Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Browser redirected/hijacked

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Browser redirected/hijacked

Unread postby jmckay » August 24th, 2009, 7:39 pm

Browser is being redirected. Common HTTP 404 not found occurs. Also, have had My Computer Online scan pop up and I shut the computer "off"; I'm not sure if this all started with the kids using the computer shareware, but also had MVpro Virus which was subsequently removed with Malwarebytes (Also ran Defender, Adwaware, spybot) but problems still persist. When selecting a web site from the browser page it is directed to different ad websites...Hope you can assist-here is my hijackthis record:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:05 PM, on 8/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\browsercheck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0061019
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'LOCAL SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O15 - Trusted Zone: http://www.hotwire.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://66.193.198.11/SysCamInst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/h ... wiaaut.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss ... gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1756862828
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://66.193.198.11:8084/bl_camera.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://l.yimg.com/jh/games/web_games/po ... der_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--
End of file - 9963 bytes
jmckay
Active Member
 
Posts: 14
Joined: August 24th, 2009, 7:22 pm
Advertisement
Register to Remove

Re: Browser redirected/hijacked

Unread postby km2357 » August 27th, 2009, 2:28 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis Log
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Browser redirected/hijacked

Unread postby jmckay » August 27th, 2009, 3:30 pm

KM2357;
Thank you sooo much, I know there ar multiple problems. I am going out of town this evening, but should be able to correspond tomorrow afternoon PST. Here is my Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:17 PM, on 8/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\browsercheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc450.mail.yahoo.com/mc/welco ... p7b4is6r3n
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=0061019
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'LOCAL SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O15 - Trusted Zone: http://www.hotwire.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://66.193.198.11/SysCamInst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/h ... wiaaut.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss ... gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1756862828
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://66.193.198.11:8084/bl_camera.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://l.yimg.com/jh/games/web_games/po ... der_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--
End of file - 10766 bytes
jmckay
Active Member
 
Posts: 14
Joined: August 24th, 2009, 7:22 pm

Re: Browser redirected/hijacked

Unread postby km2357 » August 28th, 2009, 1:32 am

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these vendors NOW:

1)Antivir PersonalEdition Classic
2)avast! 4 Home Edition

Download and install only one!


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click No.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Browser redirected/hijacked

Unread postby jmckay » August 28th, 2009, 6:06 pm

Hello; km...I do/did have virus program anti virus plus by paretologic installed last week and every time on computer it asks if I want to update. I did get a corrupt file notice and to run scan disk; However, I thought it could be trojan/virus activity and did not do this, I did uninstall and reinstalled-program worked first time, then again got a corrupt file notice...it seems several security run programs are getting "corrupted" so I am reluctant to run anything. Is it possible files have been moved and hidden? Furthermore, I did down load Avira antivir. Attached you will find DDS and Attach files as requested. I had problem running Gmer, with the initial run, answered no, then computer "appeared" to be completed...I did save at that point and posted as well. I did however, continue with ok and pressed scan, for which I was going to save that log, but the computer went to blue screen and froze saying problem caused by file aujanskj.sys
I will await further instructions.

DDS (Ver_09-07-30.01) - NTFSx86
Run by James Munden at 23:54:31.37 on Thu 08/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1403 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\OAFZZ6QX\dds[1].scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://red.clientapps.yahoo.com/customi ... ch/ie.html
uStart Page = hxxp://us.mc450.mail.yahoo.com/mc/welco ... p7b4is6r3n
uWindow Title =
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customi ... .yahoo.com
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/ ... channel=us
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: Fast Browser Search Toolbar: {1bb22d38-a411-4b13-a746-c2a4f4ec7344} - c:\program files\fast browser search\ie\FBStoolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: hotwire.com\www
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/200 ... oader5.cab
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://66.193.198.11/SysCamInst.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/house ... hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan ... stubie.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} - hxxp://www.kodakgallery.com/downloads/h ... wiaaut.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ss ... gctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 1756862828
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/B ... ofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/B ... ofupld.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://66.193.198.11:8084/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://l.yimg.com/jh/games/web_games/po ... der_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2006-11-06 21:23 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-06-01 16:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008060120080602\index.dat
2009-01-06 16:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010620090107\index.dat
2009-01-09 16:56 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010920090110\index.dat

