Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

BROWSER BEING HIJACKED

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

BROWSER BEING HIJACKED

Unread postby mikeg » January 9th, 2010, 3:22 pm

New tabs are automatically launched when I am browsing. The following sites are among those that appear:
hxxp://www.big-think.info/misc/auto-ins ... nline.html
hxxp://sluttyred.com
hxxp://www.supernovva.com
hxxp://www.supernovva.com/misc/hottest-stocks.html
hxxp://www.bestfonts4u.com/misc/making- ... e-you.html
hxxp://www.hardcoredumper.com
hxxp://www.big-think.info/misc/auto-ins ... nline.html
i have never visited any of these sites.
Spybot, Avast and Ad-Aware have not detected anything.


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 07:58:10 PM, on 09/01/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [antike] wingate32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [antike] wingate32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [antike] wingate32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [antike] wingate32.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {52A2AAAE-085D-4187-97EA-8C30DB990436} - http://localhost/iishelp/common/i386.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4409073363
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-be ... canner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DD7241B-EA9F-40EA-B902-5D2B7C323AFE}: NameServer = 196.207.36.251 196.207.36.254
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6892 bytes

Uninstall List
7-Zip 4.65
Acrobat.com
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
AML Free Registry Cleaner 4.19
AutoRun Wizard
avast! Antivirus
eDATA Unerase
EPSON Printer Software
ESET Online Scanner v3
Google Update Helper
HiJackThis
HTML Help Workshop
IcoFX 1.6.4
Intel(R) Extreme Graphics Driver
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Visual Basic 6.0 Professional Edition
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.53
MSDN Library - July 2005 DVD
MTN F@stLink HSDPA Modem
PrimoPDF
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
SiteMap Generator 0.941 (beta)
SoundMAX
Spybot - Search & Destroy
The Holy Bible KJV Ver.8
The Oxford Interactive Encyclopedia
TOSHIBA Console
TOSHIBA Utilities
VeryPDF PDF2Word v3.0
VideoLAN VLC media player 0.8.6c
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows XP Service Pack 2
WinHTTrack Website Copier 3.42-2
WinRAR archiver
Last edited by jmw3 on January 14th, 2010, 5:37 pm, edited 1 time in total.
Reason: Edit Links
mikeg
Active Member
 
Posts: 9
Joined: January 9th, 2010, 2:13 pm
Advertisement
Register to Remove

Re: BROWSER BEING HIJACKED

Unread postby MWR 3 day Mod » January 14th, 2010, 1:41 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: BROWSER BEING HIJACKED

Unread postby km2357 » January 14th, 2010, 3:28 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please post a fresh HiJackThis Log and a fresh Uninstall List
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: BROWSER BEING HIJACKED

Unread postby mikeg » January 16th, 2010, 3:36 pm

Since my first post I have uninstalled Spybot search and destroy. My browser is not being hijacked any more since then BUT it takes about 5 to 10mins to open a page and the whole system is going at a snails pace. Below are the logs requested. Over to you....

Logfile of random's system information tool 1.06 (written by random/random)
Run by Mike at 2010-01-16 20:59:51
Microsoft Windows XP Professional Service Pack 2
System drive C: has 9 GB (30%) free of 28 GB
Total RAM: 239 MB (14% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:01:54 PM, on 16/01/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Samsung\Samsung New PC Studio\NewPCStudio.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSToolboxAdd.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSStageSync.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAlarm.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSDM.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSCM.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSNotifyClient.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSPhonebook.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSInternetConnector.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSSIMEditor.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Documents and Settings\Mike\Desktop\RSIT.exe
C:\Program Files\trend micro\Mike.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [antike] wingate32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [antike] wingate32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKUS\S-1-5-18\..\Run: [antike] wingate32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [antike] wingate32.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {52A2AAAE-085D-4187-97EA-8C30DB990436} - http://localhost/iishelp/common/i386.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4409073363
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-be ... canner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DD7241B-EA9F-40EA-B902-5D2B7C323AFE}: NameServer = 196.207.36.251 196.207.36.254
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7088 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{FAA3E277-FA74-4F65-944C-329623AFD6C2}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
Locked

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"PmProxy"=C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe [2003-02-28 40960]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2003-04-06 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2003-04-06 114688]
"antike"=wingate32.exe []
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"NPSStartup"= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"AutoStartNPSAgent"=C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe [2008-12-13 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C42 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE [2002-02-19 74240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C42 Series (Copy 1)]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE [2002-02-19 74240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
[]

C:\Documents and Settings\Mike\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
OneNote Table Of Contents.onetoc2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-04-06 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\MTN F@stLink HSDPA Modem\MTN F@stLink HSDPA Modem.exe"="C:\Program Files\MTN F@stLink HSDPA Modem\MTN F@stLink HSDPA Modem.exe:*:Enabled:MTN F@stLink HSDPA Modem"
"C:\Program Files\Fortinet\FortiClient\FortiProxy.exe"="C:\Program Files\Fortinet\FortiClient\FortiProxy.exe:*:Disabled:FortiClient Proxy Service"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Disabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Disabled:Microsoft Office OneNote"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe:*:Disabled:KTF MUSIC AoD Server"
"C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe"="C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe:*:Disabled:KTF MUSIC VoD Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-01-15 11:33:52 ----A---- C:\WINDOWS\system32\cmd.exe
2010-01-14 09:09:35 ----D---- C:\Program Files\trend micro
2010-01-14 09:09:21 ----D---- C:\rsit
2010-01-12 18:25:00 ----A---- C:\WINDOWS\system32\FsUsbExService.Exe
2010-01-12 18:25:00 ----A---- C:\WINDOWS\system32\FsUsbExDevice.Dll
2010-01-12 18:21:41 ----D---- C:\Program Files\MarkAny
2010-01-11 19:03:06 ----D---- C:\Program Files\DIFX
2010-01-11 08:27:36 ----D---- C:\WINDOWS\system32\NtmsData
2010-01-11 06:51:58 ----A---- C:\WINDOWS\ModemLog_SAMSUNG Mobile USB Modem #4.txt
2010-01-10 15:26:27 ----D---- C:\ConvertTemp
2010-01-08 18:19:21 ----HDC---- C:\WINDOWS\ie8
2010-01-07 17:22:29 ----A---- C:\WINDOWS\system32\lsdelete.exe
2010-01-07 16:05:29 ----HDC---- C:\Documents and Settings\All Users.WINDOWS\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-07 14:50:29 ----D---- C:\Program Files\Google
2010-01-07 14:47:49 ----D---- C:\Program Files\Lavasoft
2010-01-07 14:47:49 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2010-01-04 09:30:43 ----D---- C:\Program Files\TrendMicro
2010-01-02 16:51:51 ----D---- C:\Program Files\Ashkon Software
2009-12-27 13:00:42 ----A---- C:\WINDOWS\IE4 Error Log.txt
2009-12-24 12:03:17 ----D---- C:\Samegame
2009-12-17 08:00:57 ----DC---- C:\WINDOWS\system32\DRVSTORE

======List of files/folders modified in the last 1 months======

2010-01-16 21:00:27 ----A---- C:\WINDOWS\ModemLog_SAMSUNG Mobile USB Modem.txt
2010-01-16 17:52:18 ----D---- C:\WINDOWS\Prefetch
2010-01-16 12:50:06 ----D---- C:\Documents and Settings
2010-01-15 20:52:47 ----D---- C:\WINDOWS\system32\inetsrv
2010-01-15 20:45:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-15 11:41:17 ----D---- C:\From amy
2010-01-15 11:34:09 ----D---- C:\WINDOWS\Temp
2010-01-15 11:34:01 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-15 11:33:52 ----D---- C:\WINDOWS\system32
2010-01-15 10:54:52 ----D---- C:\Program Files\SpoonInstall
2010-01-14 16:31:29 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-14 09:09:35 ----RD---- C:\Program Files
2010-01-14 07:58:05 ----D---- C:\Documents and Settings\Mike\Application Data\FileZilla
2010-01-12 18:27:50 ----D---- C:\WINDOWS\system32\CatRoot
2010-01-12 18:23:12 ----D---- C:\Documents and Settings\Mike\Application Data\SAMSUNG
2010-01-12 18:22:24 ----HD---- C:\Program Files\InstallShield Installation Information
2010-01-12 18:22:23 ----SHD---- C:\WINDOWS\Installer
2010-01-12 18:22:21 ----D---- C:\WINDOWS\WinSxS
2010-01-12 18:20:13 ----D---- C:\Program Files\Samsung
2010-01-12 18:12:30 ----A---- C:\WINDOWS\ModemLog_SAMSUNG Mobile USB Modem #2.txt
2010-01-12 14:46:24 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-01-12 14:45:42 ----RSHD---- C:\RECYCLER
2010-01-12 12:52:45 ----D---- C:\Documents and Settings\Mike\Application Data\dvdcss
2010-01-12 12:15:12 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-01-12 07:35:09 ----D---- C:\WINDOWS
2010-01-12 07:35:09 ----D---- C:\Program Files\Disability Management Toolkit
2010-01-12 07:27:01 ----A---- C:\WINDOWS\vbaddin.ini
2010-01-12 07:14:19 ----D---- C:\WINDOWS\Registration
2010-01-11 21:25:44 ----D---- C:\WINDOWS\Minidump
2010-01-11 19:08:22 ----D---- C:\WINDOWS\system32\drivers
2010-01-11 19:08:12 ----HD---- C:\WINDOWS\inf
2010-01-11 19:02:47 ----D---- C:\WINDOWS\system32\Samsung_USB_Drivers
2010-01-11 10:35:21 ----SD---- C:\WINDOWS\Tasks
2010-01-10 07:39:05 ----D---- C:\WINDOWS\security
2010-01-10 07:38:33 ----A---- C:\WINDOWS\ntbtlog.txt
2010-01-08 18:31:28 ----D---- C:\WINDOWS\Help
2010-01-08 18:31:28 ----D---- C:\Program Files\Internet Explorer
2010-01-08 18:24:48 ----D---- C:\WINDOWS\WBEM
2010-01-08 18:24:47 ----D---- C:\WINDOWS\system32\en-US
2010-01-08 18:23:21 ----D---- C:\WINDOWS\Media
2010-01-05 18:50:38 ----RASH---- C:\boot.ini
2010-01-05 18:50:37 ----A---- C:\WINDOWS\win.ini
2010-01-05 18:50:37 ----A---- C:\WINDOWS\system.ini
2010-01-05 10:40:57 ----D---- C:\WINDOWS\system32\Restore
2010-01-05 10:40:56 ----SHD---- C:\System Volume Information
2010-01-04 09:31:34 ----SD---- C:\Documents and Settings\Mike\Application Data\Microsoft
2009-12-17 11:55:33 ----D---- C:\Program Files\Common Files
2009-12-17 09:51:12 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-05 94032]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-23 113504]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-23 78752]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2003-01-10 98912]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 FsUsbExDisk;FsUsbExDisk; \??\C:\WINDOWS\system32\FsUsbExDisk.SYS []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2003-04-23 90907]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-01-28 541376]
R3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 83592]
R3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 15112]
R3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 109704]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-03 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-03 100992]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2004-08-03 274304]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-03 18944]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\System32\DRIVERS\ewusbmdm.sys [2007-03-01 88960]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-03 59648]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 EPSONStatusAgent2;EPSON Printer Status Agent2; C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe [2001-10-25 90112]
R2 FsUsbExService;FsUsbExService; C:\WINDOWS\system32\FsUsbExService.Exe [2008-12-13 233472]
R2 IISADMIN;IIS Admin; C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 15872]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2010-01-07 1181328]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2006-10-26 335872]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 15872]
R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2004-08-04 32768]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\System32\inetsrv\inetinfo.exe [2004-08-04 15872]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-07 135664]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2004-08-04 8704]

-----------------EOF-----------------
Uninstall list
7-Zip 4.65
Acrobat.com
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
AML Free Registry Cleaner 4.19
AutoRun Wizard
avast! Antivirus
Disability Management Toolkit
eDATA Unerase
EPSON Printer Software
ESET Online Scanner v3
Google Update Helper
HiJackThis
HijackThis 2.0.2
HTML Help Workshop
IcoFX 1.6.4
Intel(R) Extreme Graphics Driver
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Visual Basic 6.0 Professional Edition
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.53
MSDN Library - July 2005 DVD
MTN F@stLink HSDPA Modem
PrimoPDF
SAMSUNG Mobile Composite Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio
Samsung PC Studio 3
Samsung PC Studio 3 USB Driver Installer
SiteMap Generator 0.941 (beta)
SoundMAX
The Holy Bible KJV Ver.8
The Oxford Interactive Encyclopedia
TOSHIBA Console
TOSHIBA Utilities
VeryPDF PDF2Word v3.0
VideoLAN VLC media player 0.8.6c
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows XP Service Pack 2
WinHTTrack Website Copier 3.42-2
WinRAR archiver
mikeg
Active Member
 
Posts: 9
Joined: January 9th, 2010, 2:13 pm

Re: BROWSER BEING HIJACKED

Unread postby km2357 » January 17th, 2010, 1:33 am

Step # 1: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click No.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: BROWSER BEING HIJACKED

Unread postby mikeg » January 17th, 2010, 9:33 am

I ran gmer.exe as instructed but kept getting "blue screen" and system restarted. After this happened six times in a row I started up in safe mode and then ran it. The logfile produced is :

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-17 14:32:01
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Mike\LOCALS~1\Temp\agldypow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF990987E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF9909BFE]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000d3c380055
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000d3c380055 (not active ControlSet)

---- EOF - GMER 1.0.15 ----
mikeg
Active Member
 
Posts: 9
Joined: January 9th, 2010, 2:13 pm

Re: BROWSER BEING HIJACKED

Unread postby km2357 » January 18th, 2010, 1:59 am

Since GMER didn't give us much information (since you had to run it in Safe Mode), we'll try another Rootkit scanner in its place and see what it tells us:



Step # 1 Download and run SysProt

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items only:
      Process
      Kernel Modes
      SSDT
      Kernel Hooks
      Hidden Files
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: BROWSER BEING HIJACKED

Unread postby mikeg » January 18th, 2010, 4:07 am

Sysprot ran with no problems. The results are:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: SYSTEM
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 328
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 432
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 460
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 508
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 528
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 672
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 740
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 776
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 824
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 864
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PID: 932
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 948
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashServ.exe
PID: 1008
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1192
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1500
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
PID: 1560
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1740
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\cisvc.exe
PID: 1752
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PID: 1808
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\FsUsbExService.Exe
PID: 1832
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\inetsrv\inetinfo.exe
PID: 1924
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
PID: 1968
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\snmp.exe
PID: 2028
Hidden: No
Window Visible: No

Name: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PID: 184
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PID: 392
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\rundll32.exe
PID: 280
Hidden: No
Window Visible: No

Name: C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
PID: 124
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxtray.exe
PID: 640
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\hkcmd.exe
PID: 692
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 860
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
PID: 1120
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PID: 2068
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 2184
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PID: 2296
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2332
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 2348
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PID: 2516
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2648
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\taskmgr.exe
PID: 2920
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\cidaemon.exe
PID: 3532
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\cidaemon.exe
PID: 3552
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 3708
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NewPCStudio.exe
PID: 2000
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSToolboxAdd.exe
PID: 3272
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSStageSync.exe
PID: 2140
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSAlarm.exe
PID: 1436
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSDM.exe
PID: 3184
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSCM.exe
PID: 3292
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSNotifyClient.exe
PID: 3144
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSPhonebook.exe
PID: 3416
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSInternetConnector.exe
PID: 3436
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSSIMEditor.exe
PID: 3496
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\cidaemon.exe
PID: 7628
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Mike\Desktop\Malware Scan\SysProt\SysProt.exe
PID: 9900
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Mike\Desktop\Malware Scan\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: EFC73000
Module End: EFC7E000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806EB780
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806EC000
Module End: 806FFD80
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F9DB9000
Module End: F9DBB000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F9CC9000
Module End: F9CCC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F986A000
Module End: F9898000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F9DBB000
Module End: F9DBD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F9859000
Module End: F986A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F98B9000
Module End: F98C2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F9CCD000
Module End: F9CD0000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F9CD1000
Module End: F9CD5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PCIIde.sys
Service Name: PCIIde
Module Base: F9E81000
Module End: F9E82000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\PCIIDEX.SYS
Service Name: ---
Module Base: F9B39000
Module End: F9B40000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F9DBD000
Module End: F9DBF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: F983B000
Module End: F9859000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F98C9000
Module End: F98D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F981C000
Module End: F983B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F97F6000
Module End: F981C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F9B41000
Module End: F9B46000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F98D9000
Module End: F98E6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F97DE000
Module End: F97F6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F98E9000
Module End: F98F2000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F98F9000
Module End: F9906000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F97BF000
Module End: F97DE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F97AD000
Module End: F97BF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: F9909000
Module End: F9918000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F9796000
Module End: F97AD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F9709000
Module End: F9796000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F96DC000
Module End: F9709000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F96C1000
Module End: F96DC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F9A69000
Module End: F9A72000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Service Name: ialm
Module Base: F8EDE000
Module End: F8EF5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F8ECA000
Module End: F8EDE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F9BC1000
Module End: F9BC6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F8EA7000
Module End: F8ECA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F9BC9000
Module End: F9BD0000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F9A79000
Module End: F9A86000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F9BD1000
Module End: F9BD7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F9BD9000
Module End: F9BDF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F8E93000
Module End: F8EA7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F9A89000
Module End: F9A94000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F9A99000
Module End: F9AA6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F9AA9000
Module End: F9AB8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys
Service Name: ---
Module Base: F8E70000
Module End: F8E93000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\smwdm.sys
Service Name: smwdm
Module Base: F8DEB000
Module End: F8E70000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F8DC7000
Module End: F8DEB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F9AB9000
Module End: F9AC8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aeaudio.sys
Service Name: aeaudio
Module Base: F8DAF000
Module End: F8DC7000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: F9D8D000
Module End: F9D91000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F9F5B000
Module End: F9F5C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F9AC9000
Module End: F9AD6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F9D91000
Module End: F9D94000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F8D98000
Module End: F8DAF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F9AD9000
Module End: F9AE4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F9AE9000
Module End: F9AF5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F9BE1000
Module End: F9BE6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F8D87000
Module End: F8D98000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F9AF9000
Module End: F9B02000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F9BE9000
Module End: F9BEE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F9BF1000
Module End: F9BF6000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F8D56000
Module End: F8D87000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F9B19000
Module End: F9B23000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F9DED000
Module End: F9DEF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F8D22000
Module End: F8D56000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F9DAD000
Module End: F9DB1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F9939000
Module End: F9943000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ialmkchw.sys
Service Name: {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}
Module Base: F0C66000
Module End: F0C7A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ialmsbw.sys
Service Name: {6080A529-897E-4629-A488-ABA0C29B635E}
Module Base: F0C4A000
Module End: F0C66000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F9959000
Module End: F9968000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F9DF5000
Module End: F9DF7000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F9E03000
Module End: F9E05000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F9C19000
Module End: F9C1F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F9E05000
Module End: F9E07000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F9E07000
Module End: F9E09000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F9C21000
Module End: F9C26000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F9C29000
Module End: F9C31000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F9D51000
Module End: F9D54000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: F0B4A000
Module End: F0B5D000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: F0AF2000
Module End: F0B4A000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Service Name: aswTdi
Module Base: F9969000
Module End: F9974000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: F0ACA000
Module End: F0AF2000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: F0AA8000
Module End: F0ACA000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F9979000
Module End: F9982000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\StarOpen.SYS
Service Name: StarOpen
Module Base: F9C31000
Module End: F9C37000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: F0A7C000
Module End: F0AA8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: F0A0D000
Module End: F0A7C000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F9999000
Module End: F99A2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS
Service Name: aswSP
Module Base: F09EC000
Module End: F0A0D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Service Name: Aavmker4
Module Base: F9C41000
Module End: F9C46000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: F09CB000
Module End: F09EC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F99B9000
Module End: F99C2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: F9D61000
Module End: F9D64000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F99E9000
Module End: F99F2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F9C49000
Module End: F9C50000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F9D65000
Module End: F9D68000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F99F9000
Module End: F9A09000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F098B000
Module End: F09A3000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F9E0D000
Module End: F9E0F000
Hidden: Yes

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F9C61000
Module End: F9C66000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F9D85000
Module End: F9D88000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F9FE8000
Module End: F9FE9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: F0893000
Module End: F0897000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Service Name: aswMon2
Module Base: F06F5000
Module End: F070B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: F0380000
Module End: F03AD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: F036B000
Module End: F0380000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: F0545000
Module End: F0554000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EFFF3000
Module End: F0046000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\FsUsbExDisk.SYS
Service Name: FsUsbExDisk
Module Base: F068D000
Module End: F0696000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EFAB0000
Module End: EFAF1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Service Name: aswRdr
Module Base: EFDAF000
Module End: EFDB3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ss_wh.sys
Service Name: ---
Module Base: F9E6D000
Module End: F9E6F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ss_cm.sys
Service Name: ---
Module Base: F9DDD000
Module End: F9DDF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\asyncmac.sys
Service Name: AsyncMac
Module Base: EF691000
Module End: EF695000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
Service Name: ---
Module Base: F9E6B000
Module End: F9E6D000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: EF2F4000
Module End: EF31E000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F9DBF000
Module End: F9DC1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F9E73000
Module End: F9E75000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F9F05000
Module End: F9F06000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: F09F46B8
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwCreateKey
Address: F09F4574
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDeleteValueKey
Address: F09F4A52
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDuplicateObject
Address: F09F414C
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenKey
Address: F09F464E
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenProcess
Address: F09F408C
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenThread
Address: F09F40F0
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryValueKey
Address: F09F476E
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRestoreKey
Address: F09F472E
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwSetValueKey
Address: F09F48AE
Driver Base: F09EC000
Driver End: F0A0D000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\aspNetEmail100x3
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\copyright_rample
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\copyright_rampri
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_emailbott
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_emailtopl
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_emailtopr
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techbotto
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techbotto
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techtople
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techtople
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techtopri
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techtopri
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\OT2006STEBox100W
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\sponsor_surround
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\Let ASP's Server_MapPath Find Your Database_files\13670@468x60-1,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14,120x60-2,120x60-1,125x125-2,125x800,fl1,fl2,fl3,fl4,fl5,468x60-2!125x125-
Status: Hidden

Object: C:\System Volume Information\catalog.wci
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{A0C9BC18-8A18-431C-BEDA-05BD3DF70C86}
Status: Access denied
mikeg
Active Member
 
Posts: 9
Joined: January 9th, 2010, 2:13 pm

Re: BROWSER BEING HIJACKED

Unread postby km2357 » January 18th, 2010, 3:28 pm

Step # 1: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please include C:\ComboFix.txt in your next reply.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: BROWSER BEING HIJACKED

Unread postby mikeg » January 19th, 2010, 8:50 am

Hi, I ran Combofix 3 times. The first time it got as far as "completed_stage50" then "Blue screen" ......irrecoverable error. the second and third times it completed_stage50 and then showed "Deleting files" and then "Blue screen"........irrecoverable error
mikeg
Active Member
 
Posts: 9
Joined: January 9th, 2010, 2:13 pm

Re: BROWSER BEING HIJACKED

Unread postby km2357 » January 19th, 2010, 3:30 pm

Check to see if a ComboFix Log was created. It will be in either C:\ or C:\ComboFix folders. The filename is ComboFix.txt.

If you can't find the log/no log was created, try running ComboFix in Safe Mode.

You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

If ComboFix completely/successfully runs in Safe Mode, post that log in your next post/reply.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: BROWSER BEING HIJACKED

Unread postby mikeg » January 20th, 2010, 6:27 am

Combofix ran in safe mode: (It warned me about Avast running but it was not, according to Task Manager - side effect is that Avast now loads much quicker than before)

ComboFix 10-01-18.02 - Mike 20/01/2010 7:10.5.1 - x86 MINIMAL
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 091227-1] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\config\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-0450378370-5296823292-175873606-5722
c:\recycler\S-1-5-21-0732690897-5620536877-750138909-4209
c:\recycler\S-1-5-21-0905955756-6409806870-023354688-3855
c:\recycler\S-1-5-21-2770555233-4373032587-795030330-1566
c:\recycler\S-1-5-21-5002190217-9793456751-402810965-8487
c:\recycler\S-1-5-21-5411365083-0977731953-003545829-8604
c:\recycler\S-1-5-21-6758628437-8084250487-622670169-5580
c:\recycler\S-1-5-21-8752334165-7653580471-865884682-8637
c:\recycler\S-1-5-21-9797235285-2677675217-958478875-4747
c:\windows\system32\Cache
c:\windows\system32\winlogon.bak

.
((((((((((((((((((((((((( Files Created from 2009-12-20 to 2010-01-20 )))))))))))))))))))))))))))))))
.

2010-01-15 09:33 . 2004-08-03 22:56 388608 -c--a-w- c:\windows\system32\dllcache\cmd.exe
2010-01-15 09:33 . 2004-08-03 22:56 388608 ----a-w- c:\windows\system32\cmd.exe
2010-01-14 07:09 . 2010-01-16 19:32 -------- d-----w- c:\program files\trend micro
2010-01-14 07:09 . 2010-01-14 07:24 -------- d-----w- C:\rsit
2010-01-12 16:25 . 2008-12-13 15:15 36608 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2010-01-12 16:25 . 2008-12-13 15:15 233472 ----a-w- c:\windows\system32\FsUsbExService.Exe
2010-01-12 16:25 . 2008-12-13 15:15 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2010-01-12 16:21 . 2010-01-12 16:21 -------- d-----w- c:\program files\MarkAny
2010-01-12 16:16 . 2010-01-12 16:16 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\Downloaded Installations
2010-01-11 17:03 . 2010-01-11 17:03 -------- d-----w- c:\program files\DIFX
2010-01-11 16:49 . 2007-05-02 09:11 15112 ----a-w- c:\windows\system32\drivers\ss_mdfl.sys
2010-01-11 16:49 . 2007-05-02 09:11 12424 ----a-w- c:\windows\system32\drivers\ss_whnt.sys
2010-01-11 16:49 . 2007-05-02 09:11 12424 ----a-w- c:\windows\system32\drivers\ss_wh.sys
2010-01-11 16:49 . 2007-05-02 09:11 109704 ----a-w- c:\windows\system32\drivers\ss_mdm.sys
2010-01-11 16:49 . 2007-05-02 09:11 83592 ----a-w- c:\windows\system32\drivers\ss_bus.sys
2010-01-11 16:49 . 2007-05-02 09:11 12424 ----a-w- c:\windows\system32\drivers\ss_cmnt.sys
2010-01-11 16:49 . 2007-05-02 09:11 12424 ----a-w- c:\windows\system32\drivers\ss_cm.sys
2010-01-11 06:27 . 2010-01-11 06:57 -------- d-----w- c:\windows\system32\NtmsData
2010-01-10 13:26 . 2010-01-10 13:26 -------- d-----w- C:\ConvertTemp
2010-01-09 21:23 . 2010-01-09 21:23 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-08 16:19 . 2010-01-08 16:21 -------- dc-h--w- c:\windows\ie8
2010-01-07 15:22 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-07 14:22 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-07 14:21 . 2010-01-07 14:21 862040 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-07 14:21 . 2010-01-07 14:21 206944 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-07 14:21 . 2010-01-07 14:21 390288 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-07 14:20 . 2010-01-07 14:20 537576 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-01-07 14:20 . 2010-01-07 14:20 370744 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-07 14:20 . 2010-01-07 14:20 194104 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-07 14:15 . 2010-01-07 14:16 6296864 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-07 14:14 . 2010-01-07 14:15 933120 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-07 14:14 . 2010-01-07 14:14 816272 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-07 14:14 . 2010-01-07 14:14 822904 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-07 14:13 . 2010-01-07 14:14 1643272 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-07 14:13 . 2010-01-07 14:13 788880 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-07 14:13 . 2010-01-07 14:13 1181328 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-07 14:05 . 2010-01-07 14:05 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-07 14:05 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-07 12:54 . 2010-01-07 12:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-07 12:50 . 2010-01-07 12:50 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-01-07 12:50 . 2010-01-07 12:51 -------- d-----w- c:\program files\Google
2010-01-07 12:47 . 2010-01-07 14:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-01-07 12:47 . 2010-01-07 12:47 -------- d-----w- c:\program files\Lavasoft
2010-01-04 07:31 . 2010-01-04 07:31 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-04 07:30 . 2010-01-04 07:30 -------- d-----w- c:\program files\TrendMicro
2010-01-02 14:51 . 2010-01-02 14:51 -------- d-----w- c:\program files\Ashkon Software
2009-12-24 10:03 . 2009-12-24 10:03 -------- d-----w- C:\Samegame

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-16 09:41 . 2009-07-21 12:31 -------- d-----w- c:\documents and settings\Mike\Application Data\dvdcss
2010-01-15 08:54 . 2009-10-16 11:25 -------- d-----w- c:\program files\SpoonInstall
2010-01-14 05:58 . 2009-06-06 19:14 -------- d-----w- c:\documents and settings\Mike\Application Data\FileZilla
2010-01-12 16:23 . 2009-06-06 19:29 -------- d-----w- c:\documents and settings\Mike\Application Data\SAMSUNG
2010-01-12 16:22 . 2009-06-06 19:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-12 16:20 . 2009-06-06 19:25 -------- d-----w- c:\program files\Samsung
2010-01-12 12:46 . 2009-06-07 13:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-01-12 10:15 . 2009-06-07 13:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-12 05:35 . 2009-12-04 12:24 -------- d-----w- c:\program files\Disability Management Toolkit
2009-12-16 13:40 . 2009-12-16 13:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Applications
2009-12-06 17:13 . 2009-12-06 17:02 -------- d-----w- c:\program files\Little Registry Cleaner
2009-12-06 15:45 . 2009-10-17 05:51 -------- d-----w- c:\documents and settings\Mike\Application Data\Uniblue
2009-12-05 19:01 . 2009-12-05 18:58 -------- d-----w- c:\documents and settings\Mike\Application Data\IcoFX
2009-12-05 18:58 . 2009-12-05 18:58 -------- d-----w- c:\program files\IcoFX 1.6
2009-12-04 07:14 . 2009-12-04 07:14 286720 ------w- c:\windows\Setup1.exe
2009-12-04 07:14 . 2009-09-10 15:35 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-11-24 15:50 . 2009-11-24 15:50 -------- d-----w- c:\program files\Common Files\EPSON
2009-11-24 15:50 . 2009-11-24 15:49 -------- d-----w- c:\program files\EPSON
2009-11-14 14:55 . 2009-11-14 14:55 2678 ----a-w- c:\windows\java\Packages\Data\VZJX73P7.DAT
2009-11-14 14:55 . 2009-11-14 14:55 2678 ----a-w- c:\windows\java\Packages\Data\X33NNRBF.DAT
2009-11-14 14:55 . 2009-11-14 14:55 2678 ----a-w- c:\windows\java\Packages\Data\HFB5R7HZ.DAT
2009-11-14 14:55 . 2009-11-14 14:55 2678 ----a-w- c:\windows\java\Packages\Data\H39B5ZDB.DAT
2009-11-14 14:55 . 2009-11-14 14:55 2678 ----a-w- c:\windows\java\Packages\Data\97L7DZ73.DAT
.

------- Sigcheck -------

[-] 2009-07-07 . 6225F14B8CE08CCBA8B25AD27843C674 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[7] 2004-08-03 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2003-07-07 . 2246D8D8F4714A2CEDB21AB9B1849ABB . 516608 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2008-12-13 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"PmProxy"="c:\program files\Analog Devices\SoundMAX\PmProxy.exe" [2003-02-28 40960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-04-06 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-04-06 114688]

c:\documents and settings\Mike\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
OneNote Table Of Contents.onetoc2 [2009-10-21 3656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 15:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C42 Series]
2002-02-19 03:03 74240 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C42 Series (Copy 1)]
2002-02-19 03:03 74240 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\MTN F@stLink HSDPA Modem\\MTN F@stLink HSDPA Modem.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [07/01/2010 04:22 PM 64288]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [06/06/2009 11:52 AM 114768]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [12/01/2010 06:25 PM 36608]
.
Contents of the 'Scheduled Tasks' folder

2010-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 12:50]

2010-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-07 12:50]

2010-01-20 c:\windows\Tasks\User_Feed_Synchronization-{FAA3E277-FA74-4F65-944C-329623AFD6C2}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: facebook.com\login
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-antike - wingate32.exe
HKLM-Run-NPSStartup - (no file)
HKU-Default-Run-antike - wingate32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 07:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-20 07:35:15
ComboFix-quarantined-files.txt 2010-01-20 05:35

Pre-Run: 10,579,423,232 bytes free
Post-Run: 10,588,745,728 bytes free

- - End Of File - - BDFD5D3E98EABAABB0674248C3BB76B2
mikeg
Active Member
 
Posts: 9
Joined: January 9th, 2010, 2:13 pm

Re: BROWSER BEING HIJACKED

Unread postby km2357 » January 20th, 2010, 3:49 pm

Step # 1 Upload Files

Go to Jotti
Copy the following line into the white textbox:
c:\windows\system32\winlogon.exe
Click Submit.
Please post the results of this scan to this thread.

If Jotti is busy, Go to VirusTotal and scan the file(s) there.
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: BROWSER BEING HIJACKED

Unread postby mikeg » January 21st, 2010, 5:03 am

The sysprot log as requested.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: SYSTEM
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 328
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 432
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 460
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 508
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 528
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 676
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 744
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 780
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 824
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 908
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PID: 948
Hidden: No
Window Visible: No

Name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 960
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashServ.exe
PID: 1016
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1376
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1392
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1592
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PID: 1628
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\FsUsbExService.Exe
PID: 1680
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\inetsrv\inetinfo.exe
PID: 1800
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
PID: 1828
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\snmp.exe
PID: 1900
Hidden: No
Window Visible: No

Name: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PID: 1940
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
PID: 440
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PID: 632
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\rundll32.exe
PID: 692
Hidden: No
Window Visible: No

Name: C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
PID: 708
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\igfxtray.exe
PID: 812
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\hkcmd.exe
PID: 872
Hidden: No
Window Visible: No

Name: C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
PID: 1216
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 1268
Hidden: No
Window Visible: No

Name: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PID: 2092
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 2220
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wscntfy.exe
PID: 2364
Hidden: No
Window Visible: No

Name: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PID: 2388
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2396
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\taskmgr.exe
PID: 2744
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2892
Hidden: No
Window Visible: No

Name: C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
PID: 7572
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Mike\Desktop\Malware Scan\SysProt\SysProt.exe
PID: 7584
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Mike\Desktop\Malware Scan\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: EFF0D000
Module End: EFF18000
Hidden: No

Module Name: \WINDOWS\system32\ntoskrnl.exe
Service Name: ---
Module Base: 804D7000
Module End: 806EB780
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806EC000
Module End: 806FFD80
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F9DB9000
Module End: F9DBB000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F9CC9000
Module End: F9CCC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F986A000
Module End: F9898000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F9DBB000
Module End: F9DBD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F9859000
Module End: F986A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F98B9000
Module End: F98C2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: F9CCD000
Module End: F9CD0000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: F9CD1000
Module End: F9CD5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PCIIde.sys
Service Name: PCIIde
Module Base: F9E81000
Module End: F9E82000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\PCIIDEX.SYS
Service Name: ---
Module Base: F9B39000
Module End: F9B40000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\intelide.sys
Service Name: IntelIde
Module Base: F9DBD000
Module End: F9DBF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: F983B000
Module End: F9859000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F98C9000
Module End: F98D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F981C000
Module End: F983B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F97F6000
Module End: F981C000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F9B41000
Module End: F9B46000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F98D9000
Module End: F98E6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F97DE000
Module End: F97F6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F98E9000
Module End: F98F2000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F98F9000
Module End: F9906000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltmgr.sys
Service Name: FltMgr
Module Base: F97BF000
Module End: F97DE000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F97AD000
Module End: F97BF000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Lbd.sys
Service Name: Lbd
Module Base: F9909000
Module End: F9918000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F9796000
Module End: F97AD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F9709000
Module End: F9796000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F96DC000
Module End: F9709000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F96C1000
Module End: F96DC000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: F9B19000
Module End: F9B22000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Service Name: ialm
Module Base: F9662000
Module End: F9679000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F964E000
Module End: F9662000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: F9BE9000
Module End: F9BEE000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F962B000
Module End: F964E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F9BF1000
Module End: F9BF8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F9B29000
Module End: F9B36000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F9BF9000
Module End: F9BFF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F9C01000
Module End: F9C07000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F9617000
Module End: F962B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F9939000
Module End: F9944000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F9949000
Module End: F9956000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F9959000
Module End: F9968000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ks.sys
Service Name: ---
Module Base: F95F4000
Module End: F9617000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\smwdm.sys
Service Name: smwdm
Module Base: F956F000
Module End: F95F4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: F954B000
Module End: F956F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F9969000
Module End: F9978000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\aeaudio.sys
Service Name: aeaudio
Module Base: F9533000
Module End: F954B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: F9D81000
Module End: F9D85000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F9F30000
Module End: F9F31000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F9979000
Module End: F9986000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F9D85000
Module End: F9D88000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F951C000
Module End: F9533000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F9989000
Module End: F9994000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F9999000
Module End: F99A5000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F9C09000
Module End: F9C0E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F950B000
Module End: F951C000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F99A9000
Module End: F99B2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F9C11000
Module End: F9C16000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F9C19000
Module End: F9C1E000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F94DA000
Module End: F950B000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F99C9000
Module End: F99D3000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F9DDF000
Module End: F9DE1000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\update.sys
Service Name: Update
Module Base: F947E000
Module End: F94B2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F9DA1000
Module End: F9DA5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F99D9000
Module End: F99E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ialmkchw.sys
Service Name: {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}
Module Base: F13C2000
Module End: F13D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ialmsbw.sys
Service Name: {6080A529-897E-4629-A488-ABA0C29B635E}
Module Base: F13A6000
Module End: F13C2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F9A19000
Module End: F9A28000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F9DE3000
Module End: F9DE5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F9DFB000
Module End: F9DFD000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F9C49000
Module End: F9C4F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F9DFD000
Module End: F9DFF000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F9DFF000
Module End: F9E01000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F9C51000
Module End: F9C56000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F9C59000
Module End: F9C61000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F9D51000
Module End: F9D54000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: F12A6000
Module End: F12B9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: F124E000
Module End: F12A6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Service Name: aswTdi
Module Base: F9A69000
Module End: F9A74000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: F1226000
Module End: F124E000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: F1204000
Module End: F1226000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F9A79000
Module End: F9A82000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\StarOpen.SYS
Service Name: StarOpen
Module Base: F9C61000
Module End: F9C67000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: F11D8000
Module End: F1204000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: F1169000
Module End: F11D8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F9A99000
Module End: F9AA2000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS
Service Name: aswSP
Module Base: F1148000
Module End: F1169000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Service Name: Aavmker4
Module Base: F9C71000
Module End: F9C76000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: F1127000
Module End: F1148000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F9AB9000
Module End: F9AC2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Service Name: HidUsb
Module Base: F94CA000
Module End: F94CD000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F9AE9000
Module End: F9AF2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F9C79000
Module End: F9C80000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F9AF9000
Module End: F9B09000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F94C6000
Module End: F94C9000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F10E7000
Module End: F10FF000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F9E03000
Module End: F9E05000
Hidden: Yes

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F9C91000
Module End: F9C96000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: F946A000
Module End: F946D000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F9E98000
Module End: F9E99000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: F0FDB000
Module End: F0FDF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Service Name: aswMon2
Module Base: F0E51000
Module End: F0E67000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: F0BE4000
Module End: F0BF9000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: F0BB7000
Module End: F0BE4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: F0F47000
Module End: F0F56000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\srv.sys
Service Name: Srv
Module Base: F083F000
Module End: F0892000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: F020C000
Module End: F024D000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\FsUsbExDisk.SYS
Service Name: FsUsbExDisk
Module Base: F02DD000
Module End: F02E6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Service Name: aswRdr
Module Base: F0C1D000
Module End: F0C21000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ss_wh.sys
Service Name: ---
Module Base: F9DF5000
Module End: F9DF7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ss_cm.sys
Service Name: ---
Module Base: F9DD7000
Module End: F9DD9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\asyncmac.sys
Service Name: AsyncMac
Module Base: EFE35000
Module End: EFE39000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
Service Name: ---
Module Base: F9E31000
Module End: F9E33000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: EFC5E000
Module End: EFC88000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F9DBF000
Module End: F9DC1000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F9E0B000
Module End: F9E0D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F9F3A000
Module End: F9F3B000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: F11506B8
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwCreateKey
Address: F1150574
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDeleteValueKey
Address: F1150A52
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDuplicateObject
Address: F115014C
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenKey
Address: F115064E
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenProcess
Address: F115008C
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenThread
Address: F11500F0
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryValueKey
Address: F115076E
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRestoreKey
Address: F115072E
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwSetValueKey
Address: F11508AE
Driver Base: F1148000
Driver End: F1169000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\aspNetEmail100x3
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\copyright_rample
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\copyright_rampri
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_emailbott
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_emailtopl
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_emailtopr
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techbotto
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techbotto
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techtople
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techtople
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techtopri
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\corner_techtopri
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\OT2006STEBox100W
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\KBAlertz_com This step-by-step article describes how to use HTTPS to encrypt messages that must be secure and send these messages to Internet Information Services (IIS) servers_files\sponsor_surround
Status: Hidden

Object: C:\Documents and Settings\Mike\Desktop\Web Site Scripts\Let ASP's Server_MapPath Find Your Database_files\13670@468x60-1,cp1,cp2,cp3,cp4,cp5,cp6,cp7,cp8,cp9,cp10,cp11,cp12,cp13,cp14,120x60-2,120x60-1,125x125-2,125x800,fl1,fl2,fl3,fl4,fl5,468x60-2!125x125-
Status: Hidden

Object: C:\System Volume Information\catalog.wci
Status: Access denied

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{A0C9BC18-8A18-431C-BEDA-05BD3DF70C86}
Status: Access denied
mikeg
Active Member
 
Posts: 9
Joined: January 9th, 2010, 2:13 pm

Re: BROWSER BEING HIJACKED

Unread postby km2357 » January 21st, 2010, 3:33 pm

I didn't ask for a SysProt Log.

Did you misread the directions in my previous post?
User avatar
km2357
MRU Master
MRU Master
 
Posts: 3204
Joined: January 30th, 2007, 2:48 pm
Location: California
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 305 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware