Malicious Page Redirects from Google searches [Solved]


This topic is locked

#16 heir (Trusted Helper, Malware Removal, 5,427 posts)
It looks as if you have a Goored infection.

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.


Are you being redirected now?


Could you please zip the content of this folder, C:\windows\Minidump, and attach that in your reply.

Edited by heir, 07 May 2009 - 06:05 PM: added zip instruction.


#17 Wasuremono (Member, Topic Starter, 18 posts)
Goored Log
GooredFix v1.92 by jpshortstuff
Log created at 20:06 on 07/05/2009 running Option #2 (Hans)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{E4C8AA37-BB6A-42D5-932F-6BB3C93A5A26}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{B4F5D33D-8602-42A1-9CF7-C179BF5DE8DA}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{8DC09C02-327A-42B7-99B4-D1778E59D825}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{40104CE3-27EC-42BC-BC88-08DC4D62505C}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{360BBE0D-A329-4B69-A105-BB5001FF657A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
C:\Program Files\Mozilla Firefox\extensions\{23DBE842-01F7-4E18-AF18-C8A1BD9D8CF9}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"





Hmm... well, it seems safe to say I am no longer being redirected. Thank you! :)

So, how were you able to figure out the problem? Was it just guesswork until the first Goored scan came back with some telling results? I'm curious because it would be nice to learn some of these techniques on my own, and perhaps be more useful in the future. Any good places to learn?

Also, what do you think was the probable cause of this goored thing? I guess I actually had a whole bunch of things on my computer... as I mentioned originally: trojans, viruses, etc. I guess I don't entirely understand how these things get in. I kinda always thought you would have to run some .exe on accident. Or is it that things like pdfs, video files, etc, can all be potentially dangerous? I've never really gotten any sort of infection this bad in the past, and I'm wondering what happened differently this time. I'm on a network with 5 other guys, my roommates, how big of a threat is there from that?


Once again, thank you! Is there anything else I should do? I guess at this point I'm assuming everything is gone...

Attached Files



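An added example, not part of the thread or of jpshortstuff's GooredFix: a Python audit of the program-wide Firefox extensions folder in the spirit of the log above. Goored's add-ons lived as {GUID}-named folders directly under C:\Program Files\Mozilla Firefox\extensions rather than in the user's profile, so the check is: a GUID-named folder there that is not on an allowlist of known-good GUIDs gets backed up and then removed, logged the way GooredFix logs it. The allowlist (seeded with the .NET Framework Assistant GUID from the registry dump above), the sample folder tree and the backup location are assumptions made for this example; run it with Firefox closed, since a running Firefox holds files open under that folder. It does not cover the second registration path visible in the dump, the HKLM\SOFTWARE\Mozilla\Firefox\extensions registry key.

```python
r"""Audit the program-wide Firefox extensions folder for Goored-style add-ons.

Goored dropped its redirector as add-on folders with random {GUID} names under
C:\Program Files\Mozilla Firefox\extensions (the folder GooredFix cleaned above),
not under the user's profile. This script flags GUID-named folders there that
are not allowlisted, backs each one up, then removes it, logging in the same
style as the GooredFix log. Paths, allowlist and sample tree are assumptions.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Exact match of a braced GUID such as {E4C8AA37-BB6A-42D5-932F-6BB3C93A5A26}.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Extensions that legitimately use a GUID id. The .NET Framework Assistant GUID
# appears in the registry dump above; extend this per site (assumption).
ALLOWLIST = {"{20a82645-c095-46ed-80e3-08825760534b}"}


def find_suspect_extensions(ext_dir: Path, allowlist=ALLOWLIST):
    """Return GUID-named add-on folders in ext_dir that are not allowlisted.

    Non-GUID ids such as talkback@mozilla.org are left alone: they are not
    what Goored used and would need a different check.
    """
    allowed = {a.lower() for a in allowlist}
    suspects = []
    for entry in sorted(ext_dir.iterdir()):
        if entry.is_dir() and GUID_RE.match(entry.name) and entry.name.lower() not in allowed:
            suspects.append(entry)
    return suspects


def quarantine(folders, backup_dir: Path):
    """Copy each folder into backup_dir, then delete it; return a GooredFix-style log.

    Deletion fails on Windows if Firefox still has files in the folder open,
    which is why the instructions say to close Firefox first.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    log = ["=====Goored Deletions====="]
    for folder in folders:
        log.append(str(folder))
        shutil.copytree(folder, backup_dir / folder.name, dirs_exist_ok=True)
        log.append("->Backing up folder... Done.")
        shutil.rmtree(folder)
        log.append("->Deleting folder... Done.")
    return log


def build_sample_tree(root: Path) -> Path:
    """Constructed sample mimicking the program-wide extensions folder (not real data)."""
    ext = root / "Mozilla Firefox" / "extensions"
    for name in (
        "{E4C8AA37-BB6A-42D5-932F-6BB3C93A5A26}",  # one of the GUIDs GooredFix removed above
        "{20a82645-c095-46ed-80e3-08825760534b}",  # .NET Framework Assistant: allowlisted
        "talkback@mozilla.org",                    # e-mail-style id, not GUID-named
        "{1234}",                                  # braces but not a GUID
    ):
        (ext / name).mkdir(parents=True)
        (ext / name / "install.rdf").write_text("<RDF/>")
    return ext


def demo():
    """Run the audit against a throwaway sample tree and return what happened."""
    root = Path(tempfile.mkdtemp(prefix="goored-audit-"))
    ext = build_sample_tree(root)
    backup = root / "GooredFix" / "Backup"
    suspects = find_suspect_extensions(ext)
    log = quarantine(suspects, backup)
    return {
        "flagged": [p.name for p in suspects],
        "remaining": sorted(p.name for p in ext.iterdir()),
        "backed_up": sorted(p.name for p in backup.iterdir()),
        "log": log,
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

To audit a real machine, point find_suspect_extensions at Path(r"C:\Program Files\Mozilla Firefox\extensions") instead of the sample tree, review the flagged list by hand, and only then call quarantine; the backup copy is what lets you restore a false positive.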
#18 heir (Trusted Helper, Malware Removal, 5,427 posts)

So, how were you able to figure out the problem? Was it just guesswork until the first Goored scan came back with some telling results? I'm curious because it would be nice to learn some of these techniques on my own, and perhaps be more useful in the future. Any good places to learn?

There isn't a tool that detects and fixes everything. Symptoms and experience from the trade make you choose what tools to use. There is a great place here with highly reputable teachers, GeekU. Just follow the links to find out more.

Also, what do you think was the probable cause of this goored thing? I guess I actually had a whole bunch of things on my computer... as I mentioned originally: trojans, viruses, etc. I guess I don't entirely understand how these things get in. I kinda always thought you would have to run some .exe on accident. Or is it that things like pdfs, video files, etc, can all be potentially dangerous? I've never really gotten any sort of infection this bad in the past, and I'm wondering what happened differently this time. I'm on a network with 5 other guys, my roommates, how big of a threat is there from that?

I myself am not yet experienced enough to tell you specifically where you got the infection from. There are numerous different ways you can get infected nowadays. When sharing a network with others there is always a potential risk of getting infected, as malware can jump from machine to machine. It all depends on how your network is secured and what precautions the users on the network are taking to reduce the risk of getting infected. By the end of this thread you'll at least have adequate precautions to reduce the risk of getting infected again.

Thanks for uploading that information.


Once again, thank you! Is there anything else I should do? I guess at this point I'm assuming everything is gone...

I always try to remove as much as possible when we are at it so let's do a couple of scans.

Step 1.
Clean temp locations:

Please download ATF Cleaner by Atribune.
Caution: This program is for Windows 2000, XP and Vista only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 2.
Scan with MBAM:

Please download Malwarebytes' Anti-Malware from here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 3.
Scan with Kaspersky Online Scanner:

Please do an online scan with Kaspersky Online Scanner

Kaspersky Online Scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")

Step 4.
Things I would like to see in your reply:

  • The content of the report from MBAM from Step 2.
  • The content of the report from Kaspersky Online Scanner from Step 3.


#19 Wasuremono (Member, Topic Starter, 18 posts)
Sorry for the delay...


Malwarebytes' Anti-Malware 1.36
Database version: 2090
Windows 5.1.2600 Service Pack 3

5/9/2009 3:00:23 AM
mbam-log-2009-05-09 (03-00-23).txt

Scan type: Quick Scan
Objects scanned: 94434
Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 08, 2009 22:12:31
Records in database: 2146873
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 241116
Threat name: 1
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:45:21


File name / Threat name / Threats count
C:\Documents and Settings\Hans\.housecall6.6\Quarantine\keyfinder.exe.bac_a01920 Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Documents and Settings\Hans\.housecall6.6\Quarantine\keyfinder.exe.bac_a02908 Infected: not-a-virus:PSWTool.Win32.RAS.a 2

The selected area was scanned.

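An added example, not from the thread: a parser for the findings table of the Kaspersky Online Scanner report above. Kaspersky's "not-a-virus:" prefix marks riskware, legitimate but abusable tools such as the PSWTool class (password and product-key recovery utilities), rather than malware, and both hits here sit inside Trend Micro HouseCall's own quarantine folder (.housecall6.6\Quarantine), that is, files another scanner had already neutralised. The script splits findings into malware versus riskware, marks paths under a Quarantine folder, and buckets them the way a helper decides what still needs removing; that bucketing is the example's own judgement, not Kaspersky's. The first two sample lines are the ones reported above; the third, with its path and threat name, is invented to show how a genuine malware hit is treated.

```python
"""Triage the findings table of a Kaspersky Online Scanner 7.0 report.

Each finding line has the shape
    <path> Infected: <threat> <count>
Kaspersky's "not-a-virus:" prefix denotes riskware (PSWTool, RemoteAdmin,
Monitor, AdWare, ...), which is reported separately from malware here. Paths
under a folder named Quarantine belong to another scanner's quarantine and
are already neutralised. The third sample line is constructed for the example.
"""
import re
from dataclasses import dataclass

SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Hans\.housecall6.6\Quarantine\keyfinder.exe.bac_a01920 Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Documents and Settings\Hans\.housecall6.6\Quarantine\keyfinder.exe.bac_a02908 Infected: not-a-virus:PSWTool.Win32.RAS.a 2
C:\Documents and Settings\Hans\Local Settings\Temp\example.tmp Infected: Trojan.Win32.Example.a 1

The selected area was scanned.
"""

TABLE_HEADER = "File name / Threat name / Threats count"
# Lazy path match so paths containing spaces still stop at " Infected:".
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)


@dataclass
class Finding:
    path: str
    verdict: str
    threat: str
    count: int
    category: str        # "riskware" for not-a-virus:*, otherwise "malware"
    in_quarantine: bool  # path lies under a folder named Quarantine


def classify(threat: str) -> str:
    return "riskware" if threat.lower().startswith("not-a-virus:") else "malware"


def in_quarantine_dir(path: str) -> bool:
    return "quarantine" in (part.lower() for part in re.split(r"[\\/]", path))


def parse_report(text: str):
    """Parse the lines following the table header; stop at lines that do not match."""
    findings, in_table = [], False
    for line in text.splitlines():
        if line.startswith(TABLE_HEADER):
            in_table = True
            continue
        if not in_table:
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        findings.append(Finding(
            path=m["path"], verdict=m["verdict"], threat=m["threat"],
            count=int(m["count"]), category=classify(m["threat"]),
            in_quarantine=in_quarantine_dir(m["path"]),
        ))
    return findings


def summarize(findings):
    """Bucket findings the way a helper decides what still needs removal.

    Anything already sitting in a quarantine folder is inert; riskware outside
    quarantine is a judgement call (the user may have installed it knowingly);
    everything else needs removal.
    """
    out = {"needs_removal": [], "already_quarantined": [], "riskware": []}
    for f in findings:
        if f.in_quarantine:
            out["already_quarantined"].append(f.path)
        elif f.category == "riskware":
            out["riskware"].append(f.path)
        else:
            out["needs_removal"].append(f.path)
    return out


if __name__ == "__main__":
    for bucket, paths in summarize(parse_report(SAMPLE_REPORT)).items():
        print(bucket, len(paths))
        for p in paths:
            print("   ", p)
```

The count column is the number of hits inside each file, which is why the report header above shows 4 infected objects for 2 listed files; summing Finding.count over the parsed table is a quick consistency check against the "Infected objects" line.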
#24 Wasuremono (Member, Topic Starter, 18 posts)
What the heck? I've never had so much as a double post in my life, and if my eyes aren't deceiving me it looks like I just posted a whole lot of times in a row? Just when I think maybe my computer is clean, something strange like this happens.

#25 heir (Trusted Helper, Malware Removal, 5,427 posts)
The double posting happens sometimes (during backup hours). I'll have someone fix that.

Let's remove what Kaspersky found.

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    :Files
    C:\Documents and Settings\Hans\.housecall6.6\Quarantine\keyfinder.exe.bac_a01920
    C:\Documents and Settings\Hans\.housecall6.6\Quarantine\keyfinder.exe.bac_a02908
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL2 fixlog

How is your computer running now?
A last check on how your computer is running before the housekeeping.


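An added example, not part of the thread or of OldTimer's OTL: what "scheduled to be deleted on reboot" in an OTL fix log means on the registry side, and how to verify it. When a file is in use (in the next post, the scanner binaries Kaspersky left under the user's temp folder), it cannot be deleted immediately; the standard Windows mechanism for deferring that is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager carries it out at the next boot. That OTL uses exactly this mechanism is an assumption; the sample registry content is constructed, and the replace pair in it is invented. The same value is also a place malware can queue a file replacement that runs before any on-demand scanner, so an entry that replaces a system file deserves a look during cleanup.

```python
r"""Cross-check OTL "scheduled to be deleted on reboot" lines against
PendingFileRenameOperations.

Windows stores the value as a flat REG_MULTI_SZ list of alternating
source, destination strings. Sources carry the NT prefix \??\; an empty
destination means delete, and a destination beginning with "!" means
replace an existing file (MOVEFILE_REPLACE_EXISTING). Assumption: OTL
schedules its deferred deletions through this mechanism. Sample data is
constructed for the example.
"""
import re
import sys

NT_PREFIX = "\\??\\"
OTL_DELETE_RE = re.compile(r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$")

# Three lines taken from the OTL fix log in this thread plus one unrelated line.
SAMPLE_OTL_LOG = r"""
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Arj.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\avlib.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\fla2AC.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
"""

# Constructed REG_MULTI_SZ content. fla2AC.tmp is deliberately absent, and the
# last pair is an invented replace of a (made-up) system DLL.
SAMPLE_PENDING = [
    r"\??\C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Arj.ppl", "",
    r"\??\C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\avlib.ppl", "",
    r"\??\C:\WINDOWS\system32\example_old.dll", r"!\??\C:\WINDOWS\system32\example_new.dll",
]


def _strip_nt_prefix(p: str) -> str:
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def parse_pending(entries):
    """Turn the flat list into (op, source, destination) tuples."""
    entries = list(entries)
    if len(entries) % 2:          # a trailing source with no destination is a delete
        entries.append("")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(("delete", _strip_nt_prefix(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", _strip_nt_prefix(src), _strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", _strip_nt_prefix(src), _strip_nt_prefix(dst)))
    return ops


def scheduled_deletions(otl_log: str):
    """Paths OTL says it deferred to the next reboot."""
    matches = (OTL_DELETE_RE.match(line) for line in otl_log.splitlines())
    return [m["path"] for m in matches if m]


def cross_check(otl_log: str, pending_entries):
    """Split OTL's deferred deletions into those really queued and those missing."""
    queued = {src.lower() for op, src, _ in parse_pending(pending_entries) if op == "delete"}
    confirmed, missing = [], []
    for path in scheduled_deletions(otl_log):
        (confirmed if path.lower() in queued else missing).append(path)
    return confirmed, missing


def read_live_pending():
    """Read the real value on Windows; return [] elsewhere or when nothing is queued."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        return list(value)
    except FileNotFoundError:
        return []
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    entries = read_live_pending() or SAMPLE_PENDING
    for op, src, dst in parse_pending(entries):
        print(f"{op:8} {src}" + (f" -> {dst}" if dst else ""))
    ok, gone = cross_check(SAMPLE_OTL_LOG, entries)
    print("confirmed:", len(ok), "missing:", gone)
```

On a Windows machine read_live_pending() returns the live list and the script checks the OTL log against it; elsewhere it falls back to the constructed sample. Read the value before rebooting: Session Manager clears it once the operations have run.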
#26 Wasuremono (Member, Topic Starter, 18 posts)
It seems to be running well. Did that last step fix another problem?

Here is the log:

========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\Documents and Settings\Hans\.housecall6.6\Quarantine\keyfinder.exe.bac_a01920 moved successfully.
C:\Documents and Settings\Hans\.housecall6.6\Quarantine\keyfinder.exe.bac_a02908 moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Arj.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\avlib.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Avp1.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\AvpMgr.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\btimages.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\CAB.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\dmap.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\dtreg.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\FsDrvPlg.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\FSSync.dll scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\HashCont.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\HashMD5.PPL scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\HCCMP.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\ichk2.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\iChkSA.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Inflate.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\IWGen.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\kave.dll scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\kosglue-7.0.26.0.dll scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\lha.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\L_llio.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\mdb.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\MDMAP.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\MemModSc.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\MemScan.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\minizip.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\MKavIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\msoe.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\nfio.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\NTFSstrm.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\prKernel.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\prLoader.dll scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\prseqio.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\PrUtil.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Quantum.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\rar.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\ScanningProcess.exe scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\sfdb.PPL scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\TempFile.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\thpimpl.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\UniArc.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\UnLZX.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\UnStored.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\WDiskIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\hsperfdata_Hans\2196 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\hsperfdata_Hans\2788 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\hsperfdata_Hans\2808 scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\etilqs_Hc8ddj1Kwq5iP5MMU0Lo scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\fla2AC.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\flaCE.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Hans\Local Settings\temp\~DFD62E.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_28c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_740.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Hans\Application Data\Sun\Java\Deployment\cache\6.0\14\757e808e-67a17151 scheduled to be deleted on reboot.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.3 log created on 05092009_143233

Files moved on Reboot...
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Arj.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\avlib.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Avp1.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\AvpMgr.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\btimages.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\CAB.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\dmap.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\dtreg.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\FsDrvPlg.ppl moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\FSSync.dll
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\FSSync.dll NOT unregistered.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\FSSync.dll moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\HashCont.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\HashMD5.PPL moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\HCCMP.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\ichk2.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\iChkSA.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Inflate.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\IWGen.ppl moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\kave.dll
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\kave.dll NOT unregistered.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\kave.dll moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\kosglue-7.0.26.0.dll
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\kosglue-7.0.26.0.dll NOT unregistered.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\kosglue-7.0.26.0.dll moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\lha.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\L_llio.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\mdb.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\MDMAP.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\MemModSc.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\MemScan.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\minizip.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\MKavIO.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\msoe.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\nfio.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\NTFSstrm.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\prKernel.ppl moved successfully.
DllUnregisterServer procedure not found in C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\prLoader.dll
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\prLoader.dll NOT unregistered.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\prLoader.dll moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\prseqio.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\PrUtil.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\Quantum.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\rar.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\ScanningProcess.exe moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\sfdb.PPL moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\TempFile.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\thpimpl.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\UniArc.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\UnLZX.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\UnStored.ppl moved successfully.
C:\Documents and Settings\Hans\Local Settings\temp\jkos-Hans\binaries\WDiskIO.ppl moved successfully.
File C:\Documents and Settings\Hans\Local Settings\temp\hsperfdata_Hans\2196 not found!
File C:\Documents and Settings\Hans\Local Settings\temp\hsperfdata_Hans\2788 not found!
File C:\Documents and Settings\Hans\Local Settings\temp\hsperfdata_Hans\2808 not found!
File C:\Documents and Settings\Hans\Local Settings\temp\etilqs_Hc8ddj1Kwq5iP5MMU0Lo not found!
File C:\Documents and Settings\Hans\Local Settings\temp\fla2AC.tmp not found!
File C:\Documents and Settings\Hans\Local Settings\temp\flaCE.tmp not found!
C:\Documents and Settings\Hans\Local Settings\temp\~DFD62E.tmp moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_28c.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_740.dat not found!
C:\Documents and Settings\Hans\Application Data\Sun\Java\Deployment\cache\6.0\14\757e808e-67a17151 moved successfully.

Registry entries deleted on Reboot...

#27 heir (Trusted Helper, Malware Removal, 5,427 posts)

    It seems to be running well. Did that last step fix another problem?

No, that was just quarantined objects that were removed.

There is this strange entry in one of the logs that still puzzles me, and that I'd like to check a bit more.
We're going to give RootRepeal another try. Read all the instructions before you run the scan, as there is an alternative if it crashes again.

Download RootRepeal.zip and unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    Note: The scan can take some time. DO NOT run any other programs while the scan is running

  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


If RootRepeal crashes, start RootRepeal again,
then go to the menu Settings - Options. A window will open.
On the General tab move the slider to the middle position (middle level).
Close the Options window and run the scan with the settings as above again.

#28 Wasuremono (Topic Starter, Member, 18 posts)
My computer crashed again, so I changed it to the "middle" setting and that worked.

Here is the log:


ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/10 14:24
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_CLASSPNP.SYS
Address: 0xB8A34000 Size: 53248 File Visible: No
Status: -

Name: dump_nvraid.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvraid.sys
Address: 0xB0D2B000 Size: 86016 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAEA21000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\Perflib_Perfdata_54c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 8192, Raw: 4096)

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fe2a0

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc36b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fd7c2

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fde5c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc3574

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fd51c

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14ff776

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fe486

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fd0ea

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fe6d4

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc3a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc314c

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14ff3f8

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fda46

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fe094

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc364e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc308c

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fdcd6

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc30f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc376e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fee30

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fd63a

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc372e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14ff194

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14ff5a6

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb0dc38ae

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fd9e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fdbca

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb1108df0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xb14fd2b4

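The RootRepeal procedure in #27 produces the SSDT section shown in #28, where every hooked service belongs to cmdguard.sys (COMODO), aswSP.SYS (avast!) or SASKUTIL.sys (SUPERAntiSpyware), all products that appear elsewhere in this thread's logs. What a reviewer actually wants from such a list is "which drivers are hooking, and is any of them not one I expect". The script below is an added example, not part of the thread and not a RootRepeal feature: it parses the two-line hook records RootRepeal prints, groups them by hooking driver and flags any driver missing from an allowlist. The allowlist contents and the `example_unknown.sys` entry in the constructed sample are assumptions made for illustration.

```python
"""Triage helper for the 'SSDT' section of a RootRepeal report (added example).

RootRepeal prints each hooked service as a pair of lines:
    #: 025 Function Name: NtClose
    Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xb0dc36b8
This parses those pairs, groups hooks by the hooking driver, and reports any hooking
driver that is not on an allowlist of known security-product drivers.
"""
import re
from collections import defaultdict

# Assumed allowlist: driver file names of the products visible in this thread's logs.
KNOWN_HOOKERS = {
    "cmdguard.sys": "COMODO Internet Security",
    "aswsp.sys": "avast! Self Protection",
    "saskutil.sys": "SUPERAntiSpyware",
}

HOOK_RE = re.compile(
    r"#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<name>\w+)\s*\n"
    r"Status:\s*Hooked by \"(?P<driver>[^\"]+)\" at address (?P<addr>0x[0-9a-fA-F]+)",
    re.MULTILINE,
)


def parse_ssdt_hooks(report: str):
    """Return one dict per hooked SSDT entry found in the report text."""
    hooks = []
    for m in HOOK_RE.finditer(report):
        driver = m.group("driver")
        hooks.append({
            "index": int(m.group("index")),
            "name": m.group("name"),
            "driver": driver,
            # Compare on the lower-cased file name; RootRepeal mixes path casing.
            "basename": driver.rsplit("\\", 1)[-1].lower(),
            "address": int(m.group("addr"), 16),
        })
    return hooks


def group_by_driver(hooks):
    """Map driver file name -> list of hooked service names, in report order."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["basename"]].append(h["name"])
    return dict(groups)


def unknown_hookers(hooks, allowlist=KNOWN_HOOKERS):
    """Hooking drivers not on the allowlist; these are what a reviewer looks at first."""
    return sorted({h["basename"] for h in hooks if h["basename"] not in allowlist})


# Constructed sample: three records in the format of the RootRepeal log above, plus one
# made-up driver (example_unknown.sys) so the allowlist check has something to report.
SAMPLE = """\
SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xb14fe2a0

#: 025 Function Name: NtClose
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xb0dc36b8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xb1108df0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\\WINDOWS\\System32\\drivers\\example_unknown.sys" at address 0xb0000000
"""

if __name__ == "__main__":
    hooks = parse_ssdt_hooks(SAMPLE)
    for drv, names in sorted(group_by_driver(hooks).items()):
        label = KNOWN_HOOKERS.get(drv, "UNKNOWN - review")
        print(f"{drv:22} {label:28} {', '.join(names)}")
    print("unknown hooking drivers:", unknown_hookers(hooks))
```

A driver on the allowlist still deserves a glance at its on-disk path: a hook attributed to a file named like a security product but living outside that product's directory is worth checking, which is why the parser keeps the full `driver` path alongside the `basename` it matches on.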
#29 heir (Trusted Helper, Malware Removal, 5,427 posts)
There is a suspected entry in the ComboFix log from earlier.
I would like you to disable all your security programs and run ComboFix again. (It's safe, as ComboFix disconnects your internet connection when it runs. Just re-enable them after the scan is completed.)

Disable your Firewall, AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.


Double click on ComboFix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#30 Wasuremono (Topic Starter, Member, 18 posts)
ComboFix 09-05-05.03 - Hans 05/10/2009 16:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2219 [GMT -4:00]
Running from: c:\documents and settings\Hans\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090509-0] *On-access scanning disabled* (Updated)
FW: COMODO Firewall *enabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-10 19:28 . 2009-05-10 20:56 -------- d-----w c:\documents and settings\Hans\Local Settings\Application Data\FullTiltPoker
2009-05-06 21:21 . 2009-05-06 21:21 -------- d-----w C:\_OTListIt
2009-05-05 22:04 . 2009-05-09 21:29 -------- d-----w C:\Lop SD
2009-05-05 21:46 . 2009-05-05 21:46 -------- d--h--w c:\windows\PIF
2009-05-04 20:56 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-04 20:55 . 2009-05-04 20:55 -------- d-----w c:\program files\Panda Security
2009-05-04 17:07 . 2009-05-04 17:07 -------- d-----w C:\Rooter$
2009-05-04 16:59 . 2009-05-04 17:00 -------- d-----w c:\program files\ERUNT
2009-05-04 07:53 . 2009-05-04 07:53 -------- d-----w c:\program files\Alwil Software
2009-05-04 07:07 . 2009-05-04 13:45 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-04 07:07 . 2009-05-04 07:07 155384 ----a-w c:\windows\system32\guard32.dll
2009-05-04 07:07 . 2009-05-04 07:07 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-05-04 07:07 . 2009-05-04 07:07 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-05-04 07:07 . 2009-05-04 07:07 -------- d-----w c:\program files\COMODO
2009-05-04 06:58 . 2009-05-06 01:29 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-04 06:58 . 2009-05-04 07:01 -------- d-----w c:\program files\SpywareBlaster
2009-05-04 06:28 . 2009-05-04 06:28 -------- d-----w c:\windows\system32\scripting
2009-05-04 06:28 . 2009-05-04 06:28 -------- d-----w c:\windows\l2schemas
2009-05-04 06:28 . 2009-05-04 06:28 -------- d-----w c:\windows\system32\en
2009-05-04 06:28 . 2009-05-04 06:28 -------- d-----w c:\windows\system32\bits
2009-05-04 06:27 . 2009-05-04 06:28 -------- d-----w c:\windows\ServicePackFiles
2009-05-04 04:31 . 2009-05-04 04:31 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-04 04:19 . 2009-05-04 04:19 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-04 04:19 . 2009-05-04 04:19 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-04 04:19 . 2009-05-04 04:19 -------- d-----w c:\documents and settings\Hans\Application Data\SUPERAntiSpyware.com
2009-05-04 04:03 . 2009-05-04 04:02 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-03 18:49 . 2009-05-04 06:04 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-03 18:43 . 2009-05-03 18:43 -------- d-----w c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-05-03 18:25 . 2009-05-03 18:25 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-01 21:38 . 2009-05-01 21:38 -------- d-----w c:\windows\system32\NtmsData
2009-05-01 21:12 . 2009-05-01 21:12 -------- d-----w c:\documents and settings\Hans\Application Data\Malwarebytes
2009-05-01 21:12 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 21:12 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 21:12 . 2009-05-01 21:12 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 21:12 . 2009-05-01 21:12 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-01 21:00 . 2009-05-01 21:00 -------- d-----w C:\VundoFix Backups
2009-05-01 21:00 . 2009-05-01 21:00 -------- d-----w c:\program files\Storm
2009-05-01 20:59 . 2009-05-01 20:59 -------- d-----w c:\program files\Microsoft XNA
2009-05-01 06:24 . 2009-05-03 19:01 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-14 08:18 . 2009-04-14 08:18 25992 ----a-w c:\windows\system32\pgdfgsvc.exe
2009-04-14 02:50 . 2009-04-16 16:00 -------- d-----w c:\program files\Prevx
2009-04-14 02:24 . 2009-04-14 02:24 -------- d-----w c:\program files\Trend Micro
2009-04-14 01:58 . 2009-04-14 01:58 -------- d-----w c:\documents and settings\All Users\Application Data\Uniblue
2009-04-14 00:25 . 2009-04-14 04:53 0 ----a-w c:\windows\Isarafawinaqafo.bin
2009-04-14 00:25 . 2009-04-14 04:57 -------- d-----w c:\documents and settings\Hans\Local Settings\Application Data\{34DD23EC-0F88-40BD-B641-9B944710EB34}(2)
2009-04-14 00:25 . 2009-04-14 02:58 408 ----a-w c:\windows\Kkozu.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 20:56 . 2007-10-26 22:47 -------- d-----w c:\program files\Full Tilt Poker
2009-05-06 22:06 . 2007-06-08 17:32 -------- d-----w c:\program files\uTorrent
2009-05-06 21:07 . 2007-06-19 16:47 -------- d-----w c:\program files\Java
2009-05-04 07:21 . 2007-02-10 20:24 115600 ----a-w c:\documents and settings\Hans\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-04 06:29 . 2007-02-01 03:10 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-04 06:09 . 2008-12-24 03:20 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-04 04:17 . 2007-05-26 03:09 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-03 19:01 . 2007-09-12 13:37 -------- d-----w c:\program files\Lavasoft
2009-04-16 16:00 . 2007-08-24 19:13 -------- d-----w c:\program files\IrfanView
2009-04-14 01:52 . 2008-10-07 04:28 -------- d-----w c:\program files\Uniblue
2009-03-30 05:30 . 2008-08-24 12:00 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-08 09:24 . 2008-10-26 09:16 413696 ----a-w c:\windows\system32\wrap_oal.dll
2009-03-08 09:24 . 2008-10-26 09:16 110592 ----a-w c:\windows\system32\OpenAL32.dll
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2006-02-28 12:00 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2006-02-28 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-18 07:10 . 2009-02-18 07:10 25280 ----a-w c:\windows\system32\drivers\hamachi.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-05_21.56.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-10 18:16 . 2009-05-10 18:16 16384 c:\windows\Temp\Perflib_Perfdata_54c.dat
+ 2009-05-10 18:15 . 2009-05-10 18:15 16384 c:\windows\Temp\Perflib_Perfdata_288.dat
+ 2009-05-09 18:36 . 2009-05-09 18:36 204800 c:\windows\ERDNT\AutoBackup\5-9-2009\Users\00000002\UsrClass.dat
+ 2009-05-09 18:36 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-9-2009\ERDNT.EXE
+ 2009-05-07 06:04 . 2009-05-07 06:04 204800 c:\windows\ERDNT\AutoBackup\5-7-2009\Users\00000002\UsrClass.dat
+ 2009-05-07 06:04 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-7-2009\ERDNT.EXE
+ 2009-05-06 21:34 . 2009-05-06 21:34 204800 c:\windows\ERDNT\AutoBackup\5-6-2009\Users\00000002\UsrClass.dat
+ 2009-05-06 21:34 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\5-6-2009\ERDNT.EXE
+ 2009-05-09 18:36 . 2009-05-09 18:36 9076736 c:\windows\ERDNT\AutoBackup\5-9-2009\Users\00000001\ntuser.dat
+ 2009-05-07 06:04 . 2009-05-07 06:04 9039872 c:\windows\ERDNT\AutoBackup\5-7-2009\Users\00000001\ntuser.dat
+ 2009-05-06 21:34 . 2009-05-06 21:34 9039872 c:\windows\ERDNT\AutoBackup\5-6-2009\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-12-31 67128]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2006-04-07 135168]
"EasyTuneV"="c:\program files\Gigabyte\ET5\GUI.exe" [2004-06-15 200704]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"sealmon"="c:\program files\SealedMedia\sealmon.exe" [2007-06-04 296080]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-05-04 1851128]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-04 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-27 16208384]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

c:\documents and settings\Hans\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter SoftAP\Installer\WINXP\RaUI.exe [2007-1-31 720896]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-12-31 67128]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-31 805392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\unreal tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\InterVideo\\DeviceService\\DevSvc.exe"=
"c:\\Program Files\\Valve\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/4/2009 4:56 PM 28544]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/4/2009 3:53 AM 114768]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [5/4/2009 3:07 AM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [5/4/2009 3:07 AM 24336]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/4/2009 3:53 AM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCCFLTR.SYS [2/1/2007 10:21 PM 14095]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [8/26/2008 6:44 PM 163840]
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [9/12/2007 8:55 AM 336256]

--- Other Services/Drivers In Memory ---

*Deregistered* - MarkFun_NT
.
Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 19:42]

2009-04-14 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-10-07 13:03]

2009-05-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Hans\Application Data\Mozilla\Firefox\Profiles\ymj6zi6x.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 16:57
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Funk Software\Odyssey Client\odLogin.dll
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'lsass.exe'(1164)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(412)
c:\windows\system32\guard32.dll
c:\program files\RocketDock\RocketDock.dll
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-10 16:58
ComboFix-quarantined-files.txt 2009-05-10 20:58
ComboFix2.txt 2009-05-05 22:00

Pre-Run: 218,059,894,784 bytes free
Post-Run: 218,052,259,840 bytes free

231 --- E O F --- 2009-05-05 07:00

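heir refers to a "suspected entry" in the earlier ComboFix log without naming it. When reading a ComboFix "Files Created" section by hand, the usual first pass is to look for loose files dropped straight into the Windows directory, zero-byte files, and bursts of entries created in the same minute, then compare those against what was actually installed that day. The script below is an added example (not code from this thread and not ComboFix's own processing): it parses the fixed-width lines ComboFix prints and applies those three heuristics. The rules are this example's assumptions, the sample lines are copied from the ComboFix log above, and a hit means "look at this", not that the file is malicious.

```python
"""Parse ComboFix's 'Files Created' section and surface entries for review (added example).

Each line has the form
    <created> . <modified> <size|--------> <attrs> <path>
e.g.  2009-04-14 00:25 . 2009-04-14 04:53 0 ----a-w c:\\windows\\Isarafawinaqafo.bin
Directories carry '--------' in the size column and 'd' as the first attribute flag.
The heuristics here are assumptions for illustration, not ComboFix's own logic.
"""
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)


def parse_created(section: str):
    """Return one dict per file/directory line; lines that do not match are skipped."""
    records = []
    for line in section.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            # ComboFix prints dashes instead of a size for directories.
            "size": None if m.group("size").startswith("-") else int(m.group("size")),
            "attrs": m.group("attrs"),
            "is_dir": m.group("attrs").startswith("d"),
            "path": m.group("path"),
        })
    return records


def triage(records, windows_dir="c:\\windows"):
    """Per-file review heuristics; returns (path, reason) pairs."""
    hits = []
    for r in records:
        p = r["path"].lower()
        parent = p.rsplit("\\", 1)[0]
        # Legitimate installers rarely drop loose files straight into the Windows root.
        if not r["is_dir"] and parent == windows_dir:
            hits.append((r["path"], "loose file directly in the Windows directory"))
        # Zero-byte files are often markers or failed drops; either way, ask why it exists.
        if r["size"] == 0:
            hits.append((r["path"], "zero-byte file"))
    return hits


def clusters(records, min_entries=3):
    """Creation minutes with at least min_entries new entries. Installs and infections
    both leave such bursts, so each cluster is compared with what was installed then."""
    counts = Counter(r["created"] for r in records)
    return {minute: n for minute, n in counts.items() if n >= min_entries}


# Sample input: lines copied from the ComboFix log above (not a complete section).
SAMPLE = """\
2009-05-04 20:56 . 2008-06-19 20:24 28544 ----a-w c:\\windows\\system32\\drivers\\pavboot.sys
2009-05-04 07:07 . 2009-05-04 07:07 -------- d-----w c:\\program files\\COMODO
2009-05-04 07:07 . 2009-05-04 07:07 155384 ----a-w c:\\windows\\system32\\guard32.dll
2009-05-04 07:07 . 2009-05-04 07:07 110992 ----a-w c:\\windows\\system32\\drivers\\cmdguard.sys
2009-04-14 08:18 . 2009-04-14 08:18 25992 ----a-w c:\\windows\\system32\\pgdfgsvc.exe
2009-04-14 00:25 . 2009-04-14 04:53 0 ----a-w c:\\windows\\Isarafawinaqafo.bin
2009-04-14 00:25 . 2009-04-14 04:57 -------- d-----w c:\\documents and settings\\Hans\\Local Settings\\Application Data\\{34DD23EC-0F88-40BD-B641-9B944710EB34}(2)
2009-04-14 00:25 . 2009-04-14 02:58 408 ----a-w c:\\windows\\Kkozu.dat
"""

if __name__ == "__main__":
    recs = parse_created(SAMPLE)
    for path, reason in triage(recs):
        print(f"REVIEW  {reason:45} {path}")
    for minute, n in sorted(clusters(recs).items()):
        print(f"CLUSTER {minute:%Y-%m-%d %H:%M}: {n} entries created in the same minute")
```

Both the 2009-04-14 00:25 and the 2009-05-04 07:07 minutes come out as clusters on this sample; the second one is the COMODO install that the thread itself accounts for, which is exactly the comparison the cluster list is meant to prompt.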