[kaptain]

Hello,
this is my first post.
I've tried all the steps in malware guide but haven't succeeded in curing it.
Can You help?
What it does is when i open a new tab in firefox it REDIRECT THE WEB PAGE TO something like hxxp://bestcatalogonline.com/search.php?q=****(whatever the name was on the page or similar)
instead of opening the page I WANT!!!!
I don't seem to be able to solve this alone, Thank You!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:18:54, on 31/01/2009
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Active ShutDown\asd.exe
C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Miranda IM\miranda32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Active ShutDown.lnk = C:\Program Files\Active ShutDown\asd.exe
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: Miranda IM.lnk = C:\Program Files\Miranda IM\miranda32.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: mss.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 7881 bytes

Edited by kaptain, 31 January 2009 - 09:20 AM.
Removed link

[Advertisements]

Hello kaptain

Welcome to G2Go.
=====================

Please download DDS and save it to your desktop.

• Disable any script blocking protection
• Double click dds.scr to run the tool.
• When done, DDS.txt will open.
• Click Yes at the next prompt for Optional Scan.
• Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[kahdah]

Hello kaptain

Welcome to G2Go.
=====================

Please download DDS and save it to your desktop.

• Disable any script blocking protection
• Double click dds.scr to run the tool.
• When done, DDS.txt will open.
• Click Yes at the next prompt for Optional Scan.
• Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
• Now click the Scan button.
  Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

[kaptain]

Hello Kahdah,
thank you for your helping me.
Here it is:
DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 15:33:00.04 on 03/02/2009
Internet Explorer: 6.0.2900.3311 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3582.2990 [GMT 0:00]

AV: avast! antivirus 4.8.1296 [VPS 090202-1] *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [basicsmssmenu] "c:\program files\seagate\basics\basics status\MaxMenuMgrBasics.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SSC Service Utility] c:\program files\ssc service utility\ssc_serv.exe /s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\active~1.lnk - c:\program files\active shutdown\asd.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\anapod~1.lnk - c:\program files\red chair software\anapod explorer\anamgr.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\mirand~1.lnk - c:\program files\miranda im\miranda32.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.2\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {AC1F5BCF-9CD1-4470-B59A-466D6B613125} = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - c:\windows\system32\textwareilluminatorbaseProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: mss.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\qrbjunla.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\qrbjunla.default\extensions\[email protected]\components\coolirisstub.dll
FF - plugin: c:\program files\google\google updater\2.4.1441.4352\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmks.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-9 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-9 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-2-26 155160]
R2 MLPTDR_N;MLPTDR_N;c:\windows\system32\MLPTDR_N.SYS [2008-2-10 18848]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-17 24652]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-12-20 6016]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [2008-9-8 103040]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S0 ati8bhxx;ati8bhxx;c:\windows\system32\drivers\ati8bhxx.sys --> c:\windows\system32\drivers\ati8bhxx.sys [?]
S1 24e4571f;24e4571f;c:\windows\system32\drivers\24e4571f.sys --> c:\windows\system32\drivers\24e4571f.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-2-26 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-2-26 352920]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2008-2-27 815104]

=============== Created Last 30 ================

2009-01-31 09:26 <DIR> --d----- c:\program files\CCleaner
2009-01-30 23:37 <DIR> --d----- c:\documents and settings\administrator\DoctorWeb
2009-01-30 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-30 22:13 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-30 22:13 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-01-30 20:28 <DIR> --d----- c:\program files\Trend Micro
2009-01-29 13:39 135,168 a------- c:\windows\system32\EEBAPI.dll
2009-01-29 13:39 110,592 a------- c:\windows\system32\EEBDSCVR.dll
2009-01-29 13:39 69,632 a------- c:\windows\system32\EBAPI.dll
2009-01-29 13:39 65,536 a------- c:\windows\system32\EEBUtil.dll
2009-01-29 13:39 55,808 a------- c:\windows\system32\EEBSDKIF.dll
2009-01-29 13:36 155,648 a------- c:\windows\system32\EBAPI2.dll
2009-01-29 13:36 <DIR> --d----- c:\program files\common files\EPSON
2009-01-29 12:34 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-29 12:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-29 12:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 12:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-29 11:06 59 a------- c:\windows\system32\senekajbwnfghd.dat
2009-01-29 11:02 2 a------- C:\540284606
2009-01-29 11:01 447 a------- c:\windows\xccwinsys.ini
2009-01-29 11:01 <DIR> --d----- c:\windows\system32\inf
2009-01-29 11:01 6,454 a------- c:\windows\system32\senekajbgixjov.dat
2009-01-29 11:01 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-01-28 20:05 73,728 a------- c:\windows\system32\EPRIPMNT.DLL
2009-01-28 20:05 61,440 a------- c:\windows\system32\MONINST.EXE
2009-01-28 20:05 19,744 a------- c:\windows\system32\drivers\EPSTNT01.SYS
2009-01-28 19:16 5,248 a------- c:\windows\system32\giveio.sys
2009-01-28 19:13 <DIR> --d----- c:\program files\SSC Service Utility
2009-01-26 23:09 <DIR> --d----- C:\EPSON
2009-01-26 23:01 80,166 a------- c:\windows\system32\EBPMON2.DLL
2009-01-26 23:01 64,000 a------- c:\windows\system32\ECBTEG.DLL
2009-01-26 23:01 34,304 a------- c:\windows\system32\EBPCHP.DLL
2009-01-26 22:53 <DIR> --d----- c:\windows\EPSON PhotoStarter Essential
2009-01-26 22:52 131,072 a----r-- c:\windows\system32\Epcmlib.dll
2009-01-26 22:52 <DIR> --d----- c:\program files\EPSON
2009-01-26 22:50 <DIR> --d----- c:\program files\EPSON Print CD
2009-01-26 22:50 <DIR> --d----- c:\program files\EPSON GrayBalancer
2009-01-18 11:15 <DIR> --d----- C:\HEX BLINK
2009-01-17 11:58 <DIR> --d----- c:\windows\system32\AGEIA
2009-01-17 11:58 206,755 a------- c:\windows\system32\nvapps.nvb
2009-01-17 11:58 <DIR> --d----- c:\windows\NV2003712.TMP
2009-01-17 11:57 <DIR> --d----- C:\NVIDIA
2009-01-17 11:46 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-01-16 09:20 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2009-01-16 09:20 507,400 a------- c:\windows\system32\XAudio2_1.dll
2009-01-16 09:20 467,984 a------- c:\windows\system32\d3dx10_38.dll
2009-01-16 09:20 238,088 a------- c:\windows\system32\xactengine3_1.dll
2009-01-16 09:20 65,032 a------- c:\windows\system32\XAPOFX1_0.dll
2009-01-16 09:20 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2009-01-16 09:20 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-01-16 09:20 479,752 a------- c:\windows\system32\XAudio2_0.dll
2009-01-16 09:20 238,088 a------- c:\windows\system32\xactengine3_0.dll
2009-01-16 09:20 25,608 a------- c:\windows\system32\X3DAudio1_3.dll
2009-01-16 09:19 <DIR> --d----- c:\windows\Logs
2009-01-16 09:18 3,786,760 a------- c:\windows\system32\D3DX9_37.dll
2009-01-16 09:18 1,420,824 a------- c:\windows\system32\D3DCompiler_37.dll
2009-01-16 09:18 462,864 a------- c:\windows\system32\d3dx10_37.dll
2009-01-16 09:18 <DIR> --d----- c:\windows\system32\xlive
2009-01-16 09:18 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-01-16 00:56 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-16 00:55 14,048 -------- c:\windows\system32\spmsg2.dll
2009-01-16 00:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\DAEMON Tools Pro
2009-01-16 00:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-01-16 00:53 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-01-16 00:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\DAEMON Tools Lite
2009-01-14 14:53 <DIR> --d-hr-- c:\docume~1\admini~1\applic~1\Microchip
2009-01-14 14:24 <DIR> --d----- c:\program files\Microchip
2009-01-14 14:15 <DIR> --d----- c:\program files\Mikroelektronika
2009-01-10 22:25 <DIR> --d----- c:\docume~1\admini~1\applic~1\Foxit
2009-01-10 17:52 <DIR> --d----- C:\PBP
2009-01-10 17:50 <DIR> --d----- c:\program files\PIC18 Simulator IDE
2009-01-10 17:48 <DIR> --d----- c:\program files\PIC Simulator IDE
2009-01-08 23:12 <DIR> --d----- C:\Pk2 Lessons
2009-01-08 18:51 21 a------- c:\windows\Picasa.ini
2009-01-08 15:24 49,664 a------- c:\windows\unvise32.exe
2009-01-08 15:24 <DIR> --d----- c:\program files\Active ShutDown
2009-01-05 22:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2009-01-05 16:14 <DIR> --d----- c:\program files\Foxit Software

==================== Find3M ====================

2009-02-02 22:50 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-01-16 09:20 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-14 14:12 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-23 21:58 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-08 09:08 410,984 a------- c:\windows\system32\deploytk.dll
2008-09-20 16:29 8 ---shr-- c:\docume~1\alluse~1\applic~1\F5B9E44F42.sys
2008-03-06 21:15 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-03-05 11:28 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys
2008-03-05 11:21 103,736 a------- c:\docume~1\admini~1\applic~1\PnkBstrB.exe
2002-04-16 10:27 5 a--sh--- c:\windows\system32\CdI5T.drv
2008-09-17 22:10 88 ---shr-- c:\windows\system32\F5B9E44F42.sys
2008-02-12 09:29 54,898 ---shr-- c:\windows\system32\javaupd.exe

============= FINISH: 15:33:14.75 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/26/2008 11:58:12 AM
System Uptime: 2/3/2009 8:52:39 AM (7 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5N-E SLI
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2399/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 98 GiB total, 68.79 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 368 GiB total, 285.274 GiB free.
G: is FIXED (NTFS) - 466 GiB total, 39.974 GiB free.
H: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

AC3Filter (remove only)
Active ShutDown
Ad-Aware
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.3
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AeroFly Professional Deluxe
AIM 6
Alive YouTube Video Converter (version 1.2.3.9)
All Media Fixer 9.08
Anapod Explorer (remove only)
Aspell Czech Dictionary-0.50-2
Aspell English Dictionary-0.50-2
ASUSUpdate
µTorrent
Autopano Pro
AutoUpdate
avast! Antivirus
Cambridge Advanced Learner's Dictionary
CCleaner (remove only)
Chief Architect 9.5 Full Version
Corel Paint Shop Pro Photo XI
CorelDRAW Graphics Suite X4
CorelDRAW Graphics Suite X4 - Capture
CorelDRAW Graphics Suite X4 - Content
CorelDRAW Graphics Suite X4 - Draw
CorelDRAW Graphics Suite X4 - Filters
CorelDRAW Graphics Suite X4 - FontNav
CorelDRAW Graphics SUite X4 - ICA
CorelDRAW Graphics Suite X4 - IPM
CorelDRAW Graphics Suite X4 - Lang EN
CorelDRAW Graphics Suite X4 - PP
CorelDRAW Graphics Suite X4 - VBA
CorelDRAW® Graphics Suite X4
CorelDRAW® Graphics Suite X4 - Windows Shell Extension
DFX 8 for Windows Media Player
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Dr. DivX 2.0 OSS
Drive Manager
DVD X Player 4.0 Professional
Easy Duplicate Finder v. 1.5.1
EPSON GrayBalancer
EPSON PhotoQuicker3.4
EPSON PhotoStarter3.0
EPSON Print CD
EPSON Printer Software
EPSON PS Port Monitor
EPSON PS_Server
ERUNT 1.1j
Flash Saving Plugin
FLV Player 2.0, build 24
Foxit PDF Editor
Foxit Reader
GNU Aspell 0.50-3
Google Earth
Google Updater
GPL MPEG-1/2 DirectShow Decoder Filter
Grand Theft Auto IV
GTK+ Runtime 2.6.9 rev a (remove only)
Hauppauge WinTV
Hauppauge WinTV Scheduler
Hauppauge WinTV TV Services
Hauppauge WinTV2000
HD Tach version 3
HI-TECH C51-lite V9.60PL0
HI-TECH PICC lite V9.60PL0
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
InterVideo FilterSDK for Hauppauge
Java™ 6 Update 11
Java™ 6 Update 5
Java™ 6 Update 7
JMB36X Raid Configurer
K-Lite Codec Pack 3.5.0 Basic
KeeBook Creator 2.7.6.8
KONICA MINOLTA PagePro 1300W
LightScribe 1.8.15.1
Logitech SetPoint
Machinist ToolBox™ v9.x
Magic ISO Maker v5.4 (build 0255)
Magic ISO Maker v5.5 (build 0273)
Malwarebytes' Anti-Malware
Mayan Maze
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Visio Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
mikroBasic (remove only)
Miranda IM 0.7.7
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.19)
Mpeg Layer3 Codec FHG-Radium v1.263
MPLAB Tools v8.10
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
nanoPEG-Editor 2.6.0 for WinTV
National Instruments Software
neroxml
NI Circuit Design Suite 10 Core
NI Circuit Design Suite 10 Pro
NI EULA Depot
NI LabVIEW Run-Time Engine 8.0.1
NI LabVIEW Run-Time Engine 8.2
NI LabWindows/CVI 8.0.1 Run-Time Engine
NI License Manager
NI Logos 4.7
NI Math Kernel Libraries
NI MDF Support
NI Service Locator
NI TDMS
NI Uninstaller
NI USI 1.3.0
NVIDIA Drivers
NVIDIA PhysX v8.10.13
oggcodecs 0.71.0946
OpenAL
OpenOffice.org 2.2
PC Probe II
PDF Settings
PIC Simulator IDE
PIC16F690 Lessons
PIC16F887 Lessons
PIC18 Simulator IDE
Picasa 3
PICBASIC PRO™ 2.50
PICkit 2 v2.50.02
PowerISO
Puzzle Quest
QuickTime Alternative 1.78
Realtek High Definition Audio Driver
Riva FLV Player
Rockstar Games Social Club
Sage Instant Accounts
Sage Instant Accounts V12.00
ScanToWeb
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
SJphone 1.65
Skype™ 3.8
Spybot - Search & Destroy
SSC Service Utility v4.30
SUPERAntiSpyware Professional
Survey
System Requirements Lab
TARGET 3001! V13 discover
Tomb Raider: Anniversary 1.0
Total Commander (Remove or Repair)
Ultimate Sudoku
UltraVNC v1.0.2
Update for Windows Media Player 10 (KB926251)
VideoLAN VLC media player 0.8.6h
Viewpoint Media Player
Visual Basic for Applications ® Core
Visual Basic for Applications ® Core - English
VoipDiscount
WebFldrs XP
Windows Communication Foundation
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
X-Lite 3.0
XML Paper Specification Shared Components Pack 1.0
XpertVision 5.9
Xvid 1.1.2 final uninstall
YPOPs! 0.9.6

==== Event Viewer Messages From Past Week ========

1/29/2009 12:07:21 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
1/29/2009 11:01:49 AM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
1/29/2009 12:07:21 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
1/29/2009 12:12:09 PM, error: System Error [1003] - Error code 1000000a, parameter1 00000018, parameter2 00000002, parameter3 00000000, parameter4 804f459a.

==== End Of File ===========================


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-03 15:58:58
Windows 5.1.2600 Service Pack 3, v.3311


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA5859576]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA5859432]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA5859910]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA585900A]
SSDT spsq.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spsq.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA585950C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA5858F4A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA5858FAE]
SSDT spsq.sys ZwQueryKey [0xB9EC7108]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA585962C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA58595EC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA585976C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA6E07F20]

INT 0x62 ? 8B250BF8
INT 0x63 ? 8B2C6BF8
INT 0x73 ? 8B2C6BF8
INT 0x94 ? 8B022BF8
INT 0xB4 ? 8B253BF8
INT 0xB4 ? 8B253BF8

---- Kernel code sections - GMER 1.0.14 ----

? spsq.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B7DE38AC 5 Bytes JMP 8B0221D8
.text aa5f53h4.SYS B7C9F386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text aa5f53h4.SYS B7C9F3AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text aa5f53h4.SYS B7C9F3C4 3 Bytes [ 00, 70, 02 ]
.text aa5f53h4.SYS B7C9F3C9 1 Byte [ 2E ]
.text aa5f53h4.SYS B7C9F3CB 9 Bytes [ 00, 00, 5C, 02, 00, 00, 00, ... ]
.text ...

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spsq.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spsq.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spsq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spsq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spsq.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spsq.sys
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\aa5f53h4.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8B24E1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom 897A41F8

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBPDO-0 8B0211F8
Device \Driver\usbehci \Device\USBPDO-1 8B0111F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B2C71F8
Device \Driver\dmio \Device\DmControl\DmConfig 8B2C71F8
Device \Driver\dmio \Device\DmControl\DmPnP 8B2C71F8
Device \Driver\dmio \Device\DmControl\DmInfo 8B2C71F8
Device \Driver\sptd \Device\3325962130 spsq.sys

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\PCI_PNP0880 \Device\00000057 spsq.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B2511F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B2511F8
Device \Driver\Cdrom \Device\CdRom0 8AFF21F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B2511F8
Device \Driver\Cdrom \Device\CdRom1 8AFF21F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8ABE8368
Device \Driver\usbstor \Device\00000083 8AC44500
Device \Driver\NetBT \Device\NetbiosSmb 8ABE8368
Device \Driver\usbstor \Device\00000085 8AC44500

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 8B0211F8
Device \Driver\usbehci \Device\USBFDO-1 8B0111F8
Device \Driver\nvata \Device\NvAta0 8B2C61F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AC46500
Device \Driver\nvata \Device\NvAta1 8B2C61F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{AC1F5BCF-9CD1-4470-B59A-466D6B613125} 8ABE8368
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AC46500
Device \Driver\nvata \Device\0000007c 8B2C61F8
Device \Driver\Ftdisk \Device\FtControl 8B2511F8
Device \Driver\aa5f53h4 \Device\Scsi\aa5f53h41 8AFCF1F8
Device \Driver\JRAID \Device\Scsi\JRAID1 8B24F1F8
Device \Driver\aa5f53h4 \Device\Scsi\aa5f53h41Port5Path0Target0Lun0 8AFCF1F8
Device \FileSystem\Fastfat \Fat 897A41F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs 8AC55370

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x03 0xAA 0x46 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x35 0x95 0x5A 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3E 0xD9 0x49 0xF5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9B 0x03 0xAA 0x46 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x35 0x95 0x5A 0x0D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x3E 0xD9 0x49 0xF5 ...

---- EOF - GMER 1.0.14 ----

Edited by kaptain, 03 February 2009 - 12:35 PM.

[kahdah]

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[kaptain]

here it is, thank you.
ComboFix 09-02-03.01 - Administrator 2009-02-04 15:34:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2944 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090203-1] *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\install.exe
c:\windows\system32\senekajbgixjov.dat
c:\windows\system32\senekajbwnfghd.dat
c:\windows\system32\Setup_ver1.1351.25.exe
c:\windows\system32\systeminfo.dll
c:\windows\xccwinsys.ini
G:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://updateserver.info
.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 12:03 . 2009-02-04 12:03 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-04 12:03 . 2009-02-04 12:03 1,409 --a------ c:\windows\QTFont.for
2009-02-03 15:37 . 2009-02-03 15:39 250 --a------ c:\windows\gmer.ini
2009-02-01 09:59 . 2009-02-01 09:59 <DIR> d-------- c:\program files\ERUNT
2009-01-31 09:26 . 2009-01-31 09:26 <DIR> d-------- c:\program files\CCleaner
2009-01-30 23:37 . 2009-01-30 23:37 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2009-01-30 22:13 . 2009-01-30 22:15 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-30 22:13 . 2009-01-30 22:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-30 22:13 . 2009-01-30 22:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-30 20:28 . 2009-01-30 20:28 <DIR> d-------- c:\program files\Trend Micro
2009-01-29 13:39 . 2006-08-19 13:40 135,168 --a------ c:\windows\system32\EEBAPI.dll
2009-01-29 13:39 . 2006-08-19 13:41 110,592 --a------ c:\windows\system32\EEBDSCVR.dll
2009-01-29 13:39 . 2004-11-17 15:37 69,632 --a------ c:\windows\system32\EBAPI.dll
2009-01-29 13:39 . 2006-08-17 12:31 65,536 --a------ c:\windows\system32\EEBUtil.dll
2009-01-29 13:39 . 2003-12-17 01:01 55,808 --a------ c:\windows\system32\EEBSDKIF.dll
2009-01-29 13:36 . 2009-01-29 13:36 <DIR> d-------- c:\program files\Common Files\EPSON
2009-01-29 13:36 . 2004-08-19 01:06 155,648 --a------ c:\windows\system32\EBAPI2.dll
2009-01-29 12:34 . 2009-01-29 12:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 12:34 . 2009-01-29 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-29 12:34 . 2009-01-29 12:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-29 12:34 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 12:34 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-29 11:02 . 2009-01-29 11:07 2 --a------ C:\540284606
2009-01-29 11:01 . 2009-02-04 15:35 <DIR> d-------- c:\windows\system32\inf
2009-01-29 11:01 . 2009-01-29 11:01 108,336 --a------ c:\windows\system32\mswinsck.ocx
2009-01-28 20:05 . 2003-10-14 00:00 73,728 --a------ c:\windows\system32\EPRIPMNT.DLL
2009-01-28 20:05 . 2003-10-14 00:00 61,440 --a------ c:\windows\system32\MONINST.EXE
2009-01-28 20:05 . 2003-10-14 00:00 19,744 --a------ c:\windows\system32\drivers\EPSTNT01.SYS
2009-01-28 19:16 . 2009-01-28 19:16 5,248 --a------ c:\windows\system32\giveio.sys
2009-01-28 19:13 . 2009-02-01 11:46 <DIR> d-------- c:\program files\SSC Service Utility
2009-01-26 23:09 . 2009-01-26 23:09 <DIR> d-------- C:\EPSON
2009-01-26 23:01 . 2004-07-21 03:06 80,166 --a------ c:\windows\system32\EBPMON2.DLL
2009-01-26 23:01 . 2003-05-21 02:27 64,000 --a------ c:\windows\system32\ECBTEG.DLL
2009-01-26 23:01 . 2000-06-07 01:01 34,304 --a------ c:\windows\system32\EBPCHP.DLL
2009-01-26 22:53 . 2009-01-26 22:53 <DIR> d-------- c:\windows\EPSON PhotoStarter Essential
2009-01-26 22:52 . 2009-01-28 20:04 <DIR> d-------- c:\program files\EPSON
2009-01-26 22:52 . 2002-10-23 01:00 131,072 -ra------ c:\windows\system32\Epcmlib.dll
2009-01-26 22:50 . 2009-01-26 22:50 <DIR> d-------- c:\program files\EPSON Print CD
2009-01-26 22:50 . 2009-01-28 16:34 <DIR> d-------- c:\program files\EPSON GrayBalancer
2009-01-18 11:15 . 2009-01-18 11:15 <DIR> d-------- C:\HEX BLINK
2009-01-17 11:58 . 2009-01-17 11:58 <DIR> d-------- c:\windows\system32\AGEIA
2009-01-17 11:58 . 2009-01-17 12:00 <DIR> d-------- c:\windows\NV2003712.TMP
2009-01-17 11:58 . 2009-01-17 11:58 <DIR> d-------- c:\program files\AGEIA Technologies
2009-01-17 11:58 . 2008-12-26 00:08 206,755 --a------ c:\windows\system32\nvapps.nvb
2009-01-17 11:57 . 2009-01-17 11:57 <DIR> d-------- C:\NVIDIA
2009-01-17 11:46 . 2009-01-17 11:46 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-17 11:46 . 2009-01-17 11:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2009-01-16 09:20 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-16 09:20 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2009-01-16 09:20 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2009-01-16 09:20 . 2008-03-05 16:03 479,752 --a------ c:\windows\system32\XAudio2_0.dll
2009-01-16 09:20 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2009-01-16 09:20 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2009-01-16 09:20 . 2008-03-05 16:03 238,088 --a------ c:\windows\system32\xactengine3_0.dll
2009-01-16 09:20 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2009-01-16 09:20 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2009-01-16 09:20 . 2008-03-05 16:00 25,608 --a------ c:\windows\system32\X3DAudio1_3.dll
2009-01-16 09:19 . 2009-01-16 09:19 <DIR> d-------- c:\windows\system32\drivers\umdf
2009-01-16 09:19 . 2009-01-16 09:19 <DIR> d-------- c:\windows\Logs
2009-01-16 09:18 . 2009-01-16 09:18 <DIR> d-------- c:\windows\system32\xlive
2009-01-16 09:18 . 2009-01-16 16:09 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-01-16 09:18 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2009-01-16 09:18 . 2008-03-05 15:56 1,420,824 --a------ c:\windows\system32\D3DCompiler_37.dll
2009-01-16 09:18 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2009-01-16 00:58 . 2009-01-16 00:58 <DIR> d-------- c:\program files\MSBuild
2009-01-16 00:56 . 2009-01-16 00:56 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-16 00:56 . 2009-01-16 00:56 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-16 00:55 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-16 00:54 . 2009-01-16 00:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2009-01-16 00:53 . 2009-01-16 00:53 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-01-16 00:53 . 2009-01-16 00:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-16 00:52 . 2009-01-16 00:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2009-01-14 14:53 . 2009-01-14 15:13 <DIR> dr-h----- c:\documents and settings\Administrator\Application Data\Microchip
2009-01-14 14:24 . 2009-01-15 11:13 <DIR> d-------- c:\program files\Microchip
2009-01-14 14:15 . 2009-01-14 14:15 <DIR> d-------- c:\program files\Mikroelektronika
2009-01-10 22:25 . 2009-01-10 22:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Foxit
2009-01-10 20:46 . 2009-01-10 20:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Nitro PDF
2009-01-10 20:45 . 2009-01-10 20:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nitro PDF
2009-01-10 17:52 . 2009-01-15 18:55 <DIR> d-------- C:\PBP
2009-01-10 17:50 . 2009-01-10 17:50 <DIR> d-------- c:\program files\PIC18 Simulator IDE
2009-01-10 17:48 . 2009-01-10 17:48 <DIR> d-------- c:\program files\PIC Simulator IDE
2009-01-08 23:12 . 2009-01-15 18:54 <DIR> d-------- C:\Pk2 Lessons
2009-01-08 18:51 . 2009-01-08 18:51 21 --a------ c:\windows\Picasa.ini
2009-01-08 15:24 . 2009-01-08 15:24 <DIR> d-------- c:\program files\Active ShutDown
2009-01-08 15:24 . 1999-12-17 10:13 49,664 --a------ c:\windows\unvise32.exe
2009-01-05 22:33 . 2009-01-05 22:33 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2009-01-05 16:14 . 2009-01-10 22:25 <DIR> d-------- c:\program files\Foxit Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 15:25 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-02-04 15:25 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-02-04 14:43 --------- d-----w c:\documents and settings\Administrator\Application Data\Corel
2009-02-04 14:38 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-02-04 11:46 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-04 10:22 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-04 09:02 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-02-04 09:02 --------- d-----w c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2009-02-03 15:46 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-03 09:26 --------- d-----w c:\program files\WinTV
2009-01-31 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-30 22:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-30 20:46 --------- d-----w c:\program files\YPOPs
2009-01-30 20:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-30 20:43 --------- d-----w c:\program files\Logitech
2009-01-30 20:43 --------- d-----w c:\documents and settings\All Users\Application Data\MediaLife
2009-01-29 13:26 --------- d-----w c:\program files\Machinist ToolBox
2009-01-29 11:12 --------- d-----w c:\program files\MagicISO
2009-01-16 09:20 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-01-16 00:54 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools
2009-01-08 18:21 --------- d-----w c:\program files\eagle4.16
2009-01-03 13:55 --------- d-----w c:\program files\Google
2008-12-28 14:11 --------- d-----w c:\program files\Common Files\Intel
2008-12-25 11:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-25 09:52 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-25 09:51 --------- d-----w c:\program files\Lavasoft
2008-12-23 21:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-12-20 11:17 --------- d-----w c:\program files\UltraVNC
2008-12-18 14:22 --------- d-----w c:\program files\Common Files\Adobe
2008-12-08 09:08 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-08 09:08 --------- d-----w c:\program files\Java
2008-12-06 22:53 --------- d-----w c:\program files\Skype
2008-09-20 16:29 8 --sh--r c:\documents and settings\All Users\Application Data\F5B9E44F42.sys
2008-03-06 21:15 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-05 11:28 22,328 ----a-w c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2008-03-05 11:21 103,736 ----a-w c:\documents and settings\Administrator\Application Data\PnkBstrB.exe
2007-11-08 14:39 827,392 ----a-w c:\program files\mozilla firefox\plugins\libeay32.dll
2007-11-08 14:39 159,744 ----a-w c:\program files\mozilla firefox\plugins\ssleay32.dll
2006-01-23 05:02 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 09:10 132,848 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2002-04-16 10:27 5 --sha-w c:\windows\system32\CdI5T.drv
2008-09-17 22:10 88 --sh--r c:\windows\system32\F5B9E44F42.sys
2008-02-12 09:29 54,898 --sh--r c:\windows\system32\javaupd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-01-09 270128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-02-12 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-30 1809648]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-02-12 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Active ShutDown.lnk - c:\program files\Active ShutDown\asd.exe [5/22/2001 4:10:14 PM 240128]
Anapod Manager.lnk - c:\program files\Red Chair Software\Anapod Explorer\anamgr.exe [3/4/2006 2:41:40 AM 1038848]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM 38912]
Miranda IM.lnk - c:\program files\Miranda IM\miranda32.exe [6/2/2008 3:12:46 AM 557652]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [1/29/2009 1:36:29 PM 131584]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2/27/2008 11:24:50 AM 450560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8bhxx.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^YPOPs.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\YPOPs.lnk
backup=c:\windows\pss\YPOPs.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SJphone 1.65.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SJphone 1.65.lnk
backup=c:\windows\pss\SJphone 1.65.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SJphone 1.65\\SJphone.exe"=
"c:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"f:\\4\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"f:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"f:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EPSON\\PS Server\\EPSON PS Server.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6882:TCP"= 6882:TCP:*:Disabled:72.20.34.145

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/9/2008 7:10:01 AM 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 1:50:04 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50:02 PM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/9/2008 7:10:01 AM 20560]
R2 MLPTDR_N;MLPTDR_N;c:\windows\system32\MLPTDR_N.SYS [2/10/2008 11:25:58 AM 18848]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/17/2008 7:50:40 AM 24652]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [12/20/2008 10:26:38 AM 6016]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [9/8/2008 8:23:29 PM 103040]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50:06 PM 7408]
S0 ati8bhxx;ati8bhxx;c:\windows\system32\Drivers\ati8bhxx.sys --> c:\windows\system32\Drivers\ati8bhxx.sys [?]
S1 24e4571f;24e4571f;c:\windows\system32\drivers\24e4571f.sys --> c:\windows\system32\drivers\24e4571f.sys [?]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [2/27/2008 3:12:00 PM 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-03 13:53]

2009-01-29 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
MSConfigStartUp-MediaLifeService - c:\program files\Logitech\MediaLife\MediaLifeService.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: {AC1F5BCF-9CD1-4470-B59A-466D6B613125} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qrbjunla.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qrbjunla.default\extensions\[email protected]\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1441.4352\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmks.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 15:35:30
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\M*a*c*h*i*n*i*s*t* *T*o*o*l*B*o*x*"!\DefaultIcon]
@="c:\\Program Files\\Machinist ToolBox\\MachinistToolBox.ico"

[HKEY_LOCAL_MACHINE\software\Classes\M*a*c*h*i*n*i*s*t* *T*o*o*l*B*o*x*"!\shell\open\command]
@="\"c:\\Program Files\\Machinist ToolBox\\Metapad\\metapad.exe\" \"%1\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-02-04 15:36:33
ComboFix-quarantined-files.txt 2009-02-04 15:36:27

Pre-Run: 74,028,445,696 bytes free
Post-Run: 74,133,565,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MS WINDOWS XP SP2/SP3 UWin Installer Edition" /noexecute=optin /fastdetect

306 --- E O F --- 2008-07-11 08:48:25

[kaptain]

It looks it is not redirecting now! How is it possible???

UPDATE:
It does redirect now, again to Removed link.

Sorry , I thought it was cured already!
Not yet there!

Edited by kahdah, 05 February 2009 - 07:09 AM.

[kahdah]

1. Please open Notepad

• Click Start , then Run
• type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
ati8bhxx
24e4571f
Viewpoint Manager Service

File::
c:\windows\system32\Drivers\ati8bhxx.sys
c:\windows\system32\drivers\24e4571f.sys

Folder::
c:\program files\Viewpoint

FireFox::
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new HijackThis log.

[kaptain]

here we go:
comboxif closed everything and restarted the computer, I disabled the antivirus when he asked too:
it restored internet explorer as default browser, i changed it to Mozilla firefox myself now...


ComboFix 09-02-03.01 - Administrator 2009-02-04 18:59:08.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2644 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090203-1] *On-access scanning disabled* (Updated)
FW: ActiveArmor Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\24e4571f.sys
c:\windows\system32\Drivers\ati8bhxx.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Viewpoint
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Viewpoint\Common\VistaBoot.sdll
c:\program files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Media Player\ComponentMgr.dll
c:\program files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\SWFView.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VETScriptInterpreter.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Media Player\NewComponents\VMPVideo2.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.xpt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI8BHXX
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_24e4571f
-------\Service_ati8bhxx
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-04 12:03 . 2009-02-04 12:03 54,156 --ah----- c:\windows\QTFont.qfn
2009-02-04 12:03 . 2009-02-04 12:03 1,409 --a------ c:\windows\QTFont.for
2009-02-03 15:37 . 2009-02-03 15:39 250 --a------ c:\windows\gmer.ini
2009-02-01 09:59 . 2009-02-01 09:59 <DIR> d-------- c:\program files\ERUNT
2009-01-31 09:26 . 2009-01-31 09:26 <DIR> d-------- c:\program files\CCleaner
2009-01-30 23:37 . 2009-01-30 23:37 <DIR> d-------- c:\documents and settings\Administrator\DoctorWeb
2009-01-30 22:13 . 2009-01-30 22:15 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-30 22:13 . 2009-01-30 22:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-30 22:13 . 2009-01-30 22:13 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-01-30 20:28 . 2009-01-30 20:28 <DIR> d-------- c:\program files\Trend Micro
2009-01-29 13:39 . 2006-08-19 13:40 135,168 --a------ c:\windows\system32\EEBAPI.dll
2009-01-29 13:39 . 2006-08-19 13:41 110,592 --a------ c:\windows\system32\EEBDSCVR.dll
2009-01-29 13:39 . 2004-11-17 15:37 69,632 --a------ c:\windows\system32\EBAPI.dll
2009-01-29 13:39 . 2006-08-17 12:31 65,536 --a------ c:\windows\system32\EEBUtil.dll
2009-01-29 13:39 . 2003-12-17 01:01 55,808 --a------ c:\windows\system32\EEBSDKIF.dll
2009-01-29 13:36 . 2009-01-29 13:36 <DIR> d-------- c:\program files\Common Files\EPSON
2009-01-29 13:36 . 2004-08-19 01:06 155,648 --a------ c:\windows\system32\EBAPI2.dll
2009-01-29 12:34 . 2009-01-29 12:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 12:34 . 2009-01-29 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-29 12:34 . 2009-01-29 12:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-29 12:34 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 12:34 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-29 11:02 . 2009-01-29 11:07 2 --a------ C:\540284606
2009-01-29 11:01 . 2009-02-04 15:35 <DIR> d-------- c:\windows\system32\inf
2009-01-29 11:01 . 2009-01-29 11:01 108,336 --a------ c:\windows\system32\mswinsck.ocx
2009-01-28 20:05 . 2003-10-14 00:00 73,728 --a------ c:\windows\system32\EPRIPMNT.DLL
2009-01-28 20:05 . 2003-10-14 00:00 61,440 --a------ c:\windows\system32\MONINST.EXE
2009-01-28 20:05 . 2003-10-14 00:00 19,744 --a------ c:\windows\system32\drivers\EPSTNT01.SYS
2009-01-28 19:16 . 2009-01-28 19:16 5,248 --a------ c:\windows\system32\giveio.sys
2009-01-28 19:13 . 2009-02-01 11:46 <DIR> d-------- c:\program files\SSC Service Utility
2009-01-26 23:09 . 2009-01-26 23:09 <DIR> d-------- C:\EPSON
2009-01-26 23:01 . 2004-07-21 03:06 80,166 --a------ c:\windows\system32\EBPMON2.DLL
2009-01-26 23:01 . 2003-05-21 02:27 64,000 --a------ c:\windows\system32\ECBTEG.DLL
2009-01-26 23:01 . 2000-06-07 01:01 34,304 --a------ c:\windows\system32\EBPCHP.DLL
2009-01-26 22:53 . 2009-01-26 22:53 <DIR> d-------- c:\windows\EPSON PhotoStarter Essential
2009-01-26 22:52 . 2009-01-28 20:04 <DIR> d-------- c:\program files\EPSON
2009-01-26 22:52 . 2002-10-23 01:00 131,072 -ra------ c:\windows\system32\Epcmlib.dll
2009-01-26 22:50 . 2009-01-26 22:50 <DIR> d-------- c:\program files\EPSON Print CD
2009-01-26 22:50 . 2009-01-28 16:34 <DIR> d-------- c:\program files\EPSON GrayBalancer
2009-01-18 11:15 . 2009-01-18 11:15 <DIR> d-------- C:\HEX BLINK
2009-01-17 11:58 . 2009-01-17 11:58 <DIR> d-------- c:\windows\system32\AGEIA
2009-01-17 11:58 . 2009-01-17 12:00 <DIR> d-------- c:\windows\NV2003712.TMP
2009-01-17 11:58 . 2009-01-17 11:58 <DIR> d-------- c:\program files\AGEIA Technologies
2009-01-17 11:58 . 2008-12-26 00:08 206,755 --a------ c:\windows\system32\nvapps.nvb
2009-01-17 11:57 . 2009-01-17 11:57 <DIR> d-------- C:\NVIDIA
2009-01-17 11:46 . 2009-01-17 11:46 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-17 11:46 . 2009-01-17 11:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab
2009-01-16 09:20 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-16 09:20 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2009-01-16 09:20 . 2008-05-30 14:19 507,400 --a------ c:\windows\system32\XAudio2_1.dll
2009-01-16 09:20 . 2008-03-05 16:03 479,752 --a------ c:\windows\system32\XAudio2_0.dll
2009-01-16 09:20 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2009-01-16 09:20 . 2008-05-30 14:18 238,088 --a------ c:\windows\system32\xactengine3_1.dll
2009-01-16 09:20 . 2008-03-05 16:03 238,088 --a------ c:\windows\system32\xactengine3_0.dll
2009-01-16 09:20 . 2008-05-30 14:17 65,032 --a------ c:\windows\system32\XAPOFX1_0.dll
2009-01-16 09:20 . 2008-05-30 14:17 25,608 --a------ c:\windows\system32\X3DAudio1_4.dll
2009-01-16 09:20 . 2008-03-05 16:00 25,608 --a------ c:\windows\system32\X3DAudio1_3.dll
2009-01-16 09:19 . 2009-01-16 09:19 <DIR> d-------- c:\windows\system32\drivers\umdf
2009-01-16 09:19 . 2009-01-16 09:19 <DIR> d-------- c:\windows\Logs
2009-01-16 09:18 . 2009-01-16 09:18 <DIR> d-------- c:\windows\system32\xlive
2009-01-16 09:18 . 2009-01-16 16:09 <DIR> d-------- c:\program files\Microsoft Games for Windows - LIVE
2009-01-16 09:18 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\D3DX9_37.dll
2009-01-16 09:18 . 2008-03-05 15:56 1,420,824 --a------ c:\windows\system32\D3DCompiler_37.dll
2009-01-16 09:18 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2009-01-16 00:58 . 2009-01-16 00:58 <DIR> d-------- c:\program files\MSBuild
2009-01-16 00:56 . 2009-01-16 00:56 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-16 00:56 . 2009-01-16 00:56 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-16 00:55 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-16 00:54 . 2009-01-16 00:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2009-01-16 00:53 . 2009-01-16 00:53 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-01-16 00:53 . 2009-01-16 00:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-16 00:52 . 2009-01-16 00:54 <DIR> d-------- c:\documents and settings\Administrator\Application Data\DAEMON Tools Lite
2009-01-14 14:53 . 2009-01-14 15:13 <DIR> dr-h----- c:\documents and settings\Administrator\Application Data\Microchip
2009-01-14 14:24 . 2009-01-15 11:13 <DIR> d-------- c:\program files\Microchip
2009-01-14 14:15 . 2009-01-14 14:15 <DIR> d-------- c:\program files\Mikroelektronika
2009-01-10 22:25 . 2009-01-10 22:25 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Foxit
2009-01-10 20:46 . 2009-01-10 20:46 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Nitro PDF
2009-01-10 20:45 . 2009-01-10 20:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nitro PDF
2009-01-10 17:52 . 2009-01-15 18:55 <DIR> d-------- C:\PBP
2009-01-10 17:50 . 2009-01-10 17:50 <DIR> d-------- c:\program files\PIC18 Simulator IDE
2009-01-10 17:48 . 2009-01-10 17:48 <DIR> d-------- c:\program files\PIC Simulator IDE
2009-01-08 23:12 . 2009-01-15 18:54 <DIR> d-------- C:\Pk2 Lessons
2009-01-08 18:51 . 2009-01-08 18:51 21 --a------ c:\windows\Picasa.ini
2009-01-08 15:24 . 2009-01-08 15:24 <DIR> d-------- c:\program files\Active ShutDown
2009-01-08 15:24 . 1999-12-17 10:13 49,664 --a------ c:\windows\unvise32.exe
2009-01-05 22:33 . 2009-01-05 22:33 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2009-01-05 16:14 . 2009-01-10 22:25 <DIR> d-------- c:\program files\Foxit Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 19:03 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-02-04 19:02 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-02-04 18:59 --------- d-----w c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2009-02-04 17:53 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-04 17:46 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2009-02-04 16:47 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-04 14:43 --------- d-----w c:\documents and settings\Administrator\Application Data\Corel
2009-02-04 11:46 2,516 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-02-03 09:26 --------- d-----w c:\program files\WinTV
2009-01-31 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-30 22:08 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-30 20:46 --------- d-----w c:\program files\YPOPs
2009-01-30 20:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-30 20:43 --------- d-----w c:\program files\Logitech
2009-01-30 20:43 --------- d-----w c:\documents and settings\All Users\Application Data\MediaLife
2009-01-29 13:26 --------- d-----w c:\program files\Machinist ToolBox
2009-01-29 11:12 --------- d-----w c:\program files\MagicISO
2009-01-16 00:54 --------- d-----w c:\documents and settings\Administrator\Application Data\DAEMON Tools
2009-01-08 18:21 --------- d-----w c:\program files\eagle4.16
2009-01-03 13:55 --------- d-----w c:\program files\Google
2008-12-28 14:11 --------- d-----w c:\program files\Common Files\Intel
2008-12-26 00:08 6,301,344 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-12-25 11:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-25 09:52 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-25 09:51 --------- d-----w c:\program files\Lavasoft
2008-12-20 11:17 --------- d-----w c:\program files\UltraVNC
2008-12-18 14:22 --------- d-----w c:\program files\Common Files\Adobe
2008-12-08 09:08 --------- d-----w c:\program files\Java
2008-12-06 22:53 --------- d-----w c:\program files\Skype
2008-09-20 16:29 8 --sh--r c:\documents and settings\All Users\Application Data\F5B9E44F42.sys
2008-03-06 21:15 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-03-05 11:28 22,328 ----a-w c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2008-03-05 11:21 103,736 ----a-w c:\documents and settings\Administrator\Application Data\PnkBstrB.exe
2007-11-08 14:39 827,392 ----a-w c:\program files\mozilla firefox\plugins\libeay32.dll
2007-11-08 14:39 159,744 ----a-w c:\program files\mozilla firefox\plugins\ssleay32.dll
2006-01-23 05:02 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2006-06-07 09:10 132,848 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2002-04-16 10:27 5 --sha-w c:\windows\system32\CdI5T.drv
2008-09-17 22:10 88 --sh--r c:\windows\system32\F5B9E44F42.sys
2008-02-12 09:29 54,898 --sh--r c:\windows\system32\javaupd.exe
.

((((((((((((((((((((((((((((( snapshot@2009-02-04_15.35.46.68 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-04\ERDNT.EXE
+ 2009-02-04 19:02:21 12,070,912 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-04\Users\00000001\NTUSER.DAT
+ 2009-02-04 19:02:22 217,088 ----a-w c:\windows\ERDNT\AutoBackup\2009-02-04\Users\00000002\UsrClass.dat
+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-04 19:01:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4c8.dat
+ 2009-02-04 19:01:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-01-09 270128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-02-12 15360]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-30 1809648]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-08 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"WinVNC"="c:\program files\UltraVNC\WinVNC.exe" [2006-06-18 712704]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"SSC Service Utility"="c:\program files\SSC Service Utility\ssc_serv.exe" [2007-10-09 665600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-02-12 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Active ShutDown.lnk - c:\program files\Active ShutDown\asd.exe [5/22/2001 4:10:14 PM 240128]
Anapod Manager.lnk - c:\program files\Red Chair Software\Anapod Explorer\anamgr.exe [3/4/2006 2:41:40 AM 1038848]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [10/20/2005 12:04:08 PM 38912]
Miranda IM.lnk - c:\program files\Miranda IM\miranda32.exe [6/2/2008 3:12:46 AM 557652]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [1/29/2009 1:36:29 PM 131584]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2/27/2008 11:24:50 AM 450560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codec"= l3codecp.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^YPOPs.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\YPOPs.lnk
backup=c:\windows\pss\YPOPs.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SJphone 1.65.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SJphone 1.65.lnk
backup=c:\windows\pss\SJphone 1.65.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Miranda IM\\miranda32.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SJphone 1.65\\SJphone.exe"=
"c:\\Program Files\\VoipDiscount.com\\VoipDiscount\\VoipDiscount.exe"=
"c:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"f:\\4\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"f:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"f:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\EPSON\\PS Server\\EPSON PS Server.exe"=
"c:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6882:TCP"= 6882:TCP:*:Disabled:72.20.34.145

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/9/2008 7:10:01 AM 111184]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/4/2008 1:50:04 PM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50:02 PM 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/9/2008 7:10:01 AM 20560]
R2 MLPTDR_N;MLPTDR_N;c:\windows\system32\MLPTDR_N.SYS [2/10/2008 11:25:58 AM 18848]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [12/20/2008 10:26:38 AM 6016]
R3 Mach3;Mach3 Pulseing Service;c:\windows\system32\drivers\Mach3.sys [9/8/2008 8:23:29 PM 103040]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50:06 PM 7408]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [2/27/2008 3:12:00 PM 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-03 13:53]

2009-01-29 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-ati8bhxx.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
TCP: {AC1F5BCF-9CD1-4470-B59A-466D6B613125} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qrbjunla.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\qrbjunla.default\extensions\[email protected]\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1441.4352\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmks.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 19:03:27
Windows 5.1.2600 Service Pack 3, v.3311 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\M*a*c*h*i*n*i*s*t* *T*o*o*l*B*o*x*"!\DefaultIcon]
@="c:\\Program Files\\Machinist ToolBox\\MachinistToolBox.ico"

[HKEY_LOCAL_MACHINE\software\Classes\M*a*c*h*i*n*i*s*t* *T*o*o*l*B*o*x*"!\shell\open\command]
@="\"c:\\Program Files\\Machinist ToolBox\\Metapad\\metapad.exe\" \"%1\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-04 19:06:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 19:06:17
ComboFix2.txt 2009-02-04 15:36:33

Pre-Run: 74,115,125,248 bytes free
Post-Run: 73,965,170,688 bytes free

341 --- E O F --- 2008-07-11 08:48:25
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:08:30, on 04/02/2009
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3311)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Active ShutDown.lnk = C:\Program Files\Active ShutDown\asd.exe
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Miranda IM.lnk = C:\Program Files\Miranda IM\miranda32.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC1F5BCF-9CD1-4470-B59A-466D6B613125}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: mss.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 7540 bytes


NOTE:when i did the search in mozilla google window: best budget ink epson 2100 2200
this page showed, that's fine:
http://www.google.co...c...art=10&sa=N

but when i used 3 upper links it redirected
http://www.cartridge...Cartridges.html to http://www.blinkx.co...1...0-404-2&p=1
http://www.comparein...uct.aspx?id=330 to http://7search.com/s.....I1x7MGeOSG5A=
and
http://www.cartridge...dges/Epson.html to http://www.kdirector...mp;bp=epson ink

sometimes it doesn't, sometimes it does change my links!
UPDATE:
it seems to change my links after i reboot , and i think it may be VNC culprit!
kaspersky said it was a virus but as a description it said this is not a virus but remote access so i ignored it but now when i switched it off it doesn't seem to redirect!
I need to test this more though...
NO...it is not that simple.
I opened mozilla and did google search epson and opened first 4 links in new tabs....ALL fine..., closed tabs, closed mozilla, opened mozilla again and again did epson searchg and opened 4 windows, now all 4 were BAD redirected pages!
i tried closing VNC and opening VNC and doing the test again!.....no this doesn't seem to be related. ! And I thought I have found it....but I didn't again!

Edited by kaptain, 04 February 2009 - 02:48 PM.

[kahdah]

No worries we will get to the bottom of it in a bit.
DId you put VNC on your computer?
If not then remove it.
===================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

[kaptain]

I put vnc on the computer, i left it there than.
Avast detected 2 viruses one of them was javaupd or something like that so I stopped avast when running malwarebytes..it was triggering false positives.

Malwarebytes' Anti-Malware 1.33
Database version: 1731
Windows 5.1.2600 Service Pack 3, v.3311

05/02/2009 14:14:23
mbam-log-2009-02-05 (14-14-23).txt

Scan type: Quick Scan
Objects scanned: 52359
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[kahdah]

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

• Double-click GooredFix.exe to run it.
• Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
• A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

[kaptain]

GooredFix v1.83 by jpshortstuff
Log created at 14:43 on 05/02/2009 running Option #1 (Administrator)
Firefox version 3.0.6 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[kahdah]

Download the HostsXpert 4.2 - Hosts File Manager.

• Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
• Run HostsXpert 4.2 - Hosts File Manager from its new home
• Click on "File Handling".
• Click on "Restore MS Hosts File".
• Click OK on the Confirmation box.
• Click on "Make Read Only?"
• Click the X to exit the program.
• Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

=========
After that reboot and let me know if the redirects are still present.

If they are then do the following:
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

• The program will install and then begin downloading the latest definition files.
• After the files have been downloaded on the left side of the page in the Scan section select My Computer
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run.
• Once the scan is complete, click on View scan report
• Now, click on the Save Report as button.
• Save the file to your desktop.
• Copy and paste that information in your next post.