
Active Redirecting malware

Discussion in 'Malware and Virus Removal Archive' started by AronB1980, 2010/02/04.

  1. 2010/02/06
    AronB1980 Inactive Thread Starter
    Windows Internet Explorer. I'm gonna download that programme and follow instructions now, brb.
     
  2. 2010/02/07
    AronB1980 Inactive Thread Starter
    Sorry for the delay.

    msnmsgupdater.exe;C:\WINDOWS;BackDoor.IRC.Sdbot.4671;Deleted.;



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 04:41:03, on 08/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?fr=fp-yie8
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: CurseClientStartup.ccip
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263926685859
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263926662515
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3DECBDDC-EFDC-4749-93DF-74EE8BB50383}: NameServer = 93.188.162.100,93.188.166.43
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 8234 bytes
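    As an added worked example (not part of this thread, and not a HijackThis feature), here is a small Python triage script for the two entry types in the log above that matter most when the complaint is browser redirection: the O17 NameServer entry, whose resolvers should be the ones the ISP or router hands out, and O2 BHOs that are registered in the registry but have no file on disk. The log excerpt embedded in the script is copied from the post above; EXPECTED_DNS is a constructed placeholder allowlist, and the function names are chosen here.

```python
import ipaddress
import re

# Constructed excerpt of the HijackThis log posted above (entry lines only).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DECBDDC-EFDC-4749-93DF-74EE8BB50383}: NameServer = 93.188.162.100,93.188.166.43
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Placeholder allowlist (assumption): the resolvers this machine's ISP or router
# is known to hand out. Fill it in from the router config or a known-clean machine.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)")
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


def parse_entries(log_text):
    """Yield (kind, body) for every 'Oxx - ...' / 'Rx - ...' entry line.
    Header lines and the running-process list do not match and are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def is_expected_resolver(ip_text, expected):
    """A resolver is expected if it is on the allowlist or a private (LAN/router) address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not even a valid address: treat as unexpected
    return ip.is_private or ip_text in expected


def triage_hjt(log_text, expected_dns=EXPECTED_DNS):
    """Return (entry type, reason, details) findings for DNS and orphaned-BHO entries."""
    findings = []
    for kind, body in parse_entries(log_text):
        if kind == "O17":
            m = NAMESERVER_RE.search(body)
            if not m:
                continue
            servers = [s for s in m.group("servers").split(",") if s]
            unexpected = [s for s in servers if not is_expected_resolver(s, expected_dns)]
            if unexpected:
                findings.append(("O17", "NameServer not in expected set", unexpected))
        elif kind == "O2":
            m = BHO_RE.search(body)
            if m and m.group("path").strip() == "(no file)":
                findings.append(("O2", "BHO registered but file missing", [m.group("clsid")]))
    return findings


if __name__ == "__main__":
    for kind, reason, details in triage_hjt(SAMPLE_LOG):
        print(f"{kind}: {reason}: {', '.join(details)}")
```

    An O17 finding is a lead, not a verdict: compare the addresses against what the router or ISP actually assigns before changing anything, and note that private addresses are treated as expected because home routers usually act as the resolver. A "(no file)" BHO is harmless by itself, but it is a leftover worth cleaning because the CLSID still tells you what used to be installed.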
     

  4. 2010/02/07
    broni Moderator Malware Analyst
    Please download The Avenger by Swandog46 to your Desktop.
    - Right click on the Avenger.zip folder and select Extract All...
    - Follow the prompts and extract the avenger folder to your desktop

    Double click on avenger.exe.
    Click OK in pop-up window.

    Avenger window will open.

    Click on Execute button.
    Click OK in two consecutive pop-up windows.

    Your computer will re-boot now.

    Upon re-boot, Notepad window will open.
    Select all text, copy it, and paste it into next reply.

    NOTE. If the log doesn't open on reboot, open Avenger again, and go File>Open Log File.
     
  5. 2010/02/07
    AronB1980 Inactive Thread Starter
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Completed script processing.

    *******************

    Finished! Terminate.
     
  6. 2010/02/07
    broni Moderator Malware Analyst
    One more...

    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.
     
  7. 2010/02/07
    AronB1980 Inactive Thread Starter
    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/02/08 05:05
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB39C7000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF79C1000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: kjok.sys
    Image Path: kjok.sys
    Address: 0xF75F7000 Size: 61440 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB3246000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: c:\documents and settings\aron\local settings\temp\~df58db.tmp
    Status: Allocation size mismatch (API: 16384, Raw: 0)

    Path: c:\documents and settings\aron\local settings\temp\~df92f7.tmp
    Status: Allocation size mismatch (API: 40960, Raw: 0)

    Path: c:\documents and settings\aron\local settings\application data\microsoft\internet explorer\recovery\active\{f9ec462a-146d-11df-ae5d-0011d8c79137}.dat
    Status: Size mismatch (API: 239104, Raw: 232448)

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\EA SPORTS GFC.exe.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\ICSharpCode.SharpZipLib.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\ICSharpCode.SharpZipLib.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Interop.NetFwTypeLib.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Win32Interop.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Win32Interop.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\WPF.Themes.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\WPF.Themes.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Xceed.Wpf.DataGrid.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Xceed.Wpf.DataGrid.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Xceed.Wpf.Controls.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Xceed.Wpf.Controls.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\zlib.net.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\zlib.net.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Common.XmlSerializers.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Common.XmlSerializers.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Common.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Localization.resources.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Localization.resources.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Controls.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Controls.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Localization.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Localization.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Common.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\EA SPORTS GFC.exe.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Interop.NetFwTypeLib.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\CurseClient.exe.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\CurseClient.exe.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.ClientService.Models.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.ClientService.Models.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.AddOns.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.AddOns.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.MurmurHash.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.MurmurHash.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\CurseClient.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\CurseClient.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Enumerations.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.CurseClient.Enumerations.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.DownloadSecurity.Tokens.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\49XZ6XEJ.TWC\52QKEZV8.DO4\manifests\Curse.DownloadSecurity.Tokens.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\CurseClient.exe.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\CurseClient.exe.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.ClientService.Models.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.ClientService.Models.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.AddOns.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.AddOns.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.MurmurHash.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.MurmurHash.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\CurseClient.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\CurseClient.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Enumerations.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Enumerations.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\ICSharpCode.SharpZipLib.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\ICSharpCode.SharpZipLib.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Interop.NetFwTypeLib.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Interop.NetFwTypeLib.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Win32Interop.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Win32Interop.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\WPF.Themes.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\WPF.Themes.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Xceed.Wpf.DataGrid.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Xceed.Wpf.DataGrid.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Xceed.Wpf.Controls.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Xceed.Wpf.Controls.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\zlib.net.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\zlib.net.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Common.XmlSerializers.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Common.XmlSerializers.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.DownloadSecurity.Tokens.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Localization.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.DownloadSecurity.Tokens.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Common.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Common.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Localization.resources.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Localization.resources.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Controls.cdf-ms
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Controls.manifest
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\manifests\Curse.CurseClient.Localization.cdf-ms
    Status: Locked to the Windows API!

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "PCTCore.sys" at address 0xf7876e52

    #: 047 Function Name: NtCreateProcess
    Status: Hooked by "PCTCore.sys" at address 0xf7857cde

    #: 048 Function Name: NtCreateProcessEx
    Status: Hooked by "PCTCore.sys" at address 0xf7857ed0

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0xb5dc4cac

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "PCTCore.sys" at address 0xf7877640

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "PCTCore.sys" at address 0xf78778f4

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "<unknown>" at address 0xb5dc4cca

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "PCTCore.sys" at address 0xf7875b44

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0xb5dc4c98

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0xb5dc4c9d

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "PCTCore.sys" at address 0xf7877d60

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "<unknown>" at address 0xb5dc4cd4

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "<unknown>" at address 0xb5dc4ccf

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "PCTCore.sys" at address 0xf7877112

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb3b990b0

    Stealth Objects
    -------------------
    Object: Hidden Handle [Index: 516, Type: Key]
    Process: Explorer.EXE (PID: 1912) Address: 0xe2e94fb8 Size: -

    Object: Hidden Handle [Index: 1128, Type: Key]
    Process: Explorer.EXE (PID: 1912) Address: 0xe3fe0550 Size: -

    Object: Hidden Handle [Index: 1760, Type: Key]
    Process: Explorer.EXE (PID: 1912) Address: 0xe483e188 Size: -

    ==EOF==
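    The report above is plain text that RootRepeal lays out as titled sections with a dashed underline, and two of those sections carry the signals an analyst reading it picks out first: a driver entry whose Image Path is a bare file name (no directory, so the loaded module could not be tied to a file on disk, which is exactly how kjok.sys appears), and SSDT entries hooked by "<unknown>" rather than by a named driver. As an added example that is not part of this thread or of RootRepeal, the Python below parses those two sections and lists both kinds of finding; the report excerpt is copied from the post above, and the function names are chosen here. The hooks by PCTCore.sys are kept separately so they can be matched against the PC Tools / Spyware Doctor components that the HijackThis log earlier in the thread lists as installed.

```python
import re

# Constructed excerpt of the RootRepeal report posted above.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/02/08 05:05
Program Version: Version 1.3.5.0
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB39C7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: kjok.sys
Image Path: kjok.sys
Address: 0xF75F7000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf7876e52

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xb5dc4cac

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xb5dc4c98

==EOF==
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z/ ]+)\n-{5,}\n", re.M)
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
FUNC_RE = re.compile(r"Function Name: (?P<func>\w+)")


def split_sections(report):
    """Map section title -> body text, using RootRepeal's title + dashed-underline headers."""
    matches = list(SECTION_RE.finditer(report))
    sections = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(report)
        sections[m.group("name").strip()] = report[m.end():end]
    return sections


def records(section_text):
    """Yield each blank-line-separated record as a list of stripped lines."""
    for chunk in re.split(r"\n\s*\n", section_text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            yield lines


def suspicious_drivers(section_text):
    """Drivers whose Image Path is a bare file name: the loaded module could not be
    tied to a file on disk. Full paths such as the dump_* drivers are left alone."""
    flagged = []
    for rec in records(section_text):
        kv = dict(ln.split(": ", 1) for ln in rec if ": " in ln)
        name, path = kv.get("Name"), kv.get("Image Path")
        if name and path and not re.search(r"[\\/]", path):
            flagged.append((name, path))
    return flagged


def ssdt_hooks(section_text):
    """Map hooking module -> [(function, address)] for every hooked SSDT entry."""
    hooks = {}
    for rec in records(section_text):
        text = " ".join(rec)
        f, h = FUNC_RE.search(text), HOOK_RE.search(text)
        if f and h:
            hooks.setdefault(h.group("module"), []).append((f.group("func"), h.group("addr")))
    return hooks


def triage_report(report):
    """Findings to look at first: unresolvable driver images and SSDT hooks that
    RootRepeal could not attribute to any named module."""
    sections = split_sections(report)
    findings = [("driver", name, path) for name, path in suspicious_drivers(sections.get("Drivers", ""))]
    for func, addr in ssdt_hooks(sections.get("SSDT", "")).get("<unknown>", []):
        findings.append(("ssdt", func, addr))
    return findings


if __name__ == "__main__":
    for finding in triage_report(SAMPLE_REPORT):
        print(finding)
```

    Hooks attributed to a named module still deserve a look, which is why `ssdt_hooks` returns all of them: security products hook the SSDT on XP too, so a hook is only meaningful once the module is matched to something you know is installed. The driver rule is deliberately narrow; "File Visible: No" on its own is not a flag here, because the dump_* crash-dump drivers in the same report show it while resolving to a real file.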
     
  8. 2010/02/07
    broni Moderator Malware Analyst
    Re-run RootRepeal, click on the "Drivers" tab, right click on the kjok.sys file and click "Wipe, Copy and Delete".
    Restart computer and check for redirection.
     
  9. 2010/02/07
    AronB1980 Inactive Thread Starter
    When I try to wipe it says "Invalid path".
     
  10. 2010/02/07
    broni Moderator Malware Analyst
    Please download ComboFix from Here or Here to your Desktop.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    
    Driver::
    kjok
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [image: animation of dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  11. 2010/02/07
    AronB1980 Inactive Thread Starter
    ComboFix 10-02-07.06 - Aron 08/02/2010 5:37.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3071.2620 [GMT 0:00]
    Running from: c:\documents and settings\Aron\My Documents\ComboFix.exe
    Command switches used :: c:\documents and settings\Aron\My Documents\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Aron\.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-08 to 2010-02-08 )))))))))))))))))))))))))))))))
    .

    2010-02-08 05:35 . 2010-02-08 05:35 -------- d-----w- C:\32788R22FWJFW
    2010-02-07 05:46 . 2010-02-07 16:17 -------- d-----w- c:\documents and settings\Aron\DoctorWeb
    2010-02-06 18:13 . 2010-02-06 18:13 -------- d-----w- c:\documents and settings\Aron\Application Data\Malwarebytes
    2010-02-06 18:13 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-06 18:13 . 2010-02-06 18:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-06 18:13 . 2010-02-06 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-06 18:13 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-06 08:28 . 2010-02-06 08:28 18944 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-06 08:27 . 2010-02-06 08:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-02-06 08:17 . 2010-02-06 08:17 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-06 08:17 . 2010-02-06 08:17 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-06 08:16 . 2010-02-06 08:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2010-02-06 08:16 . 2010-02-06 08:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
    2010-02-06 08:15 . 2010-02-06 08:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-02-06 07:57 . 2010-02-06 07:57 52224 ----a-w- c:\documents and settings\Aron\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-06 07:57 . 2010-02-06 08:03 117760 ----a-w- c:\documents and settings\Aron\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-02-06 07:57 . 2010-02-06 07:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-02-06 07:57 . 2010-02-06 07:57 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-06 07:57 . 2010-02-06 07:57 -------- d-----w- c:\documents and settings\Aron\Application Data\SUPERAntiSpyware.com
    2010-02-04 10:53 . 2010-02-04 10:53 -------- d-----w- c:\program files\Trend Micro
    2010-02-04 09:24 . 2010-02-04 09:24 -------- d-----w- c:\program files\Common Files\Java
    2010-02-04 09:24 . 2010-02-04 09:24 503808 ----a-w- c:\documents and settings\Aron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50a94dd9-n\msvcp71.dll
    2010-02-04 09:24 . 2010-02-04 09:24 499712 ----a-w- c:\documents and settings\Aron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50a94dd9-n\jmc.dll
    2010-02-04 09:24 . 2010-02-04 09:24 348160 ----a-w- c:\documents and settings\Aron\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-50a94dd9-n\msvcr71.dll
    2010-02-04 09:24 . 2010-02-04 09:24 61440 ----a-w- c:\documents and settings\Aron\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-55cd67d3-n\decora-sse.dll
    2010-02-04 09:24 . 2010-02-04 09:24 12800 ----a-w- c:\documents and settings\Aron\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-55cd67d3-n\decora-d3d.dll
    2010-02-04 08:25 . 2010-02-04 08:25 -------- d-----w- c:\documents and settings\Aron\Local Settings\Application Data\Threat Expert
    2010-01-28 03:33 . 2010-01-28 03:33 -------- d-----w- c:\documents and settings\Aron\Local Settings\Application Data\CurseClient
    2010-01-24 21:48 . 2008-04-14 00:12 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
    2010-01-19 19:55 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-01-19 19:55 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-01-19 19:55 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-01-19 19:55 . 2010-01-19 19:55 -------- d-----w- c:\program files\Avira
    2010-01-19 19:55 . 2010-01-19 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-01-19 19:19 . 2010-01-19 19:19 -------- d-----w- c:\program files\Windows Media Connect 2
    2010-01-19 19:14 . 2010-01-19 19:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-01-19 19:04 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-17 03:23 . 2010-01-17 03:23 -------- d-----w- c:\documents and settings\Aron\Local Settings\Application Data\Blizzard Entertainment
    2010-01-16 19:45 . 2010-02-02 06:02 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-01-14 00:19 . 2009-12-12 14:15 178176 ----a-w- c:\windows\system32\unrar.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-08 04:55 . 2009-05-29 17:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-08 04:42 . 2009-09-13 04:13 1000264 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2010-02-07 16:20 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-02-06 07:56 . 2009-05-29 14:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-02-04 11:19 . 2010-02-04 08:24 -------- d-----w- c:\program files\Spyware Doctor
    2010-02-04 09:24 . 2009-05-29 06:36 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-04 08:25 . 2009-12-31 04:46 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-02-04 08:24 . 2010-02-04 08:24 -------- d-----w- c:\documents and settings\Aron\Application Data\PC Tools
    2010-02-04 08:24 . 2010-02-04 08:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
    2010-02-03 15:11 . 2009-05-29 14:04 -------- d-----w- c:\program files\World of Warcraft
    2010-01-22 23:15 . 2009-10-27 17:20 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-01-19 19:14 . 2009-05-29 20:31 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-19 18:38 . 2009-07-07 01:07 -------- d-----w- c:\documents and settings\Aron\Application Data\NCH Swift Sound
    2010-01-19 18:38 . 2009-10-23 00:58 -------- d-----w- c:\program files\Unity
    2010-01-19 18:35 . 2009-09-13 02:49 -------- d-----w- c:\program files\Curse
    2010-01-14 00:22 . 2009-12-31 04:39 -------- d-----w- c:\program files\Free Download Manager
    2010-01-09 12:38 . 2009-12-31 07:24 152576 ----a-w- c:\documents and settings\Aron\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
    2010-01-09 12:37 . 2009-12-31 07:24 79488 ----a-w- c:\documents and settings\Aron\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
    2009-12-31 04:59 . 2009-12-31 04:59 -------- d-----w- c:\program files\QuickTime
    2009-12-31 04:55 . 2009-10-29 22:47 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-12-31 04:55 . 2009-10-29 22:47 -------- d-----w- c:\program files\Sony Ericsson
    2009-12-31 04:53 . 2009-07-20 23:55 -------- d-----w- c:\program files\Common Files\Real
    2009-12-31 04:53 . 2009-12-31 04:53 -------- d-----w- c:\program files\Common Files\xing shared
    2009-12-31 04:52 . 2009-07-20 23:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2009-12-31 04:52 . 2009-07-20 23:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2009-12-31 04:52 . 2009-12-31 04:52 -------- d-----w- c:\program files\real
    2009-12-31 04:50 . 2009-05-29 21:08 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-12-31 04:50 . 2010-02-06 08:14 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-31 04:50 . 2009-12-31 04:50 38784 ----a-w- c:\documents and settings\Aron\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-31 04:50 . 2009-12-31 04:50 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2009-12-31 04:48 . 2009-12-31 04:48 -------- d-----w- c:\documents and settings\Aron\Application Data\Registry Mechanic
    2009-12-31 03:43 . 2009-12-31 03:43 -------- d-----w- c:\documents and settings\Aron\Application Data\Mael
    2009-12-28 11:57 . 2009-12-28 11:57 -------- d-----w- c:\documents and settings\Aron\Application Data\Datel
    2009-12-28 11:54 . 2009-12-28 11:54 -------- d-----w- c:\program files\Datel
    2009-12-21 19:14 . 2004-09-29 18:47 916480 ------w- c:\windows\system32\wininet.dll
    2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-10 10:28 . 2010-02-04 08:24 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2009-11-10 10:28 . 2010-02-04 08:24 165840 ----a-w- c:\windows\PCTBDRes.dll
    2009-11-10 10:28 . 2010-02-04 08:24 1640400 ----a-w- c:\windows\PCTBDCore.dll
    2009-11-10 10:26 . 2010-02-04 08:24 767952 ----a-w- c:\windows\BDTSupport.dll
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ------- Sigcheck -------

    [-] 2010-02-07 16:20 . EC04245E83AF4B7BD43E52E0F48FB871 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\atapi.sys
    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
    [7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
    [7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-30 13750272]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Aron\Start Menu\Programs\Startup\
    CurseClientStartup.ccip [2010-2-6 0]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Aron^Start Menu^Programs^Startup^CurseClientStartup.ccip]
    backup=c:\windows\pss\CurseClientStartup.ccipStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^Aron^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
    backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-06 22:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-27 16:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 17:43 69632 ----a-w- c:\windows\ALCMTR.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
    2005-09-21 14:32 2807808 ----a-w- c:\windows\ALCWZRD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
    2004-10-27 14:21 61952 ------w- c:\windows\system32\HdAShCut.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-10-28 20:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2009-07-26 15:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-04-30 23:30 13750272 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2009-04-30 23:30 86016 ----a-w- c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2009-04-30 23:31 1657376 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
    2009-11-25 15:42 3176408 ----a-w- c:\program files\Registry Mechanic\RegMech.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    2009-09-24 14:41 434176 ----a-w- c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2005-09-21 09:24 86016 ----a-w- c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-12-31 04:52 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPod Service"=3 (0x3)
    "idsvc"=3 (0x3)
    "gusvc"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.0.1-to-3.0.2-enGB-Win-Update-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enGB-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enGB-downloader.exe"=
    "c:\\Program Files\\Curse\\CurseClient.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enGB-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enGB-downloader.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Aron\\Local Settings\\Apps\\2.0\\7N737CHM.6M5\\7TW94EXT.1GN\\curs..tion_eee711038731a406_0004.0000_1430d97334050788\\CurseClient.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [04/02/2010 08:24 207792]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [19/01/2010 19:55 108289]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [04/02/2010 08:24 112592]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [19/01/2010 23:02 583640]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [31/12/2009 04:56 27632]
    S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [31/12/2009 04:55 90112]
    S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [29/10/2009 22:56 13224]
    S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [29/10/2009 22:48 86696]
    S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [29/10/2009 22:48 15016]
    S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [29/10/2009 22:48 114472]
    S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [29/10/2009 22:48 108328]
    S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [29/10/2009 22:48 26024]
    S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [29/10/2009 22:48 104616]
    S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [29/10/2009 22:48 109736]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [04/02/2010 08:24 359624]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.co.uk
    mStart Page = hxxp://uk.yahoo.com/?fr=fp-yie8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant =
    TCP: {3DECBDDC-EFDC-4749-93DF-74EE8BB50383} = 93.188.162.100,93.188.166.43
    FF - ProfilePath - c:\documents and settings\Aron\Application Data\Mozilla\Firefox\Profiles\yqbk26d3.default\
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-msnmsgupdate - msnmsgupdater.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-08 05:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(720)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-02-08 05:42:52
    ComboFix-quarantined-files.txt 2010-02-08 05:42
    ComboFix2.txt 2010-02-05 07:09

    Pre-Run: 211,525,046,272 bytes free
    Post-Run: 211,568,828,416 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - CA1B18EA65A9C678658D6F6C1A7A18DE
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 05:44:14, on 08/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Documents and Settings\Aron\Local Settings\Apps\2.0\7N737CHM.6M5\7TW94EXT.1GN\curs..tion_eee711038731a406_0004.0000_1430d97334050788\CurseClient.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Documents and Settings\Aron\My Documents\RootRepeal.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?fr=fp-yie8
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: CurseClientStartup.ccip
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263926685859
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263926662515
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3DECBDDC-EFDC-4749-93DF-74EE8BB50383}: NameServer = 93.188.162.100,93.188.166.43
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

    --
    End of file - 8369 bytes
     
  12. 2010/02/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You already have The Avenger, so skip first step from the following manual...

    1. Please download The Avenger to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the Avenger folder to your desktop
    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Code:
    Begin copying here:
    Files to move:
    C:\WINDOWS\system32\dllcache\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    

    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:

    • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also back up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply
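    The Avenger script above replaces the live atapi.sys with the copy Windows XP keeps in dllcache. This added Python example (not part of the thread, and not code from The Avenger) shows the check a responder would run before and after such a step: hash the live driver and its dllcache copy and report whether they differ. The directory constants are the XP paths from the script; the demo builds constructed sample files in a temporary folder instead of touching a real system, and includes a file name absent from both folders to show how a missing file is reported.

```python
import hashlib
import os
import tempfile

# Windows XP default locations, as used in the Avenger script in this thread.
DLLCACHE_DIR = r"C:\WINDOWS\system32\dllcache"
DRIVERS_DIR = r"C:\WINDOWS\system32\drivers"


def sha256_of(path):
    """SHA-256 hex digest of a file, or None when the file does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver_with_cache(name, drivers_dir=DRIVERS_DIR, dllcache_dir=DLLCACHE_DIR):
    """Compare a live driver with its dllcache copy.
    Returns "match", "mismatch" (live copy altered or a different version,
    so inspect it before trusting it), "missing_cache" or "missing_driver".
    """
    live = sha256_of(os.path.join(drivers_dir, name))
    cached = sha256_of(os.path.join(dllcache_dir, name))
    if live is None:
        return "missing_driver"
    if cached is None:
        return "missing_cache"
    return "match" if live == cached else "mismatch"


def demo():
    """Constructed sample tree: one intact driver, one whose live copy was changed."""
    root = tempfile.mkdtemp()
    drivers, cache = os.path.join(root, "drivers"), os.path.join(root, "dllcache")
    os.makedirs(drivers)
    os.makedirs(cache)
    body = b"MZ" + b"\x00" * 62 + b"constructed driver image, not a real file"
    for d, name, data in ((drivers, "disk.sys", body), (cache, "disk.sys", body),
                          (cache, "atapi.sys", body),
                          (drivers, "atapi.sys", body[:-8] + b"CHANGED!")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    # A name present in neither directory is reported as missing, not guessed at.
    return {n: compare_driver_with_cache(n, drivers, cache)
            for n in ("disk.sys", "atapi.sys", "kjok.sys")}
```

Call `demo()` for the constructed case, or `compare_driver_with_cache("atapi.sys")` on an XP system to compare the real files.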
     
  13. 2010/02/08
    AronB1980

    AronB1980 Inactive Thread Starter

    Joined:
    2010/02/04
    Messages:
    19
    Likes Received:
    0
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!

    File move operation "C:\WINDOWS\system32\dllcache\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  14. 2010/02/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. How are the issues at the moment?
     
  15. 2010/02/08
    AronB1980

    AronB1980 Inactive Thread Starter

    Joined:
    2010/02/04
    Messages:
    19
    Likes Received:
    0
    I only get redirected to Ask Jeeves sometimes, but my Windows Update still won't work. In fact, hardly any of my programmes update atm.
     
  16. 2010/02/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We may be looking at culprits other than an infection, but let's check a couple more things.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      kjok.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
