Help - Search - Members - Calendar
Full Version: Redirected on Google searches
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
alexboy
Oct 31 2009, 07:55 PM
After doing a Google search and clicking on the given links, I am often (but not always) redirected to another bogus site. A MBAM scan came back clean, and after running Spybot and allegedly "fixing" the problems it found, the Google problem persists. If anyone can help, I'd be very grateful. Here are the MBAM and HJT logs:

Malwarebytes' Anti-Malware 1.41
Database version: 3070
Windows 5.1.2600 Service Pack 2

10/31/2009 2:17:19 PM
mbam-log-2009-10-31 (14-17-19).txt

Scan type: Quick Scan
Objects scanned: 125948
Time elapsed: 18 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:48 PM, on 10/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Documents and Settings\HP_Administrator\Desktop\yProxy.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O1 - Hosts: 91.212.127.226 osguard-pro.com
O1 - Hosts: 91.212.127.226 www.osguard-pro.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\iexplore.exe.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238527934296
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BA62877-8BEA-458E-9209-6F51E4CC697E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{49E71310-75FF-497D-BECD-E9C49FE7B764}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B7B8D55-4C0A-480F-9C44-79656DC6EC28}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BA62877-8BEA-458E-9209-6F51E4CC697E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{0BA62877-8BEA-458E-9209-6F51E4CC697E}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate1ca08a443d5b73e) (gupdate1ca08a443d5b73e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7953 bytes
alexboy
Nov 3 2009, 12:01 AM
Anyone have any ideas?
Blade81
Nov 8 2009, 03:14 PM
Hello,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


    • Download GMER here by clicking download exe -button and then saving it your desktop:
    • Double-click .exe that you downloaded
    • Click rootkit-tab and then scan.
    • Don't check
      Show All
      box while scanning in progress!
    • When scanning is ready, click Copy.
    • This copies log to clipboard
    • Post log in your reply.
    alexboy
    Nov 9 2009, 12:57 AM
    Thanks for your help, I really appreciate it. I'm running the GMER scan now, and since it's taking quite a while to finish, I'm going to post the DDS and Attach logs you requested here, and when the scan finishes, I'll post it separately. Here's the DDS log:



    DDS (Ver_09-10-26.01) - NTFSx86
    Run by HP_Administrator at 16:55:26.98 on Sun 11/08/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1456 [GMT -6:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe
    C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
    C:\Documents and Settings\HP_Administrator\Desktop\yProxy.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = www.yahoo.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\iexplore.exe.exe" /runcleanupscript
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: trymedia.com
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
    DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238527934296
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {0BA62877-8BEA-458E-9209-6F51E4CC697E} = 208.67.220.220,208.67.222.222
    TCP: {49E71310-75FF-497D-BECD-E9C49FE7B764} = 208.67.220.220,208.67.222.222
    TCP: {4B7B8D55-4C0A-480F-9C44-79656DC6EC28} = 208.67.220.220,208.67.222.222
    TCP: {892900FC-9814-4488-99C0-81491C1EE93D} = 208.67.220.220,208.67.222.222
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\gs1t2cw0.default\
    FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
    FF - plugin: c:\documents and settings\hp_administrator\application data\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-9-3 108289]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2006-7-21 468768]
    S2 gupdate1ca08a443d5b73e;Google Update Service (gupdate1ca08a443d5b73e);c:\program files\google\update\GoogleUpdate.exe [2009-7-19 133104]
    S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [2008-12-28 83496]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

    ============== File Associations ===============

    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1

    =============== Created Last 30 ================

    2009-10-23 20:47:44 0 d-----w- c:\program files\joogqs

    ==================== Find3M ====================

    2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll
    2009-09-13 21:08:03 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2009-09-13 21:08:03 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\dllcache\msv1_0.dll
    2009-09-10 19:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-10 19:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\dllcache\msasn1.dll
    2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
    2008-12-17 02:16:00 7518240 ----a-w- c:\program files\Firefox Setup 3.0.5.exe
    2008-11-12 00:16:26 14622342 ----a-w- c:\program files\vlc-0.9.6-win32.exe
    2008-11-06 23:38:24 2078831 ----a-w- c:\program files\mplayerc_20081005.zip
    2006-08-29 23:13:44 599592 ----a-w- c:\program files\DMSetup.exe
    2006-08-28 22:40:27 13736064 ----a-w- c:\program files\GoogleEarthWin.exe
    2006-08-28 19:43:49 37518744 ----a-w- c:\program files\iTunesSetup.exe
    2006-08-28 19:33:35 5834344 ----a-w- c:\program files\winzip100.exe
    2006-08-28 02:42:33 410309 ----a-w- c:\program files\yproxy12.zip
    2006-08-28 00:39:14 198656 ----a-w- c:\program files\yproxywizard.exe
    2006-10-31 01:40:06 22 -csha-w- c:\windows\sminst\HPCD.sys

    ============= FINISH: 16:57:00.42 ===============


    And here's the Attach log:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-10-26.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/27/2006 12:58:42 PM
    System Uptime: 11/8/2009 4:07:58 PM (0 hours ago)

    Motherboard: ASUSTek Computer INC. | | Basswood
    Processor: Intel® Core™2 CPU 6400 @ 2.13GHz | Socket 775 | 2133/266mhz
    Processor: Intel® Core™2 CPU 6400 @ 2.13GHz | Socket 775 | 2133/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 224 GiB total, 159.803 GiB free.
    D: is FIXED (NTFS) - 233 GiB total, 20.73 GiB free.
    E: is FIXED (FAT32) - 9 GiB total, 0.389 GiB free.
    F: is CDROM ()
    G: is CDROM ()
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable
    L: is FIXED (NTFS) - 1397 GiB total, 948.051 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 9/1/2009 10:26:14 PM - System Checkpoint
    RP2: 9/3/2009 4:55:24 PM - Installed Java™ 6 Update 15
    RP3: 9/3/2009 4:56:46 PM - Installed Java™ 6 Update 16
    RP4: 9/3/2009 9:55:22 PM - Avira AntiVir Personal - 9/3/2009 21:55
    RP5: 9/5/2009 10:20:16 AM - System Checkpoint
    RP6: 9/6/2009 3:48:57 PM - System Checkpoint
    RP7: 9/7/2009 5:13:26 PM - Installed Hearts of Iron III
    RP8: 9/7/2009 5:43:57 PM - Installed DirectX
    RP9: 9/7/2009 6:02:52 PM - Installed Hearts of Iron III
    RP10: 9/8/2009 6:16:51 PM - System Checkpoint
    RP11: 9/9/2009 7:36:54 PM - System Checkpoint
    RP12: 9/9/2009 11:06:34 PM - Software Distribution Service 3.0
    RP13: 9/11/2009 6:55:36 PM - System Checkpoint
    RP14: 9/13/2009 5:19:41 PM - System Checkpoint
    RP15: 9/14/2009 7:09:40 PM - System Checkpoint
    RP16: 9/15/2009 7:17:47 PM - System Checkpoint
    RP17: 9/16/2009 10:33:28 PM - Software Distribution Service 3.0
    RP18: 9/18/2009 7:20:21 PM - System Checkpoint
    RP19: 9/20/2009 4:55:44 PM - System Checkpoint
    RP20: 9/21/2009 7:45:26 PM - System Checkpoint
    RP21: 9/22/2009 8:35:03 PM - System Checkpoint
    RP22: 9/24/2009 1:43:59 PM - System Checkpoint
    RP23: 9/25/2009 5:40:36 PM - System Checkpoint
    RP24: 9/26/2009 5:50:40 PM - System Checkpoint
    RP25: 9/27/2009 7:06:49 PM - System Checkpoint
    RP26: 9/29/2009 5:59:46 PM - System Checkpoint
    RP27: 10/1/2009 6:27:49 PM - System Checkpoint
    RP28: 10/3/2009 8:02:22 AM - System Checkpoint
    RP29: 10/4/2009 7:06:03 PM - System Checkpoint
    RP30: 10/6/2009 4:50:37 PM - System Checkpoint
    RP31: 10/7/2009 6:57:30 PM - System Checkpoint
    RP32: 10/8/2009 7:46:58 PM - System Checkpoint
    RP33: 10/10/2009 11:22:58 AM - System Checkpoint
    RP34: 10/11/2009 5:41:07 PM - System Checkpoint
    RP35: 10/13/2009 6:18:43 PM - System Checkpoint
    RP36: 10/13/2009 10:50:20 PM - Software Distribution Service 3.0
    RP37: 10/15/2009 7:02:41 PM - System Checkpoint
    RP38: 10/16/2009 7:15:06 PM - System Checkpoint
    RP39: 10/18/2009 2:12:45 AM - System Checkpoint
    RP40: 10/19/2009 6:53:35 PM - System Checkpoint
    RP41: 10/20/2009 8:21:54 PM - System Checkpoint
    RP42: 10/22/2009 1:42:10 PM - System Checkpoint
    RP43: 10/23/2009 6:24:13 PM - System Checkpoint
    RP44: 10/25/2009 7:40:17 PM - System Checkpoint
    RP45: 10/27/2009 8:06:20 PM - System Checkpoint
    RP46: 10/29/2009 12:51:08 PM - System Checkpoint
    RP47: 10/30/2009 1:38:11 PM - System Checkpoint
    RP48: 10/31/2009 5:55:20 PM - System Checkpoint
    RP49: 11/1/2009 7:09:22 PM - System Checkpoint
    RP50: 11/2/2009 8:17:37 PM - System Checkpoint
    RP51: 11/4/2009 8:09:44 PM - System Checkpoint
    RP52: 11/4/2009 11:47:47 PM - Software Distribution Service 3.0
    RP53: 11/7/2009 8:52:05 PM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.9
    Apple Mobile Device Support
    Apple Software Update
    AutoUpdate
    Avira AntiVir Personal - Free Antivirus
    BitTornado 0.3.7
    Bonjour
    BufferChm
    Combined Community Codec Pack 2006-05-01 (Remove Only)
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    Customer Experience Enhancement
    Data Fax SoftModem with SmartCP
    Destinations
    DeviceManagementQFolder
    DISCover
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    Doomsday
    Easy Internet Sign-up
    Empire: Total War
    Enhanced Multimedia Keyboard Solution
    FLV Player 2.0 (build 25)
    FullDPAppQFolder
    GemMaster Mystic
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    Hearts of Iron III
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows Media Player 10 (KB910393)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB888795)
    Hotfix for Windows XP (KB891593)
    Hotfix for Windows XP (KB893357)
    Hotfix for Windows XP (KB895961)
    Hotfix for Windows XP (KB899337)
    Hotfix for Windows XP (KB899510)
    Hotfix for Windows XP (KB902841)
    Hotfix for Windows XP (KB906569)
    Hotfix for Windows XP (KB912024)
    Hotfix for Windows XP (KB918766)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    HP Boot Optimizer
    HP DigitalMedia Archive
    HP DVD Play 2.1
    HP Imaging Device Functions 7.0
    HP Photosmart for Media Center PC
    HP Photosmart Premier Software 6.5
    HP Update
    HP Web Helper
    HPPhotoSmartExpress
    HpSdpAppCoreApp
    InstantShareDevices
    Intel® Matrix Storage Manager
    Intel® PRO Network Connections Drivers
    Intel® Quick Resume Technology Drivers
    Intel® Viiv™ Software
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java™ 6 Update 16
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7
    LightScribe 1.4.105.1
    Malwarebytes' Anti-Malware
    MasterSplitter Program
    Matrix-ks
    Microsoft .NET Framework 1.0 Hotfix (KB887998)
    Microsoft .NET Framework 1.0 Hotfix (KB930494)
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Age of Empires
    Microsoft Age of Empires Expansion
    Microsoft Age of Empires II
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Money 2006
    Microsoft Office Standard Edition 2003 60 days trial
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Works
    Move Media Player
    Mozilla Firefox (3.5.2)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    muvee autoProducer 5.0
    muvee autoProducer unPlugged 2.0
    NVIDIA Drivers
    OpenOffice.org Installer 1.0
    OptionalContentQFolder
    Otto
    PC-Doctor 5 for Windows
    PhotoGallery
    Pixia
    Player
    Python 2.2 pywin32 extensions (build 203)
    Python 2.2.3
    Quicken 2006
    QuickPar 0.9
    QuickTime
    RandMap
    RealPlayer
    Realtek High Definition Audio Driver
    Seagate Manager Installer
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB947864)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    SkinsHP1
    SlideShow
    SlideShowMusic
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    Sonic_PrimoSDK
    Spybot - Search & Destroy
    Steam
    SUPERAntiSpyware Free Edition
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB912945)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    Updates from HP (remove only)
    VLC media player 0.9.4
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB883667
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB892050
    Windows XP Hotfix - KB893066
    Windows XP Media Center Edition 2005 KB908246
    Windows XP Media Center Edition 2005 KB925766
    Windows XP Media Center Edition 2005 KB973768
    WinRAR archiver
    WinZip
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    11/4/2009 5:21:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ftsata2

    ==== End Of File ===========================


    alexboy
    Nov 9 2009, 02:31 AM
    Here's the scan results:

    GMER 1.0.15.15163 - http://www.gmer.net
    Rootkit scan 2009-11-08 20:28:46
    Windows 5.1.2600 Service Pack 2
    Running: 7brderby.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafob.sys


    ---- System - GMER 1.0.15 ----

    SSDT BAFE05E6 ZwCreateKey
    SSDT BAFE05DC ZwCreateThread
    SSDT BAFE05EB ZwDeleteKey
    SSDT BAFE05F5 ZwDeleteValueKey
    SSDT BAFE05FA ZwLoadKey
    SSDT BAFE05C8 ZwOpenProcess
    SSDT BAFE05CD ZwOpenThread
    SSDT BAFE0604 ZwReplaceKey
    SSDT BAFE05FF ZwRestoreKey
    SSDT BAFE05F0 ZwSetValueKey
    SSDT BAFE05D7 ZwTerminateProcess

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[584] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!UnhookWindowsHookEx 7E41F21E 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!CallNextHookEx 7E41F85B 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!SetWindowsHookExW 7E42DDB5 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[2980] ole32.dll!OleLoadFromStream 7752A257 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[3072] USER32.dll!CreateWindowExW 7E41FC25 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[3072] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[3072] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[3072] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[3072] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[3072] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[3072] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[3072] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\internet explorer\iexplore.exe[3072] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\internet explorer\iexplore.exe[584] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\internet explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\internet explorer\iexplore.exe[2980] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\internet explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Elkbd.sys (Intel Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\F6MV0AIB\style[2].css 6242 bytes
    File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\F6MV0AIB\th_70658_x2_123_351lo[1].jpg 0 bytes
    File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\K3XU48E3\t[2].gif 49 bytes
    File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\MEQWD10N\viewtopic[1].htm 0 bytes
    File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\TFTQK6RI\viewtopic[1].htm 76615 bytes
    File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\TFTQK6RI\th_30591_2008_07_07_4900yummz_0_123_643lo[1].jpg 0 bytes
    File C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\TP26BI2V\th_31915_2008_07_14_4944chic_2_123_984lo[1].jpg 0 bytes

    ---- EOF - GMER 1.0.15 ----
    Blade81
    Nov 9 2009, 07:52 AM
    Hi,

    BitTornado

    Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.


    Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
    • Run Spybot-S&D in Advanced Mode
    • If it is not already set to do this, go to the Mode menu
      select
      Advanced Mode
    • On the left hand side, click on Tools
    • Then click on the Resident icon in the list
    • Uncheck
      Resident TeaTimer
       and OK any prompts.
    • Restart your computer



    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    alexboy
    Nov 10 2009, 04:50 AM
    OK, running Combofix seems to have crashed my system. It detected rootkit activity and had to reboot, but Windows could not restart from any mode I attempted. I had to use system recovery to get it to reboot, and that in itself seems to have solved my Google issue. Now I just need to restore my settings over the next few days.
    Blade81
    Nov 10 2009, 06:56 AM
    Sorry to hear that. Did you try last known good configuration too?
    alexboy
    Nov 11 2009, 12:55 AM
    Yes, I tried every option I was given, and Windows simply would not boot. I didn't see another option other than to use system recovery. Everything seems to be working fine now, but I have a few days of updating ahead of me. Thanks for your assistance, I think this thread can be locked unless you have anything else.
    Blade81
    Nov 11 2009, 06:07 AM
    Getting all things updated again is a con but positive thing is that you have clean system now for sure. To save from the trouble I recommend to create regular backup images of your system. I have good experience of Acronis True Image & Paragon Software Drive Backup.
    This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
    Invision Power Board © 2001-2010 Invision Power Services, Inc.