============= FINISH: 23:56:10.54 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/24/2006 8:18:38 PM
System Uptime: 8/27/2009 11:32:37 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG855
Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 293 GiB total, 201.314 GiB free.
D: is CDROM (UDF)
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 8/22/2009 6:38:44 PM - Ad-Aware Checkpoint

==== Installed Programs ======================


==== Event Viewer Messages From Past Week ========


==== End Of File ===========================


GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit quick scan 2009-08-28 05:38:52
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 89BA31D8 ZwEnumerateKey
Code 89B7F8E8 ZwFlushInstructionCache
Code 89BA220E IofCallDriver
Code 89BA21D6 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETlkdwkmov.sys (*** hidden *** ) [SYSTEM] SKYNETqrrvqvdy <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
jmckay
Active Member
 
Posts: 14
Joined: August 24th, 2009, 7:22 pm

Re: Browser redirected/hijacked

Unread postby km2357 » August 29th, 2009, 12:29 am

Looking at your GMER Log, I'd like to get another scan from another Rootkit Scanner to gather more information from your computer.

Step # 1: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.



Step # 2 Download and run RootRepeal


We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open Image on your desktop.
  4. Click the Image tab.
  5. Click the Image button.
  6. Check all seven boxes: Image
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


In your next post/reply, I need to see the following:

1. Uninstall List
2. The RootRepeal Log
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Browser redirected/hijacked

Unread postby jmckay » August 29th, 2009, 1:40 am

km; Here are the requested files....I received an error invalid PE image found when downloading from primary mirror for rootrepeal, I checked ok and downloaded anyway and ran program, it appeared to scan ok. At the end of the scan another rootrepeal error "find text file error 1392 (0x570)" appeared, again everything seemd to download so I saved file as requested.

Uninstall list:
¡En español! Level 1 Take-Home Tutor
530TX+
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
Advanced SystemCare 3
Age of Mythology Gold
AGEIA PhysX Engines
AIM Music Link 1.0.0.4
AIMTunes (remove only)
Andrea VoiceCenter
AOLIcon
Apple Mobile Device Support
Apple Software Update
ArcSoft Media Card Companion
ArcSoft MediaConverter
ArcSoft PhotoImpression 5
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control
Avira AntiVir Personal - Free Antivirus
Banctec Service Agreement
Bejeweled 2 Deluxe (remove only)
Bonjour
BroadJump Client Foundation
Browser Hijack Recover(BHR) 3.0
Buddy Icon Maker 1.0.0.1
CardRd81
CCScore
CEP - Color Enable Package
Colorizer 1.0.0.1
Conexant D850 56K V.9x DFVc Modem
Corel Photo Album 6
Coupon Printer for Windows
CR2
Creative Audio Pack
Creative MediaSource 5
Critical Update for Windows Media Player 11 (KB959772)
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.2
Digital Content Portal
Digital Line Detect
D-Link PCI Fast Ethernet Adapter
Documentation & Support Launcher
DV TS
EA Download Manager
EducateU
ELIcon
ESPNMotion
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
Eusing Free Registry Cleaner
Fast Browser Search (My Web Tattoo)
Free Internet Window Washer
Game Booster
Games, Music, & Photos Launcher
GameTap
GemMaster Mystic
Get High Speed Internet!
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hangar_of_Doom_PhysX
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hoyle Board Games 3
Hoyle Card Games 5
Hoyle Card Games Demo
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.A
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
InstallMgr
Intel(R) PRO Network Connections Drivers
Intel(R) Quick Resume Technology Drivers
Intel® Matrix Storage Manager
Intel® Viiv™ Software
Internet Service Offers Launcher
IObit Security 360 RC
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 15
Java(TM) 6 Update 5
Jewel Quest III (remove only)
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
Learn2 Player (Uninstall Only)
LimeWire 4.18.8
Malwarebytes' Anti-Malware
MediaFACE 4.2
MediaFACE 4.2 Image Library
Memorex exPressit Label Design Studio
Memorex exPressit Label Design Studio
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 97, Standard Edition
Microsoft Office Small Business Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Search Enhancement Pack
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Web Publishing Wizard 1.52
Microsoft Works
Microsoft WSE 3.0 Runtime
MobileMe Control Panel
Modem Helper
MSN
MSN Toolbar
MSN Toolbar
MSN Toolbar Setup
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
Musicmatch® Jukebox
Napster
Napster Burn Engine
netbrdg
NetWaiting
NVIDIA PhysX v8.06.12
Ofoto Print@Home ActiveX Control
OfotoXMI
Otto
Panda ActiveScan 2.0
ParetoLogic Anti-Virus PLUS
ParetoLogic Privacy Controls
PrintMaster 16
QuickTime
RealPlayer Basic
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
Scratches
SearchAssist
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SFR
SFR2
SHASTA
Shockwave
SimCity™ Societies
skin0001
SKINXSDK
Smart Defrag 1.03
Sonic Activation Module
Sonic Advanced Decoder
Sonic Encoders
Sonic Update Manager
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
Sound Blaster Audigy ADVANCED MB Product Registration
Space Colony
SPORE™
Spybot - Search & Destroy
Star Wars Empire at War
Star Wars Knights of the Old Republic
staticcr
Super Bounce Out
Super Bounce Out!
The Rosetta Stone 2000
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Bon Voyage
The Sims™ 2 Celebration! Stuff
The Sims™ 2 H&M® Fashion Stuff
The Sims™ 2 Seasons
The Sims™ 2 Teen Style Stuff
The Sims™ 3
TomTom HOME 2.6.4.1641
TomTom HOME Visual Studio Merge Modules
tooltips
TweakNow RegCleaner Standard
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
What's Running 2.2
Windows Defender
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WIRELESS
XoftSpySE
Yahoo! Anti-Spy
Yahoo! Install Manager
Yahoo! Search Protection
Zoo Tycoon 2

RootRepeal:

OOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/28 22:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9DD0D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETlkdwkmov.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETlkdwkmov.sys
Address: 0xA1E12000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\SKYNETexilrmlk.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETltewpyna.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETpkvsdrud.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\SKYNETrgixuirq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\desktop.ini
Status: Locked to the Windows API!

Path: C:\Program Files\Yahoo! Games\Bejeweled 2 Deluxe\BEJEWE~1.EXE:{FCBE602D-5D99-2F77-EAF4-9239CD5315FE}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Jewel Quest III\JewelQuest3.exe:{EBF012E8-0754-6144-EF5E-37361535F09A}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\SKYNETlkdwkmov.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temp\wbemprox.log
Status: Locked to the Windows API!

Path: c:\documents and settings\james munden\local settings\temp\~df13f9.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\james munden\local settings\temp\~df978f.tmp
Status: Allocation size mismatch (API: 180224, Raw: 16384)

Path: c:\documents and settings\james munden\local settings\temp\~dfe6fd.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\blank[1].html
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\blank[2].html
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\blank[3].html
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\blank[4].html
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\blank[5].html
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\BlousePurple[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\Blush[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\Blush[2].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\bn_bar1[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\bookmarkme[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\border-fullwidth-mid-red[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\-1_110_80[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\00082085-766183_100[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\082409_FamilyGuy2[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\1-0809_auto_nameyourprice_slider_flo_interactive_300x250[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\10038_75_75[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\10040_75_75[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\10072_60_60[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\10076_60_60[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\10099_60_60[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\10148_60_60[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\10176[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\10177[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\10183[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\partnersignup_banner_thumbnail_01[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\photo-page[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\pimstrip_22[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\pirates-mini-button[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\pixel[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\playVideoOverlay[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\play[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\point-here[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\populateFbCache[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\popupwithoverlay_wzym-x1l[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\pop[1].mp3
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\pop_dialog_top_right[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\adfx[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CA28ZXWJ.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CA2TBU7Z.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CA2W8SIO.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CA3G4KJ6.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CA52BJ3O.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CAAHR6OP.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CABMVHOQ.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CACAP481.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CAEMI90Q.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CAI45R44.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CAMA56OU.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CAQCOPEH.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CARBJO2E.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CAULO9VE.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CAVSYXDP.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31CAWMHREQ.txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ADSAdClient31[10].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\sm-print[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\small.4210471[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\small.4211370[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\SneakersBlackStripe[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\sob_logo[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\spacer[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\specialforces-mini-button[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\splashv2_zdtqhdce[1].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\spon-warrow[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\springflowers[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\sprite[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ico_saas_off[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ico_saas_on[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ico_spn_off[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ico_spn_on[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ico_tools_off[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ico_updatecenter_on[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\iestyle-minCAQ5E0S0.css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\iestyle-min[10].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\iestyle-min[11].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\iestyle-min[1].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\iestyle-min[2].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\iestyle-min[3].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\iestyle-min[4].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\iestyle-min[5].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\send_action[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\shadow-bg-left[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\shadow-bottom-tile[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\sheep_03[1].mp3
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\shoppingbadge-bronze-large[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ShortShagHairColor[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ShortSpikedHairColor[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\MaleEyes1[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\MaleRowdy[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\malwareblog[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\malwareremoval[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\marketDialog[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\masterpage_ayfkj-tt[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ma_mail_1[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\mbam-xp-antivirus[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\mbam[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\mediaselectorall_9hbvg6al[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\MediumShaggyHairBlack[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\HsWrmFlwr2[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\HsWrmGftGftBask[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\h_side_blogposts[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\i1000000[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\i2000000[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\i3000000[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\i4000000[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\i7000000[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\icon-cash[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\tutorials;kw=;tile=1;sz=300x250,336x280;ord=793866805590[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\tutorials_bottom;kw=;tile=2;sz=300x250,336x280;ord=2390421116653846[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\tutorials_bottom;kw=;tile=2;sz=300x250,336x280;ord=793866805590[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\twbkwbis[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\TwiTrivia728x90[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\twitter[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\t[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\t[2].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ultimate_game_card_btn[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\ul[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\inlinecomments_zjyexuhq[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\intel_icon[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\intl-flags[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\isf[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\jeffree-star-daniel-take-over--synd-msg-124044911486[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\jquery.min[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\jquery.min[2].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\jquery[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\js[1].axd
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\JS[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\juztinxcore--thumb-prf-1248637568[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\KNHTKHowOldFactorsGreenBotoxForYourHairPK15disc070609ah[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\KonaGet[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\l0u9mkwh[1].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\large_static1[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\570[3].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\570[4].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\5888_1066293632310_1675134539_131885_1407420_s[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\5wju7hxo[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\6002289487942_1_1a2d49e0[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\6002308661342_1_9f661500[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\6002312400776_1_11bdd445[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\hijackthis-misc[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\hijackthis-scan[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\hijackthis-select[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\hijackthis-start[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\hjt-pm[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\homePoster_2[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\homePoster_3[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\homePoster_4[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\home_feed[1].xml
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\home_feed[2].xml
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\horse_02[1].mp3
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\hp_1[1].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\hp_48_kv[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\hr-grn[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\VipChair17[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\web_email[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\web_tab_corner_right[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\welcome[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\whbuttonc_2[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\windowsupdate_microsoft_com[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\windows_masthead_ltr[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\winpatro-lbanner[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\xp-antivirus-2008[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\icon_flower[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\icon_folderarrow[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\James Munden\Local Settings\Temporary Internet Files\Content.IE5\SIQERFBA\icon_idea[1].gif
Status: Invisible to Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: winlogon.exe (PID: 988) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: services.exe (PID: 1036) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: lsass.exe (PID: 1048) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: Ati2evxx.exe (PID: 1316) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETrgixuirq.dll]
Process: svchost.exe (PID: 1344) Address: 0x008f0000 Size: 53248

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: svchost.exe (PID: 1344) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: svchost.exe (PID: 1452) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: MsMpEng.exe (PID: 1604) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: svchost.exe (PID: 1644) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: svchost.exe (PID: 1700) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: svchost.exe (PID: 1964) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: AAWService.exe (PID: 2032) Address: 0x00d10000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: spoolsv.exe (PID: 384) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: sched.exe (PID: 496) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: Explorer.EXE (PID: 448) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: avguard.exe (PID: 540) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: svchost.exe (PID: 640) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: MSASCui.exe (PID: 912) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: avgnt.exe (PID: 928) Address: 0x003f0000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: ctfmon.exe (PID: 948) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: GoogleToolbarNotifier.exe (PID: 952) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: AWC.exe (PID: 964) Address: 0x01230000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: iexplore.exe (PID: 1756) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: iexplore.exe (PID: 1940) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: CTsvcCDA.exe (PID: 2084) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: ehSched.exe (PID: 2144) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: Iaantmon.exe (PID: 2204) Address: 0x00690000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: IS360srv.exe (PID: 2284) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: jqs.exe (PID: 2392) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: MDM.EXE (PID: 2424) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: mstbsvc.exe (PID: 2476) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: HPZipm12.exe (PID: 2560) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: SeaPort.exe (PID: 2596) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: svchost.exe (PID: 2732) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: svchost.exe (PID: 2784) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: TomTomHOMEService.exe (PID: 2880) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: plasservice.exe (PID: 2948) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: Elservice.exe (PID: 2976) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: unsecapp.exe (PID: 3332) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: dllhost.exe (PID: 3400) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: wmiprvse.exe (PID: 3432) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: alg.exe (PID: 3924) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: svchost.exe (PID: 344) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: iexplore.exe (PID: 3468) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: AAWTray.exe (PID: 1548) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETltewpyna.dll]
Process: RootRepeal.exe (PID: 2720) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: SKYNETqrrvqvdy
Image Path: C:\WINDOWS\system32\drivers\SKYNETlkdwkmov.sys

==EOF==

Thank you
jmckay
Active Member
 
Posts: 14
Joined: August 24th, 2009, 7:22 pm

Re: Browser redirected/hijacked

Unread postby km2357 » August 29th, 2009, 1:13 pm

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

LimeWire 4.18.8

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new HJT scan when finished and post the log back here.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Browser redirected/hijacked

Unread postby jmckay » August 29th, 2009, 1:41 pm

My kids downloaded the P2P, I was reluctant and should not have allowed it, now I have documentation as to why they should not use that program. Thanks-file deleted with pleasure!
here is the new hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:57 AM, on 8/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Creative\MediaSource5\CtDetctu.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\browsercheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc450.mail.yahoo.com/mc/welco ... p7b4is6r3n
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=0061019
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'LOCAL SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O15 - Trusted Zone: http://www.hotwire.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://66.193.198.11/SysCamInst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/h ... wiaaut.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss ... gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1756862828
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://66.193.198.11:8084/bl_camera.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://l.yimg.com/jh/games/web_games/po ... der_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--
End of file - 11237 bytes
jmckay
Active Member
 
Posts: 14
Joined: August 24th, 2009, 7:22 pm

Re: Browser redirected/hijacked

Unread postby km2357 » August 30th, 2009, 4:24 am

Since you have Avira now as your main Anti-Virus, you can go ahead and uninstall the ParetoLogic AV.

Go to Add/Remove Programs and uninstall the following:

ParetoLogic Anti-Virus PLUS

While you're in Add/Remove Programs, I'd like for you to uninstall the following as well:

Fast Browser Search (My Web Tattoo)

Once you've uninstalled both items, reboot your computer.


When the computer boots up again, perform the following step:


Step # 1: Download and Run ComboFix

Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

Image


Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please include C:\ComboFix.txt and a fresh HiJackThis Log in your next reply so we can continue cleaning the system.

Use multiple posts if you can't fit everything into one post.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Browser redirected/hijacked

Unread postby jmckay » August 31st, 2009, 12:57 am

I ran Combofix and someone inadvertantly moved the mouse and it stopped at program 8 completed, I had to restart the computer and the computer went into scan disk mode and deleted some corrupt files and recovered some orphaned files.
I then restarted Combofix and the following report is what printed: (following that report I ran HijackThis and also have that posted)...During the first run of ComboFix I had 2 corrupt file reports ATTRIB.cfxxe WPDNSE and PEV.exe C:\$Mft...Also, prior to the first scan five files were listed and I was instructed to jot them down as they may be needed later. They were as follows:
1. C:\WINDOWS\system32\drivers\SKYNETlkdwkmov.sys
2. C:\WINDOWS|system32\SKYNETrgxuirg.dll
3. C:\WINDOWS\system32\SKYNEpkvsdrud.dat
4. C:\WINDOWS\system32\SKYNETletwpyna.dll
5. C:\WINDOWS\system32\SKYNETexilrmlk.dat
There was no other mention of these files??

ComboFix 09-08-30.01 - James Munden 08/30/2009 21:26.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1461 [GMT -7:00]
Running from: c:\documents and settings\James Munden\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.dat
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.lan
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.msi
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.par
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.res
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\instance.dat
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\mia.lib
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\2fe91b.msp
c:\windows\Installer\6e92a.msi
c:\windows\kb913800.exe
c:\windows\system\SysSD.dll
c:\windows\system32\Data

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-28 06:50 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-28 06:50 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-28 06:50 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-28 06:50 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-28 06:50 . 2009-08-28 06:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-28 06:50 . 2009-08-28 06:50 -------- d-----w- c:\program files\Avira
2009-08-26 21:58 . 2009-08-26 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-08-24 22:28 . 2009-08-24 22:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-24 21:55 . 2009-08-24 21:55 -------- d-----w- c:\program files\Windows Defender
2009-08-24 03:46 . 2009-08-24 03:46 -------- d-----w- c:\documents and settings\James Munden\Application Data\ParetoLogic
2009-08-24 03:45 . 2009-08-24 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-08-23 16:04 . 2009-08-24 21:47 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-23 16:04 . 2009-08-24 21:47 6341920 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-23 14:42 . 2009-08-30 15:29 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-08-23 14:42 . 2009-08-30 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-08-23 14:42 . 2009-08-23 14:42 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-08-23 04:20 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-23 04:20 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-23 04:19 . 2009-08-23 04:19 -------- dc-h--w- c:\windows\ie8
2009-08-23 03:50 . 2009-08-23 03:50 -------- d-----w- c:\program files\Browser Hijack Recover
2009-08-23 01:38 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-23 00:08 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-22 22:45 . 2009-08-22 22:45 -------- d-----w- c:\documents and settings\James Munden\Application Data\Reg Tool
2009-08-22 22:45 . 2009-08-22 22:50 -------- d-----w- c:\program files\Reg Tool
2009-08-21 22:37 . 2009-08-21 22:37 -------- d-----w- C:\_OTM
2009-08-18 00:20 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-15 05:07 . 2009-08-15 05:07 -------- d-----w- c:\documents and settings\James Munden\Application Data\Malwarebytes
2009-08-15 05:07 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-15 05:07 . 2009-08-15 05:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-15 05:07 . 2009-08-15 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-15 05:07 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-15 00:43 . 2009-08-15 00:43 -------- d-----w- c:\program files\Microsoft
2009-08-15 00:40 . 2009-08-15 00:40 152576 ----a-w- c:\documents and settings\James Munden\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-15 00:24 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-15 00:24 . 2009-08-15 00:24 -------- d-----w- c:\program files\Panda Security
2009-08-14 23:29 . 2009-08-14 23:29 0 ----a-w- c:\windows\system32\cmpwrap.dat
2009-08-06 17:45 . 2009-08-07 13:51 -------- d-----w- c:\program files\NOS
2009-08-06 17:45 . 2009-08-07 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 17:36 . 2007-09-14 02:18 -------- d-----w- c:\program files\LimeWire
2009-08-28 22:03 . 2006-10-25 18:51 25778 ----a-w- c:\documents and settings\James Munden\Application Data\wklnhst.dat
2009-08-27 19:49 . 2007-09-14 02:18 -------- d-----w- c:\documents and settings\James Munden\Application Data\LimeWire
2009-08-26 21:58 . 2009-01-05 02:40 -------- d-----w- c:\program files\IObit
2009-08-24 21:47 . 2009-08-23 16:04 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-24 21:47 . 2009-08-23 16:04 86012 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-24 03:47 . 2006-10-19 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-08-23 04:22 . 2006-10-19 21:58 -------- d-----w- c:\program files\Google
2009-08-22 23:42 . 2006-12-12 03:28 -------- d-----w- c:\program files\Lavasoft
2009-08-22 23:42 . 2009-01-12 00:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-22 22:14 . 2007-08-10 04:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-19 23:23 . 2008-12-26 17:10 -------- d-----w- c:\documents and settings\James Munden\Application Data\SPORE
2009-08-18 04:33 . 2007-04-26 22:25 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-08-15 00:41 . 2006-10-19 21:42 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2009-01-12 05:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2005-08-16 09:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 03:07 . 2006-10-25 04:43 117792 -c--a-w- c:\documents and settings\James Munden\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 23:00 . 2008-05-25 16:28 -------- d-----w- c:\program files\Microsoft Games
2009-07-04 19:33 . 2009-07-04 19:33 -------- d-----w- c:\program files\TomTom International B.V
2009-07-04 19:32 . 2008-12-25 05:18 -------- d-----w- c:\program files\TomTom HOME 2
2009-07-03 17:09 . 2005-08-16 09:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 05:47 . 2007-07-03 03:02 -------- d-----w- c:\program files\Yahoo!
2009-06-25 08:25 . 2005-08-16 09:18 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-08-16 09:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-08-16 09:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-08-16 09:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-08-16 09:18 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2005-08-16 09:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 09:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-08-16 09:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 09:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 16:19 . 2005-08-16 09:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2005-08-16 09:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2005-08-16 09:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-08 16:25 . 2009-06-08 16:25 10134 ----a-r- c:\documents and settings\James Munden\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-06-04 18:12 . 2007-05-25 22:33 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-06-03 19:09 . 2005-08-16 09:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2008-06-03 04:27 . 2008-06-03 04:26 6455296 --sha-w- c:\program files\ehthumbs.db
2006-11-07 04:23 . 2006-11-07 04:20 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-21 68856]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ehthumbs.db [2008-6-2 1536]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete\0SDEarlyDelete \??\c:\program files\SpywareDetector\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AGEIA Technologies\\Demos\\Hangar of Doom v1.2\\Binaries\\Unreal.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\GameHouse\\BounceOut\\BounceOut.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 1029456]
R2 SDMainSvc;SDMainSvc; [x]
R2 SDService;SDService; [x]
R3 athena;athena;c:\windows\system32\DRIVERS\athena.sys [2006-02-24 107392]
R3 SDActMon;SDActMon; [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-07-03 64160]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-20 28544]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2009-08-21 305936]
S2 mstbsvc;MSN Toolbar Setup;c:\program files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe [2009-02-10 104784]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-06-03 92008]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2008-05-14 120960]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mc450.mail.yahoo.com/mc/welco ... p7b4is6r3n
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customi ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: hotwire.com\www
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://66.193.198.11/SysCamInst.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP000000CD982F569007D4E678 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2741316596-2558630712-1779359092-1006\Software\SecuROM\License information*]
"datasecu"=hex:75,db,48,e2,8e,29,6e,2d,a0,6b,58,84,33,92,82,2a,be,81,9c,32,32,
88,28,ac,61,82,ce,38,e5,7f,81,95,fb,c6,4a,30,10,38,f4,21,b1,46,a6,58,c7,0d,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-08-31 21:47
ComboFix-quarantined-files.txt 2009-08-31 04:47

Pre-Run: 216,135,999,488 bytes free
Post-Run: 216,276,652,032 bytes free

243 --- E O F --- 2009-08-28 21:52

Hijack This:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:53 PM, on 8/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\browsercheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc450.mail.yahoo.com/mc/welco ... p7b4is6r3n
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0061019
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.hotwire.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://66.193.198.11/SysCamInst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/h ... wiaaut.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss ... gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1756862828
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://66.193.198.11:8084/bl_camera.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 9256 bytes
Thanks....Again
jmckay
Active Member
 
Posts: 14
Joined: August 24th, 2009, 7:22 pm

Re: Browser redirected/hijacked

Unread postby km2357 » August 31st, 2009, 1:32 am

Also, prior to the first scan five files were listed and I was instructed to jot them down as they may be needed later. They were as follows:
1. C:\WINDOWS\system32\drivers\SKYNETlkdwkmov.sys
2. C:\WINDOWS|system32\SKYNETrgxuirg.dll
3. C:\WINDOWS\system32\SKYNEpkvsdrud.dat
4. C:\WINDOWS\system32\SKYNETletwpyna.dll
5. C:\WINDOWS\system32\SKYNETexilrmlk.dat
There was no other mention of these files??


It looks like these files were deleted during ComboFix's first run. To make sure, check on your computer for the log from the first ComboFix run. If it exists, it'll be named either ComboFix.txt or ComboFix1.txt. It'll be located either in the C:\ComboFix folder or the C:\Qoobox folder. If you find either ComboFix or ComboFix1.txt and you're not sure which log is which open them both and post the one that has those 5 files listed in the Other Deletions section. If you can't find it, let me know and we'll go ahead and move onto the next step.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Browser redirected/hijacked

Unread postby jmckay » August 31st, 2009, 5:47 pm

I checked the combofix prior to last submission and there was nothing in that file...didn't know about the Qoo file-looks likle they are all there. Looks like they were quarantined.

here is what was in Qoobox file
2009-08-31 04:46:08 . 2009-08-31 04:46:08 355 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-SITEguard.reg.dat
2009-08-31 04:35:31 . 2009-08-31 04:35:31 9,286 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-08-31 03:18:18 . 2009-08-31 03:18:18 63,577 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_SKYNETlkdwkmov_.sys.zip
2009-08-31 03:18:01 . 2009-08-31 03:18:01 1,305 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_SKYNETqrrvqvdy.reg.dat
2009-08-31 03:08:57 . 2009-08-31 04:25:55 308 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-08-29 05:00:56 . 2009-08-29 05:00:56 91 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETexilrmlk.dat.vir
2009-08-22 23:42:35 . 2009-08-22 23:42:35 90 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\instance.dat.vir
2009-08-22 23:42:35 . 2009-08-23 00:02:30 494 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.dat.vir
2009-08-22 23:42:35 . 2009-08-22 23:42:35 9 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.lan.vir
2009-08-22 23:42:35 . 2009-08-22 23:42:35 4,589 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.par.vir
2009-08-22 23:42:35 . 2009-07-08 17:28:46 578,782 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\mia.lib.vir
2009-08-22 23:42:35 . 2009-07-08 17:28:50 14,540,833 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.res.vir
2009-08-22 23:42:35 . 2009-07-08 17:28:49 2,920,112 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe.vir
2009-08-22 23:42:35 . 2009-07-08 17:28:44 1,860,608 -c--a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.msi.vir
2009-08-11 03:29:24 . 2009-08-11 03:29:24 19,456 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETltewpyna.dll.vir
2009-08-11 03:29:13 . 2009-08-31 03:16:58 510,745 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETpkvsdrud.dat.vir
2009-08-11 03:29:13 . 2009-08-11 03:29:13 43,008 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETrgixuirq.dll.vir
2009-08-11 03:29:13 . 2009-08-31 03:18:18 68,608 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETlkdwkmov.sys.vir
2009-01-10 00:10:15 . 2009-01-10 00:10:15 10,736,640 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\6e92a.msi.vir
2008-03-25 00:01:49 . 2008-06-18 07:24:21 71,008 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\COUPON~1.OCX.vir
2008-02-02 03:27:46 . 2009-03-30 23:27:51 123 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system\SysSD.dll.vir
2007-05-29 22:41:48 . 2007-05-29 22:41:48 16,549,888 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\Installer\2fe91b.msp.vir
2006-10-25 08:08:18 . 2006-03-21 03:23:12 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir
2006-10-25 04:53:19 . 2006-10-25 04:53:19 898 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\HP Image Zone .lnk.vir
jmckay
Active Member
 
Posts: 14
Joined: August 24th, 2009, 7:22 pm

Re: Browser redirected/hijacked

Unread postby km2357 » September 1st, 2009, 1:28 am

I see the SKYNET files listed among those you posted, meaning that ComboFix took care of them. Let's continue. :)

When running ComboFix this time, make sure that no one touches the mouse or the computer itself until ComboFix has finished.


Step # 1: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    KILLALL::
    
    Folder::
    
    c:\documents and settings\James Munden\Application Data\LimeWire



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




    Image


    Note: This CFScript is for use on jmckay's computer only! Do not use it on your computer.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh HiJackThis Log taken after Step 1 has been completed.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Browser redirected/hijacked

Unread postby jmckay » September 1st, 2009, 7:36 pm

Hi km; I ran the combofix with CFScript and ran ok, until rebooted at log preparing to report and do not start any programs until finished appeared; Unfortunately, Adaware, and the Avira Virus program loaded on bootup, and I believe this stalled the program...I went to combofix file and found a little saved text file-which I have attached-If there is log data somewhere else, let me know, (I did notice there are numerous files present in the combofix file when the file was empty before). I did not want to start another CF/combofix without checking first. Here is what I have;

ComboFix 09-08-30.01 - James Munden 09/01/2009 15:02:27.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1546 [GMT -7:00]
Running from: C:\Documents and Settings\James Munden\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\James Munden\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:33 PM, on 9/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSN\Toolbar\3.0.1125.0\mstbsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\browsercheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc450.mail.yahoo.com/mc/welco ... p7b4is6r3n
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=0061019
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.hotwire.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://66.193.198.11/SysCamInst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {42C9E5EE-DA49-49B4-8ECC-1CAB1C51A2AB} (HomePrintingCtrl Class) - http://www.kodakgallery.com/downloads/h ... wiaaut.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss ... gctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1756862828
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://66.193.198.11:8084/bl_camera.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 9654 bytes
jmckay
Active Member
 
Posts: 14
Joined: August 24th, 2009, 7:22 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 330 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware