Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

IE & Firefox go to wrong site from links after search

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

IE & Firefox go to wrong site from links after search

Unread postby opticswalt » September 2nd, 2009, 7:20 pm

When running a search engine (I have used Yahoo and Google) and following one of the links that is returned, often the browser goes to a page that I didn't request. Often this page appears to be another search engine, but I can't confirm since I shut the browser down before clicking on anything. Sometimes, I get to the desired page, but not often. I can still type URL's directly into the address bar and get to the right page, and all of my favorites/bookmarks seem to work fine. I ran into a "System Security" malware item a month or so ago (it dropped a shield icon in my system tray that I couldn't remove by right-clicking, and it popped up all kinds of offers to purchase anti-virus and anti-spyware software). I ran Malwarebytes and it seemed to go away (or maybe it didn't... ?)


Here is the Hijackthis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:05 PM, on 9/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cactus Spam Filter 2.13\cactusspamfilter.exe
C:\Program Files\Glary Utilities\memdefrag.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CD Anywhere Launcher] "C:\Program Files\CDAnywhere_Free\insdrive.exe"
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [com.codeode.cactusspamfilter] "C:\Program Files\Cactus Spam Filter 2.13\cactusspamfilter.exe" -minimized
O4 - HKCU\..\Run: [Glary Memory Optimizer] "C:\Program Files\Glary Utilities\memdefrag.exe" /autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4463 bytes



Lots of the entries look reasonable relative to things I have installed, but not all of them. Any help would be appreciated.


-- Opticswalt
opticswalt
Regular Member
 
Posts: 15
Joined: September 2nd, 2009, 7:08 pm
Advertisement
Register to Remove

Re: IE & Firefox go to wrong site from links after search

Unread postby Shaba » September 5th, 2009, 12:17 pm

Hi opticswalt

Download gmer.zip and save to your desktop.
alternate download site
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan..
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: IE & Firefox go to wrong site from links after search

Unread postby opticswalt » September 5th, 2009, 5:21 pm

Thanks for helping!

I downloaded and unzipped gmer.exe into its own folder. I disconnected from the internet by disabling my LAN connection through Control Panel, and then I ran gmer.exe. I got to the main screen, but before I could do anything, my screen went blank (black) and I had to cycle power before I could restart. I tried about 5 or 6 times with the same behavior.

I tried to start Windows in Safe Mode, but was unsuccessful. When I tried, I saw a bunch of lines that looked like (xxx is a driver name that is different on each line):

Multi(0)Disk(0)Rdisk(0)Partition(2)\WINDOWS\drivers\xxx.sys
Multi(0)Disk(0)Rdisk(0)Partition(2)\WINDOWS\drivers\xxx.sys
Multi(0)Disk(0)Rdisk(0)Partition(2)\WINDOWS\drivers\xxx.sys
Multi(0)Disk(0)Rdisk(0)Partition(2)\WINDOWS\drivers\xxx.sys

... perhaps 30-40 of them. At the end, I got a prompt

Press ESC to cancel loading SPTD.SYS


It doesn't matter whether or not I press ESC, the system restarts about 15 seconds after the prompt comes up.


When I got back into Windows (not SAFE mode), my desktop wallpaper was replaced by a white background and a bunch of text talking about Active Desktop Recovery. As far as I know, I haven't been using Active Desktop -- just a jpeg wallpaper.

Since I can't seem to run gmer or get into SAFE MODE, I'm not sure what to do next...


-- Opticswalt
opticswalt
Regular Member
 
Posts: 15
Joined: September 2nd, 2009, 7:08 pm

Re: IE & Firefox go to wrong site from links after search

Unread postby Shaba » September 6th, 2009, 5:03 am

Please choose Last Known Good Configuration from boot menu and let me know if it helped.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: IE & Firefox go to wrong site from links after search

Unread postby opticswalt » September 6th, 2009, 4:51 pm

I selected "Last Known Good Configuration" from the boot menu, and the machine took a long time to start up (maybe 5 minutes, which is about 4x as long as it normally takes). When it finished, I had a desktop with my original wallpaper, but no icons. I hit ctrl-r and ran explorer, and the icons came back. I ran gmer but the system shut-down again. Subsequent tries were better (startup speed as expected, didn't have to run explorer from ctrl-r), but gmer still won't run.

I should note that when the system shuts down, it isn't graceful -- gmer starts listing files at the bottom of the screen and then suddenly the screen goes black and the tower queits down (fans and drives stop spinning).


-- Opticswalt
opticswalt
Regular Member
 
Posts: 15
Joined: September 2nd, 2009, 7:08 pm

Re: IE & Firefox go to wrong site from links after search

Unread postby Shaba » September 7th, 2009, 12:17 am

So then we continue with this:

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: IE & Firefox go to wrong site from links after search

Unread postby opticswalt » September 7th, 2009, 12:33 am

One more update before I run ComboFix. It appears that I no longer have access to Windows Explorer. I start up the computer, but get no icons on the desktop (no trays or START menu either). I can get task manager up with ctrl-alt-delete, but when I try and get it to run explorer, it tells me I that I don't have permissions. I couldn't get IE to run either. The only thing I could think of was to run MSCONFIG and do a diagnostic startup. When I did so, I was able to get to gmer and run it (I still couldn't run explorer).

Here's what gmer came up with:

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-06 23:57:58
Windows 5.1.2600 Service Pack 3

.text ...

---- System - GMER 1.0.15 ----

Code 8A37D756 IofCompleteRequest
Code 8A50C930 ZwEnumerateKey
Code 8A556AB6 IofCallDriver
Code 8A6743B8 ZwFlushInstructionCache

---- Devices - GMER 1.0.15 ----

Device \Driver\Cdrom \Device\CdRom0 8A7450E8
Device \Driver\Cdrom \Device\CdRom1 8A7450E8
Device \Driver\Ftdisk \Device\FtControl 8A9880E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A9880E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A9880E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A9880E8
Device \Driver\NetBT \Device\NetbiosSmb 8A348798
Device \Driver\NetBT \Device\NetBT_Tcpip_{6A009F0B-39E0-4109-A500-C91FAAD19D8D} 8A348798
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A348798
Device \Driver\Tcpip \Device\Ip socketlock.sys
Device \Driver\Tcpip \Device\IPMULTICAST socketlock.sys
Device \Driver\Tcpip \Device\RawIp socketlock.sys
Device \Driver\Tcpip \Device\Tcp socketlock.sys
Device \Driver\Tcpip \Device\Udp socketlock.sys
Device \Driver\USBSTOR \Device\00000074 8A3470E8
Device \Driver\USBSTOR \Device\00000079 8A3470E8
Device \Driver\USBSTOR \Device\0000007a 8A3470E8
Device \Driver\USBSTOR \Device\00000083 8A3470E8
Device \FileSystem\Cdfs \Cdfs 8A2A10E8
Device \FileSystem\Fastfat \Fat 8A699CB8
Device \FileSystem\Fastfat \FatCdrom 8A699CB8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A342748
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A342748
Device \FileSystem\Msfs \Device\Mailslot 8A37CBA8
Device \FileSystem\Npfs \Device\NamedPipe 8A55DA30
Device \FileSystem\Ntfs \Ntfs 8A988A40
Device \FileSystem\Rdbss \Device\FsWrap 8A2FDD10
Device \FileSystem\Udfs \UdfsCdRom 8A69DA90
Device \FileSystem\Udfs \UdfsDisk 8A69DA90

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A864] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7529C82] sptd.sys
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F7507020] sptd.sys
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F7507020] sptd.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F7529C76] sptd.sys
IAT \WINDOWS\System32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F7519F78] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7507B6E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7507A32] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7507AF6] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F75086CC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F75085A2] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F7514E06] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F7529C76] sptd.sys

