
    Time Written: 20090517120504.000000-240
    Event Type: warning
    User: NT AUTHORITY\SYSTEM

    ======Environment variables======

    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
    "PROCESSOR_REVISION"=0409
    "NUMBER_OF_PROCESSORS"=2
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
    "QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
    "tvdumpflags"=8

    -----------------EOF-----------------

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Download gmer.zip and save to your desktop.
    alternate download site
    • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
    • When you have done this, disconnect from the Internet and close all running programs.
      There is a small chance this application may crash your computer so save any work you have open.
    • Double-click on Gmer.exe to start the program.
    • Allow the gmer.sys driver to load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
    • Click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Click on the "Scan" button and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
    • Note: If you have any problems, try running GMER in SAFE MODE.

    Important! Please do not select the "Show all" checkbox during the scan.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Jun 2009
    Posts
    12

    Default

    Gmer.txt

    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-06-27 15:10:34
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    Code 8A407550 ZwEnumerateKey
    Code 8A3D5A38 ZwFlushInstructionCache
    Code 8A404F2E IofCallDriver
    Code 8A400646 IofCompleteRequest

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8A404F33
    .text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8A40064B
    PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8A3D5A3C
    PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 8A407554
    ? srescan.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[260] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
    .text C:\WINDOWS\system32\wscntfy.exe[708] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007C000A
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[716] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BC000A
    .text C:\Documents and Settings\Kris\Desktop\gmer\gmer.exe[760] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003F000A
    .text C:\WINDOWS\Explorer.EXE[788] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A6000A
    .text ...
    .text C:\WINDOWS\system32\SearchIndexer.exe[1328] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\system32\Ati2evxx.exe[1392] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0039000A
    .text C:\Program Files\iPod\bin\iPodService.exe[1600] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0079000A
    .text C:\WINDOWS\system32\svchost.exe[2392] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 007C000A
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[2792] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C5000A
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[2860] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BA000A
    .text ...

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B7E198D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7E196E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B7E1A010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E17C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E17C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B7E198D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7E196E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B7E1A010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B7E198D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B7E17C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B7E1A010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7E196E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B7E1A010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7E196E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B7E198D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E17C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B7E198D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7E196E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B7E1A010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B7E198D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B7E17C40] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B7E1A010] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7E196E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
    Device \FileSystem\Fastfat \Fat B32C4D20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\drivers\SKYNETbqodotnb.sys (*** hidden *** ) [SYSTEM] SKYNETuyrulvbo <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo@imagepath \systemroot\system32\drivers\SKYNETbqodotnb.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\main
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\main@aid 10061
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\main@sid 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\main@cmddelay 7200
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\main\connections
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\main\delete
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\main\injector
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\main\injector@* SKYNETwsp.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\main\tasks
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETbqodotnb.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\modules@SKYNETcmd.dll \systemroot\system32\SKYNETebiqtgow.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\modules@SKYNETlog.dat \systemroot\system32\SKYNETkmttjxdq.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\modules@SKYNETwsp.dll \systemroot\system32\SKYNETgoxujcvn.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETuyrulvbo\modules@SKYNET.dat \systemroot\system32\SKYNETvymxuevr.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo@start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo@type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo@group file system
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo@imagepath \systemroot\system32\drivers\SKYNETbqodotnb.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\main
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\main@aid 10061
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\main@sid 0
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\main@cmddelay 7200
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\main\connections
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\main\delete
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\main\injector
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\main\injector@* SKYNETwsp.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\main\tasks
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\modules
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETbqodotnb.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\modules@SKYNETcmd.dll \systemroot\system32\SKYNETebiqtgow.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\modules@SKYNETlog.dat \systemroot\system32\SKYNETkmttjxdq.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\modules@SKYNETwsp.dll \systemroot\system32\SKYNETgoxujcvn.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETuyrulvbo\modules@SKYNET.dat \systemroot\system32\SKYNETvymxuevr.dat

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\SKYNETbqodotnb.sys 69120 bytes executable <-- ROOTKIT !!!
    File C:\WINDOWS\system32\SKYNETebiqtgow.dll 44032 bytes executable
    File C:\WINDOWS\system32\SKYNETgoxujcvn.dll 20992 bytes executable
    File C:\WINDOWS\system32\SKYNETkmttjxdq.dat 90946 bytes
    File C:\WINDOWS\system32\SKYNETvymxuevr.dat 93 bytes
    File C:\WINDOWS\Temp\SKYNETmiggalvstm.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETuykhydxwgx.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETmqsmqgichi.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETodaujsakih.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETovrsktruyr.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNEToysghdyggs.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETpfhxjipomr.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETpidjviujwc.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETpjrurjxjsd.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETpnuwmnjtam.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETpsuytevrae.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETqccoqiquxs.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETqpxmbdxdcd.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETqqynshqfeh.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETrbkpqhuyms.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETrddtleqcxy.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETrebxraqyur.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETtpwnbhesmb.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETtuuiiyhruv.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETtwqdduqcsi.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETurovmpljim.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETamsnemjtqh.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETariheqsvsl.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETawgnegfrin.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETbfpouuuadt.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETbujvikbqkw.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETbyauxvwcph.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETcludaiqixg.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETdqidlcgiop.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETdsfgbjhxwa.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETetyyefwwbi.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETfuiuxfvnst.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETgdnaotnjct.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETgglthowcbv.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETgogpgisrxo.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNEThfvqsikrtn.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNEThugtbxxpys.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNEThwhxqmliis.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETijrjvtolna.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETioucrlysbp.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETjawokkpenb.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETjocpcvudvv.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETjodguwkqsg.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETlobkjpbiqp.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETlyjitrdkmg.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETmdaybkvexb.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETmegdxepmkp.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETvnptuebntx.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETvtrfhbbljy.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETvvctwpdqyt.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETwmvcvbvudo.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETwuccsxaety.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETwvkpjkbdeq.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETxiruhyqsjr.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETxouqfviqdf.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETxqswbbvqgp.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETycnyinnxvi.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETyjavnsgvds.tmp 18944 bytes executable
    File C:\WINDOWS\Temp\SKYNETyljlopdhqp.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\SKYNETyugakkqkll.tmp 20992 bytes executable
    File C:\WINDOWS\Temp\Temporary Internet Files 0 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5 0 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3PQJL6AF 0 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3PQJL6AF\061-4512.English[1].dist 6760 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3PQJL6AF\061-4609.English[1].dist 18471 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3PQJL6AF\061-5850.English[1].dist 17749 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3PQJL6AF\061-6273.English[1].dist 17079 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3PQJL6AF\061-6667.English[1].dist 33042 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\3PQJL6AF\desktop.ini 67 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini 67 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G80FF00M 0 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G80FF00M\061-4200.English[1].dist 6293 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G80FF00M\061-4514.English[1].dist 6484 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G80FF00M\061-5790.English[1].dist 17755 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G80FF00M\061-6235.English[1].dist 18227 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G80FF00M\061-6310.English[1].dist 17941 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G80FF00M\061-6704.English[1].dist 19443 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G80FF00M\desktop.ini 67 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat 49152 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NFNYQGY2 0 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NFNYQGY2\061-4513.English[1].dist 6869 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NFNYQGY2\061-4972.English[1].dist 17087 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NFNYQGY2\061-6116.English[1].dist 24791 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NFNYQGY2\061-6274.English[1].dist 17070 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NFNYQGY2\061-6684.English[1].dist 28797 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NFNYQGY2\desktop.ini 67 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\NFNYQGY2\index-windows-1[1].sucatalog 75505 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\TDI8ZLWK 0 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\TDI8ZLWK\061-3452.English[1].dist 3742 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\TDI8ZLWK\061-4249.English[1].dist 6025 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\TDI8ZLWK\061-4608.English[1].dist 18478 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\TDI8ZLWK\061-5849.English[1].dist 3161 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\TDI8ZLWK\061-6236.English[1].dist 18218 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\TDI8ZLWK\061-6666.English[1].dist 33769 bytes
    File C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\TDI8ZLWK\desktop.ini 67 bytes
    File C:\WINDOWS\Temp\WGAErrLog.txt 483 bytes
    File C:\WINDOWS\Temp\ZLT018b8.TMP 256 bytes

    ---- EOF - GMER 1.0.15 ----

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