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETyqjowxvi.sys (*** hidden *** ) [SYSTEM] SKYNETypuhymyx <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD5357.SYS The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\lsass.exe[848] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\services.exe[836] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A
.text C:\WINDOWS\system32\taskmgr.exe[1676] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 008E000A
.text C:\WINDOWS\system32\winlogon.exe[784] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0068000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A864] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F7515482] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F75153B2] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F75152B6] sptd.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx@imagepath \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\main@aid 10096
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\modules@SKYNET.dat \systemroot\system32\SKYNETqvscdjol.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtuirrxiq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\modules@SKYNETlog.dat \systemroot\system32\SKYNETqltcryex.dat
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet001\Services\SKYNETypuhymyx\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwnohunkd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx@imagepath \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\modules@SKYNET.dat \systemroot\system32\SKYNETqvscdjol.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtuirrxiq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\modules@SKYNETlog.dat \systemroot\system32\SKYNETqltcryex.dat
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet002\Services\SKYNETypuhymyx\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwnohunkd.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx@imagepath \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\modules@SKYNET.dat \systemroot\system32\SKYNETqvscdjol.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtuirrxiq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\modules@SKYNETlog.dat \systemroot\system32\SKYNETqltcryex.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETypuhymyx\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwnohunkd.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx@imagepath \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\main@aid 10096
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\modules@SKYNET.dat \systemroot\system32\SKYNETqvscdjol.dat
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtuirrxiq.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\modules@SKYNETlog.dat \systemroot\system32\SKYNETqltcryex.dat
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETypuhymyx\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwnohunkd.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx@imagepath \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\main@aid 10096
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\main@sid 0
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\modules@SKYNET.dat \systemroot\system32\SKYNETqvscdjol.dat
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtuirrxiq.dll
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\modules@SKYNETlog.dat \systemroot\system32\SKYNETqltcryex.dat
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet006\Services\SKYNETypuhymyx\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwnohunkd.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx@imagepath \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\main@aid 10096
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\modules@SKYNET.dat \systemroot\system32\SKYNETqvscdjol.dat
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtuirrxiq.dll
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\modules@SKYNETlog.dat \systemroot\system32\SKYNETqltcryex.dat
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet007\Services\SKYNETypuhymyx\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwnohunkd.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx@imagepath \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\main@aid 10096
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\modules@SKYNET.dat \systemroot\system32\SKYNETqvscdjol.dat
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtuirrxiq.dll
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\modules@SKYNETlog.dat \systemroot\system32\SKYNETqltcryex.dat
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet008\Services\SKYNETypuhymyx\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwnohunkd.dll
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx@group file system
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx@imagepath \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx@start 1
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx@type 1
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\main@aid 10096
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\main@sid 0
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\modules@SKYNET.dat \systemroot\system32\SKYNETqvscdjol.dat
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtuirrxiq.dll
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\modules@SKYNETlog.dat \systemroot\system32\SKYNETqltcryex.dat
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\ControlSet010\Services\SKYNETypuhymyx\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwnohunkd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx@imagepath \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\modules@SKYNET.dat \systemroot\system32\SKYNETqvscdjol.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\modules@SKYNETcmd.dll \systemroot\system32\SKYNETtuirrxiq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\modules@SKYNETlog.dat \systemroot\system32\SKYNETqltcryex.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETyqjowxvi.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETypuhymyx\modules@SKYNETwsp.dll \systemroot\system32\SKYNETwnohunkd.dll

---- Kernel code sections - GMER 1.0.15 ----

.text ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A6000A
.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 8A556ABB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 8A37D75B
PAGE ntoskrnl.exe!ZwEnumerateKey 80578E14 5 Bytes JMP 8A50C934
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80587BFB 5 Bytes JMP 8A6743BC

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A032] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F7514F6E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A71E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7514DB2] sptd.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\SKYNETyqjowxvi.sys 68096 bytes <-- ROOTKIT !!!
File C:\WINDOWS\system32\SKYNETqltcryex.dat 289026 bytes
File C:\WINDOWS\system32\SKYNETqvscdjol.dat 43 bytes
File C:\WINDOWS\system32\SKYNETtuirrxiq.dll 43520 bytes
File C:\WINDOWS\system32\SKYNETwnohunkd.dll 19456 bytes

---- EOF - GMER 1.0.15 ----



I'll download Combofix, but I won't run it unless you tell me to (after looking at the gmer log).
Sorry for doing things out of order, but I had lost access to IE and the internet.


-- Opticswalt
opticswalt
Regular Member
 
Posts: 15
Joined: September 2nd, 2009, 7:08 pm

Re: IE & Firefox go to wrong site from links after search

Unread postby Shaba » September 7th, 2009, 1:36 am

Yes please download and run combofix, you have rootkit which needs to be removed.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: IE & Firefox go to wrong site from links after search

Unread postby opticswalt » September 7th, 2009, 8:10 pm

Still having difficulties since I can't run windows explorer. I ended up using msconfig to remove my virus software from the startup. Unfortunately, there were lots of things checked in the startup tab that I know I disabled months (if not years) ago, so something has been altering the startup files.

I was able to run combofix and hijack this. Here are the logs:

COMBOFIX:

ComboFix 09-09-06.06 - Owner 09/07/2009 13:08.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1008 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\93862496.ini
c:\recycler\NPROTECT
c:\windows\_id_rgvs.reg
c:\windows\Installer\2b115a.msi
c:\windows\Installer\2f14b.msp
c:\windows\Installer\32bf76e.msp
c:\windows\system32\drivers\SKYNETyqjowxvi.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\ps2.bat
c:\windows\system32\SKYNETqltcryex.dat
c:\windows\system32\SKYNETqvscdjol.dat
c:\windows\system32\SKYNETtuirrxiq.dll
c:\windows\system32\SKYNETwnohunkd.dll
c:\windows\wpd99.drv

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETypuhymyx
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_SKYNETypuhymyx


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-02 02:25 . 2009-09-02 02:25 -------- d-----w- c:\program files\Trend Micro
2009-08-25 02:47 . 2009-08-25 02:47 -------- d-----w- c:\documents and settings\Owner\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2009-08-24 03:22 . 2009-08-24 03:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Red Kawa
2009-08-24 00:18 . 2009-08-24 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA
2009-08-24 00:17 . 2009-08-24 00:17 -------- d-----w- c:\program files\Virtools
2009-08-23 03:43 . 2009-08-23 04:17 -------- d-----w- c:\program files\Electronic Arts
2009-08-22 05:04 . 2009-08-22 05:04 -------- d-----w- C:\temp
2009-08-22 02:48 . 2009-08-22 02:49 -------- d-----w- C:\mbam
2009-08-22 02:41 . 2009-08-22 02:41 687104 ----a-w- c:\windows\is-6VCM9.exe
2009-08-22 02:40 . 2009-08-12 00:05 3942048 ----a-w- C:\mbam.exe
2009-08-22 00:33 . 2009-08-22 00:33 0 ----a-w- c:\windows\system32\cmpwrap.dat
2009-08-12 03:56 . 2008-04-13 16:39 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2009-08-12 03:56 . 2008-04-13 16:39 142592 ----a-w- c:\windows\system32\drivers\aec.sys
2009-08-11 23:03 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 04:45 . 2002-11-14 06:42 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-05 14:28 . 2008-04-19 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2009-09-05 14:27 . 2008-04-19 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\CameraWindowDC
2009-08-24 04:11 . 2002-10-29 21:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-22 03:53 . 2005-09-30 21:43 -------- d-----w- c:\program files\The Learning Company
2009-08-22 03:49 . 2007-12-29 01:21 -------- d-----w- c:\program files\Common Files\Apple
2009-08-22 03:32 . 2009-02-06 02:25 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-08-22 03:32 . 2009-02-06 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-22 03:23 . 2008-03-11 03:07 -------- d-----w- c:\program files\Canon
2009-08-22 02:44 . 2009-01-19 00:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 02:39 . 2004-08-01 01:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-12 02:34 . 2009-04-13 02:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Any Video Converter
2009-08-09 18:17 . 2008-01-05 17:47 -------- d-----w- c:\program files\Red Kawa
2009-08-08 14:00 . 2004-08-01 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 04:37 . 2008-09-12 03:18 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-08-05 09:01 . 2002-11-14 06:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 04:35 . 2009-08-05 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-03 17:36 . 2009-01-19 00:48 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-01-19 00:48 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 03:13 . 2009-07-31 03:13 -------- d-----w- c:\program files\iTunes
2009-07-31 03:13 . 2009-07-31 03:13 -------- d-----w- c:\program files\iPod
2009-07-31 03:10 . 2009-07-31 03:10 -------- d-----w- c:\program files\QuickTime
2009-07-31 03:03 . 2003-04-26 18:15 55544 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-19 17:47 . 2009-07-19 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Pinnacle
2009-07-19 17:46 . 2009-07-19 17:46 -------- d-----w- c:\program files\Pinnacle
2009-07-19 17:46 . 2009-07-19 17:46 -------- d-----w- c:\program files\Common Files\Pinnacle
2009-07-17 19:01 . 2002-11-14 06:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-11-14 06:41 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2002-11-14 06:42 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-11-14 06:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2002-10-29 19:19 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2002-11-14 06:41 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2002-11-14 06:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2008-10-05 02:02 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-02-13 03:12 . 2008-02-13 03:12 2 --shatr- c:\windows\winstart.bat
2003-04-19 02:27 . 2003-04-19 02:27 0 -csha-w- c:\windows\SMINST\HPCD.sys
2009-01-17 20:10 . 2009-01-17 20:10 120 --sh--w- c:\windows\system32\htnnlufs.tmp
.

------- Sigcheck -------

[-] !HASH: COULD NOT OPEN FILE !!!!! [------] c:\windows\explorer.exe
[-] 7712DF0CDDE3A5AC89843E61CD5B3658 [6.00.2900.3156 (xpsp_sp2_qfe.070613-1311)] c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 12896823FB95BFB3DC9B46BCAEDC9923 [6.00.2900.5512 (xpsp.080413-2105)] c:\windows\ServicePackFiles\i386\explorer.exe


c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk.disabled]
backup=c:\windows\pss\Adobe Gamma Loader.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk.disabled]
backup=c:\windows\pss\Kodak software updater.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlockTracker
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Desktop Messenger
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wdskctl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ScsiAccess"=2 (0x2)
"msCMTSrvc"=3 (0x3)
"CVPND"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SNMPTRAP"=3 (0x3)
"SNMP"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PlugPlay"=2 (0x2)
"NwSapAgent"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McShield"=3 (0x3)
"LPDSVC"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"Logitech Hardware Abstraction Layer"=KHALMNPR.EXE
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"msupdate"=msupdate.exe
"USB2Check"=RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\naifsrec.sys [4/30/2001 4:51 AM 4512]
R2 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\avsynmgr.exe [11/26/2001 4:51 PM 155665]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [11/14/2002 2:07 AM 14336]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [1/9/2005 11:19 PM 3712]
R2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\ssipddp.sys [4/3/2004 2:52 PM 54272]
S2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys --> c:\windows\system32\Drivers\LBeepKE.sys [?]
S2 mrtRate;mrtRate; [x]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/31/2009 2:23 PM 18560]
S3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\naifiltr.sys [11/26/2001 4:51 PM 23856]
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.msn.com
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: itt.com\etime4
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8vdkep7k.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.roadrunner.com/index.cfm
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 13:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1400307210-653112703-2053677248-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1400307210-653112703-2053677248-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,69,c4,66,eb,ba,ee,3e,04,4e,b5,ad,97,b3,54,63,81,11,04,78,a8,88,90,
eb,32,31,c0,b4,ea,36,11,7d,11,04,88,8e,9d,75,7f,f2,a9,24,96,f3,7e,45,e6,21,\
"??"=hex:3e,50,b9,cf,0e,7f,91,5f,56,fa,64,5a,48,be,8b,c8

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,aa,91,5e,c5,eb,
b3,48,88,c8,28,51,af,b0,29,a3,98,52,a3,e8,fc,1b,6b,2d,32,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,dc,2a,d2,76,64,
48,0d,ec,71,3b,04,66,8b,46,0d,96,8d,b2,cd,b8,a0,fb,8e,14,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,c6,4b,4e,85,43,
7a,5f,bf,25,da,ec,7e,55,20,c9,26,dc,1b,7b,88,75,fa,f0,ad,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,f2,7a,56,03,8c,
62,7d,94,3e,1e,9e,e0,57,5a,93,61,91,05,85,0b,83,a4,58,a9,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,87,25,11,cb,b4,
fe,fc,a7,cd,44,cd,b9,a6,33,6c,cd,04,b6,f2,6d,7e,c1,6b,3f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,3a,e6,d8,dd,5d,
90,be,29,b0,18,ed,a7,3f,8d,37,a4,8f,92,a9,c5,7e,5f,4c,4b,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,e1,be,82,77,71,
82,7e,ba,31,77,e1,ba,b1,f8,68,02,01,d9,44,e4,ea,53,95,24,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,f7,02,45,25,f1,
ba,98,67,83,6c,56,8b,a0,85,96,ab,bf,af,68,2f,f8,22,ca,8f,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,61,78,31,f8,25,
cd,44,c2,51,fa,6e,91,28,9e,14,cc,9a,6d,ab,73,f9,25,be,33,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,0d,b6,ab,07,36,
47,ef,0a,b1,cd,45,5a,a8,c4,f8,b9,95,5c,90,4b,a6,d2,36,7d,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,6d,94,17,e5,31,
55,4e,f6,e3,0e,66,d5,eb,bc,2f,6b,6f,5a,d7,db,b4,45,23,5a,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,26,12,9b,0c,93,
58,07,a5,fa,ea,66,7f,d4,3b,6b,70,45,51,75,56,5d,da,98,f9,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-07 13:16
ComboFix-quarantined-files.txt 2009-09-07 17:15
ComboFix2.txt 2009-01-20 04:03

Pre-Run: 39,952,023,552 bytes free
Post-Run: 39,906,873,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=10 Default=10 Failed=9 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,10,11
415 --- E O F --- 2009-09-02 02:00



HIJACK THIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:00 PM, on 9/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 3406 bytes



-- Opticswalt
opticswalt
Regular Member
 
Posts: 15
Joined: September 2nd, 2009, 7:08 pm

Re: IE & Firefox go to wrong site from links after search

Unread postby Shaba » September 8th, 2009, 12:04 am

Yes there appears to be problem with explorer.exe.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    FCopy::
    c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
    c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: IE & Firefox go to wrong site from links after search

Unread postby opticswalt » September 8th, 2009, 8:40 pm

I don't have any icons visible on my desktop. (Nor do I have a START meu or systray). I basically have a command line available from Task Manager under File\New Task (Run...). Is there a command line eqivalent to the operation of dragging the CFscript.txt icon onto the ComboFix icon? I have the script saved in my c: root directory -- can I execute something like combofix.exe < CFscript.txt?


-- Opticswalt
opticswalt
Regular Member
 
Posts: 15
Joined: September 2nd, 2009, 7:08 pm

Re: IE & Firefox go to wrong site from links after search

Unread postby opticswalt » September 8th, 2009, 9:58 pm

Please disregard my last post. I was able to run explorer.exe from the folder at c:\windows\ServicePackFiles\i386\ and I got my desktop and start menu back (at least for now). I created the script file and dragged it onto ComboFix.exe and got the following log.



ComboFix 09-09-08.05 - Owner 09/08/2009 21:39.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1107 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-02 02:25 . 2009-09-02 02:25 -------- d-----w- c:\program files\Trend Micro
2009-08-25 02:47 . 2009-08-25 02:47 -------- d-----w- c:\documents and settings\Owner\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
2009-08-24 03:22 . 2009-08-24 03:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Red Kawa
2009-08-24 00:18 . 2009-08-24 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\3DVIA
2009-08-24 00:17 . 2009-08-24 00:17 -------- d-----w- c:\program files\Virtools
2009-08-23 03:43 . 2009-08-23 04:17 -------- d-----w- c:\program files\Electronic Arts
2009-08-22 05:04 . 2009-08-22 05:04 -------- d-----w- C:\temp
2009-08-22 02:48 . 2009-08-22 02:49 -------- d-----w- C:\mbam
2009-08-22 02:41 . 2009-08-22 02:41 687104 ----a-w- c:\windows\is-6VCM9.exe
2009-08-22 02:40 . 2009-08-12 00:05 3942048 ----a-w- C:\mbam.exe
2009-08-22 00:33 . 2009-08-22 00:33 0 ----a-w- c:\windows\system32\cmpwrap.dat
2009-08-12 03:56 . 2008-04-13 16:39 142592 -c--a-w- c:\windows\system32\dllcache\aec.sys
2009-08-12 03:56 . 2008-04-13 16:39 142592 ------w- c:\windows\system32\drivers\aec.sys
2009-08-11 23:03 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 04:45 . 2002-11-14 06:42 56320 ------w- c:\windows\system32\eventlog.dll
2009-09-05 14:28 . 2008-04-19 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\ZoomBrowser EX
2009-09-05 14:27 . 2008-04-19 18:33 -------- d-----w- c:\documents and settings\Owner\Application Data\CameraWindowDC
2009-08-24 04:11 . 2002-10-29 21:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-22 03:53 . 2005-09-30 21:43 -------- d-----w- c:\program files\The Learning Company
2009-08-22 03:49 . 2007-12-29 01:21 -------- d-----w- c:\program files\Common Files\Apple
2009-08-22 03:32 . 2009-02-06 02:25 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2009-08-22 03:32 . 2009-02-06 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-22 03:23 . 2008-03-11 03:07 -------- d-----w- c:\program files\Canon
2009-08-22 02:44 . 2009-01-19 00:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 02:39 . 2004-08-01 01:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-12 02:34 . 2009-04-13 02:00 -------- d-----w- c:\documents and settings\Owner\Application Data\Any Video Converter
2009-08-09 18:17 . 2008-01-05 17:47 -------- d-----w- c:\program files\Red Kawa
2009-08-08 14:00 . 2004-08-01 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 04:37 . 2008-09-12 03:18 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-08-05 09:01 . 2002-11-14 06:07 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 04:35 . 2009-08-05 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-08-03 17:36 . 2009-01-19 00:48 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-01-19 00:48 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 03:13 . 2009-07-31 03:13 -------- d-----w- c:\program files\iTunes
2009-07-31 03:13 . 2009-07-31 03:13 -------- d-----w- c:\program files\iPod
2009-07-31 03:10 . 2009-07-31 03:10 -------- d-----w- c:\program files\QuickTime
2009-07-31 03:03 . 2003-04-26 18:15 55544 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-19 17:47 . 2009-07-19 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Pinnacle
2009-07-19 17:46 . 2009-07-19 17:46 -------- d-----w- c:\program files\Pinnacle
2009-07-19 17:46 . 2009-07-19 17:46 -------- d-----w- c:\program files\Common Files\Pinnacle
2009-07-17 19:01 . 2002-11-14 06:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-02-06 22:05 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-11-14 06:41 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2002-11-14 06:42 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-11-14 06:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2002-10-29 19:19 76288 ----a-w- c:\windows\system32\telnet.exe
2008-02-13 03:12 . 2008-02-13 03:12 2 --shatr- c:\windows\winstart.bat
2003-04-19 02:27 . 2003-04-19 02:27 0 -csha-w- c:\windows\SMINST\HPCD.sys
2009-01-17 20:10 . 2009-01-17 20:10 120 --sh--w- c:\windows\system32\htnnlufs.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-09-07_17.12.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 23:45 . 2009-09-08 23:45 16384 c:\windows\Temp\Perflib_Perfdata_490.dat
+ 2002-11-14 06:42 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\explorer.exe
+ 2007-06-13 11:26 . 2008-04-14 00:12 1033728 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk.disabled]
backup=c:\windows\pss\Adobe Gamma Loader.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk.disabled]
backup=c:\windows\pss\Kodak software updater.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ScsiAccess"=2 (0x2)
"msCMTSrvc"=3 (0x3)
"CVPND"=2 (0x2)
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"SNMPTRAP"=3 (0x3)
"SNMP"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PlugPlay"=2 (0x2)
"NwSapAgent"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"McShield"=3 (0x3)
"LPDSVC"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"Logitech Hardware Abstraction Layer"=KHALMNPR.EXE
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"msupdate"=msupdate.exe
"USB2Check"=RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth (tm) II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\naifsrec.sys [4/30/2001 4:51 AM 4512]
R2 AvSynMgr;AVSync Manager;c:\program files\Network Associates\VirusScan\avsynmgr.exe [11/26/2001 4:51 PM 155665]
R2 NwSapAgent;SAP Agent;c:\windows\System32\svchost.exe -k netsvcs [11/14/2002 2:07 AM 14336]
R2 SocketLock;Raw Socket Lock Driver;c:\windows\system32\socketlock.sys [1/9/2005 11:19 PM 3712]
R2 SSIPDDP;SSIPDDP;c:\windows\system32\drivers\ssipddp.sys [4/3/2004 2:52 PM 54272]
S2 LBeepKE;LBeepKE;c:\windows\system32\Drivers\LBeepKE.sys --> c:\windows\system32\Drivers\LBeepKE.sys [?]
S2 mrtRate;mrtRate; [x]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [1/31/2009 2:23 PM 18560]
S3 NaiFiltr;NaiFiltr;c:\program files\Common Files\Network Associates\McShield\naifiltr.sys [11/26/2001 4:51 PM 23856]
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.msn.com
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: itt.com\etime4
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\8vdkep7k.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.roadrunner.com/index.cfm
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 21:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1400307210-653112703-2053677248-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1400307210-653112703-2053677248-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e4,69,c4,66,eb,ba,ee,3e,04,4e,b5,ad,97,b3,54,63,81,11,04,78,a8,88,90,
eb,32,31,c0,b4,ea,36,11,7d,11,04,88,8e,9d,75,7f,f2,a9,24,96,f3,7e,45,e6,21,\
"??"=hex:3e,50,b9,cf,0e,7f,91,5f,56,fa,64,5a,48,be,8b,c8

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,aa,91,5e,c5,eb,
b3,48,88,c8,28,51,af,b0,29,a3,98,52,a3,e8,fc,1b,6b,2d,32,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,dc,2a,d2,76,64,
48,0d,ec,71,3b,04,66,8b,46,0d,96,8d,b2,cd,b8,a0,fb,8e,14,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,c6,4b,4e,85,43,
7a,5f,bf,25,da,ec,7e,55,20,c9,26,dc,1b,7b,88,75,fa,f0,ad,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,f2,7a,56,03,8c,
62,7d,94,3e,1e,9e,e0,57,5a,93,61,91,05,85,0b,83,a4,58,a9,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,87,25,11,cb,b4,
fe,fc,a7,cd,44,cd,b9,a6,33,6c,cd,04,b6,f2,6d,7e,c1,6b,3f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,3a,e6,d8,dd,5d,
90,be,29,b0,18,ed,a7,3f,8d,37,a4,8f,92,a9,c5,7e,5f,4c,4b,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,e1,be,82,77,71,
82,7e,ba,31,77,e1,ba,b1,f8,68,02,01,d9,44,e4,ea,53,95,24,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,f7,02,45,25,f1,
ba,98,67,83,6c,56,8b,a0,85,96,ab,bf,af,68,2f,f8,22,ca,8f,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,61,78,31,f8,25,
cd,44,c2,51,fa,6e,91,28,9e,14,cc,9a,6d,ab,73,f9,25,be,33,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,0d,b6,ab,07,36,
47,ef,0a,b1,cd,45,5a,a8,c4,f8,b9,95,5c,90,4b,a6,d2,36,7d,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,6d,94,17,e5,31,
55,4e,f6,e3,0e,66,d5,eb,bc,2f,6b,6f,5a,d7,db,b4,45,23,5a,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,26,12,9b,0c,93,
58,07,a5,fa,ea,66,7f,d4,3b,6b,70,45,51,75,56,5d,da,98,f9,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-09 21:51
ComboFix-quarantined-files.txt 2009-09-09 01:50
ComboFix2.txt 2009-09-07 17:16
ComboFix3.txt 2009-01-20 04:03

Pre-Run: 39,900,008,448 bytes free
Post-Run: 39,852,171,264 bytes free

Current=10 Default=10 Failed=9 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,10,11
353 --- E O F --- 2009-09-02 02:00


-- Opticswalt
opticswalt
Regular Member
 
Posts: 15
Joined: September 2nd, 2009, 7:08 pm

Re: IE & Firefox go to wrong site from links after search

Unread postby Shaba » September 9th, 2009, 12:12 am

Good :)

Does explorer.exe start now?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: IE & Firefox go to wrong site from links after search

Unread postby opticswalt » September 9th, 2009, 7:30 am

I now have my old desktop back and explorer seems functional. I get a couple of warnings when I start up:

1. "Error loading NvQTwk; the specified file could not be found"
2. I get a dialog box from the System Configuration Utility (MSCONFIG) saying that some changes have been made. I'm sure this is a leftover from my tinkering to the startup menu
3. I get a warning from "Windows Security Alerts" in the system tray (a red shield icon with a white 'x' in it). It says "Your computer might be at risk. McAfee virus scan is turned off. Click this balloon to fix this problem." I cliked the McAfee shield icon in the tray and turned everything on, but I still have the red shield in the tray.


What's next?


-- Opticswalt
opticswalt
Regular Member
 
Posts: 15
Joined: September 2nd, 2009, 7:08 pm

Re: IE & Firefox go to wrong site from links after search

Unread postby Shaba » September 9th, 2009, 10:49 am

1. Is like due to this entry:

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

We will fix it later.

2. Yes as you have used msconfig to disable startup items. That is not preferable way.

3. Then you might need to reinstall McAfee.

Anyway, we will continue with this:

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 496 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware