
Solved Redirects, constantly kicked off/on internet, and router hacked?

Discussion in 'Malware and Virus Removal Archive' started by ohsogirly, 2009/06/01.

  1. 2009/06/01
    ohsogirly

    ohsogirly Inactive Thread Starter

    Joined:
    2009/05/31
    Messages:
    16
    Likes Received:
    0
    [Resolved] Redirects, constantly kicked off/on internet, and router hacked?

    ;) Hello WindowsBBS,

    I just wanted to assure you that I read the rules and followed them.

    Below are the two reports.

    Thank you very much in advance! Mary

    DDS.txt

    DDS (Ver_09-05-14.01) - NTFSx86
    Run by Mary Garcia at 9:07:25.39 on Mon 06/01/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.178 [GMT -7:00]

    AV: Kaspersky Internet Security *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    E:\Trojan Removers\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    mStart Page = about:blank
    BHO: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - No File
    BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe "
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    uPolicies-explorer: HideClock = 0 (0x0)
    uPolicies-explorer: NoInstrumentation = 0 (0x0)
    uPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoResolveTrack = 1 (0x1)
    mPolicies-explorer: NoFileAssociate = 0 (0x0)
    mPolicies-system: NoDispSettingsPage = 0 (0x0)
    IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    TCP: {58571CEB-F283-493C-92C3-4D59C728B04C} = 68.190.192.35,66.214.48.27
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: klogon - c:\windows\system32\klogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = :\windows\syste

    ============= SERVICES / DRIVERS ===============

    R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-4-16 112144]
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-5-9 33808]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-2-20 213520]
    R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-4-25 201992]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-4-8 194832]
    R2 pnpcap;Pure Networks Packet Capture Driver;c:\windows\system32\drivers\pnpcap.sys [2009-5-15 23344]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-3-25 24592]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-4-8 19096]
    S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\r88754\ATIXPGAA.SYS [2006-10-15 12032]
    S3 RegGuard;RegGuard;\??\c:\windows\system32\drivers\regguard.sys --> c:\windows\system32\drivers\regguard.sys [?]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-19 353680]
    S4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
    S4 LinksysUpdater;Linksys Updater; "c:\program files\linksys\linksys updater\bin\linksysupdater.exe" -s "c:\program files\linksys\linksys updater\conf\wrapper.conf" --> c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [?]
    S4 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-9-13 52240]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2009-05-29 02:38 868,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat
    2009-05-29 02:38 4,048 a--sh--- c:\windows\system32\drivers\fidbox2.idx
    2009-05-29 02:38 25,076 a--sh--- c:\windows\system32\drivers\fidbox.idx
    2009-05-29 02:38 3,071,520 a--sh--- c:\windows\system32\drivers\fidbox.dat
    2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-05-21 08:36 105,395 a------- c:\windows\system32\drivers\klin.dat
    2009-05-21 08:36 94,643 a------- c:\windows\system32\drivers\klick.dat
    2009-05-02 23:08 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
    2009-05-02 23:08 361,600 a------- c:\windows\system32\dllcache\tcpip.sys
    2009-04-22 15:45 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
    2009-04-13 22:45 4,212 a---h--- c:\windows\system32\zllictbl.dat
    2009-04-06 14:28 389,120 a------- c:\windows\system32\dllcache\cmd.exe
    2009-04-06 14:28 389,120 a------- c:\windows\system32\cmd.exe
    2009-04-04 02:21 47,360 ac------ c:\docume~1\maryga~1\applic~1\pcouffin.sys
    2009-04-04 02:21 87,608 a------- c:\docume~1\maryga~1\applic~1\inst.exe
    2009-04-04 02:21 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
    2009-04-02 13:03 603,904 a------- c:\windows\system32\TUProgSt.exe
    2009-03-29 18:04 2,855 a------- c:\windows\system32\WISPTIS.PIF
    2009-03-21 07:06 989,696 a------- c:\windows\system32\dllcache\kernel32.dll
    2009-03-20 15:23 1,044,480 a----r-- c:\windows\system32\roboex32.dll
    2009-03-20 15:23 49,152 a----r-- c:\windows\system32\inetwh32.dll
    2009-03-16 20:10 256 a------- c:\documents and settings\mary garcia\pool.bin
    2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
    2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
    2007-03-06 00:07 87,608 a------- c:\docume~1\maryga~1\applic~1\ezpinst.exe
    2006-09-14 06:43 369 ---sh--- c:\program files\desktop.ini
    2005-04-02 08:11 60,416 a------- c:\program files\msconfig.exe
    2005-08-28 14:25 178,623 ac-sh--- c:\windows\system\tnofgmi.bak1
    2005-09-07 21:23 180,064 ac-sh--- c:\windows\system\tnofgmi.bak2
    2008-09-22 05:01 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080923\index.dat

    ============= FINISH: 9:08:36.23 ===============

    DDS Attach.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-05-14.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/14/2005 1:18:44 PM
    System Uptime: 6/1/2009 8:44:32 AM (1 hours ago)

    Motherboard: Dell Inc. | | 0G7183
    Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1594/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 72 GiB total, 6.537 GiB free.
    D: is CDROM (UDF)
    E: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom 440x 10/100 Integrated Controller
    Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01A21028&REV_02\4&39A85202&0&00F0
    Manufacturer: Broadcom
    Name: Broadcom 440x 10/100 Integrated Controller
    PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01A21028&REV_02\4&39A85202&0&00F0
    Service: bcm4sbxp

    ==== System Restore Points ===================

    RP1: 5/9/2009 6:44:30 PM - System Checkpoint
    RP2: 5/11/2009 8:23:09 AM - System Checkpoint
    RP3: 5/12/2009 8:50:11 AM - System Checkpoint
    RP4: 5/12/2009 1:34:55 PM - Software Distribution Service 3.0
    RP5: 5/13/2009 12:38:17 PM - Software Distribution Service 3.0
    RP6: 5/14/2009 12:46:19 PM - System Checkpoint
    RP7: 5/15/2009 2:03:30 AM - Automatic Restore Point
    RP8: 5/16/2009 11:24:39 AM - System Checkpoint
    RP9: 5/17/2009 11:57:52 AM - System Checkpoint
    RP10: 5/18/2009 12:22:23 PM - System Checkpoint
    RP11: 5/19/2009 9:59:15 PM - System Checkpoint
    RP12: 5/23/2009 5:30:30 PM - System Checkpoint
    RP13: 5/25/2009 9:11:22 PM - System Checkpoint
    RP14: 5/26/2009 11:15:32 PM - Installed Turbo Lister 2
    RP15: 5/28/2009 9:16:03 PM - Automatic Restore Point
    RP16: 5/29/2009 10:29:31 PM - System Checkpoint
    RP17: 5/31/2009 8:45:59 PM - System Checkpoint

    ==== Installed Programs ======================

    µTorrent
    HijackThis 2.0.2
    Malwarebytes' Anti-Malware

    ==== Event Viewer Messages From Past Week ========

    5/28/2009 9:09:31 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    5/27/2009 8:50:57 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    5/27/2009 8:11:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ASPI32 Fips intelppm IPSec kl1 klbg KLIF MRxSmb NetBIOS NetBT Rdbss Tcpip Tcpip6 WS2IFSL
    5/27/2009 8:11:23 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2009 8:11:23 PM, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2009 8:11:23 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2009 8:11:23 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2009 8:10:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    5/27/2009 6:55:27 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Pure Networks Platform Service service to connect.
    5/27/2009 6:55:27 AM, error: Service Control Manager [7000] - The Pure Networks Platform Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/27/2009 6:55:26 AM, error: Service Control Manager [7024] - The TrueVector Internet Monitor service terminated with service-specific error 0 (0x0).
    5/27/2009 10:13:07 PM, error: Service Control Manager [7034] - The Pure Networks Platform Service service terminated unexpectedly. It has done this 1 time(s).
    5/27/2009 10:12:41 PM, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
    5/27/2009 10:12:29 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
    5/27/2009 1:22:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32 Fips intelppm kl1 klbg KLIF
    5/27/2009 1:21:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

    ==== End Of File ===========================
     
  2. 2009/06/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    First of all, you're running two AV programs: Kaspersky Internet Security, and Trend Micro AntiVirus.
    This is a NO-NO, and one of them has to go.
    Please, explain what the situation is, regarding the above issue.

    Then, you need to tell us more about your problems.

    When done, write me a story :).....

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When the scan is complete, click the Save button and save the results as gmer.log.
    Warning! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2009/06/01
    ohsogirly
    Hey Broni,
    Thx so much for replying. Ok, here's the long story short, ready? :)

    Running Kaspersky and Trend Micro
    I know Trend Micro is showing up when I run these HijackThis, RSIT, or DDS scans, but going through Add/Remove, CCleaner, or even Revo Uninstaller, it's not listed as an installed program. So I'm convinced it's hiding from me. :) If you can tell me how to get rid of it, that'd be great.

    How I think it's messed up
    My 15 yr old and his friends used to go online and download **** from LimeWire, MySpace, and sites for xbox cheat codes and stuff.

    Problems i'm having

    Can't access Help and Support
    Error received: Windows cannot find 'helpctr.exe'. Make sure you typed the name correctly, blah blah blah (I'm sure you get the rest)

    System Restore
    I get a Run As pop up wanting me to pick either the Current User or The following user drop down. None of it works.

    Internet Explorer Tools
    You know how you can find more providers from the yahoo homepage and it brings up that other screen listing them: Google, AOL, MSN, Wikipedia, cnet, etc. Well, something is blocking me because I can only have utunes.

    Kicked off internet 24/7
    Event Viewer Log - Security
    ~ NOTE ~
    These errors below repeat like every 10 seconds
    576 Privilege Use, 528 Logon/Logoff, 848 Policy Change

    Event Viewer Log - System
    ~ NOTE ~
    Repeating every second
    7035 and 7036 Service Control Manager, 4201 Tcpip, 3100 Tcpip6

    I just got home so I'll run all the SuperAnti & Malwarebytes and post back. Question though: I purchased the license for Malwarebytes, so can I just run the one I have, or do you want a fresh one in case mine is jacked up? :) Sorry, don't mean to talk so, I don't know.... Long day.

    Thank you in advance! I really appreciate any help you can offer. Can I ask you though, glancing at my first log, what do you see? Does anything stand out or is it all just a mess? I'm trying to teach myself security (don't laugh) and am going to enroll in Malware Removal University so I'll be able to help others too.

    Mary
     
  5. 2009/06/01
    broni
    Clear. We'll take care of it at some point.

    Surely. Just make sure, it's up to date.

    We'll have pretty clear picture after you run those scans.

    Ahh....nothing extraordinary....LOL
     
  6. 2009/06/02
    ohsogirly
    Hi Broni,

    I just wanted to let you know I'm still here and am just waiting for the SuperAntiSpyware scan to finish! :eek: I never unchecked the options that you listed above (which obviously is giving it a thorough scan; learn something new every day). It's been running in Safe Mode for over an hour and a half.

    Just thought I'd update you.
     
  7. 2009/06/02
    broni
    No worries. I'll wake up tomorrow morning, and you may be done....LOL
    That scan, and Bytes usually take an hour, sometimes more, depending on drive size.
     
  8. 2009/06/02
    ohsogirly
    All that waiting and nothing! :) j/k....OK, here's the SuperAnti.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/01/2009 at 11:09 PM

    Application Version : 4.26.1004

    Core Rules Database Version : 3919
    Trace Rules Database Version: 1863

    Scan type : Complete Scan
    Total Scan Time : 01:24:26

    Memory items scanned : 238
    Memory threats detected : 0
    Registry items scanned : 5444
    Registry threats detected : 0
    File items scanned : 68958
    File threats detected : 0
     
  9. 2009/06/02
    broni
    That's good news, so far, isn't it? :)
     
  10. 2009/06/02
    ohsogirly
    Just running the HijackThis and I'll post all of the logs for you.

    Thanks again...

    Mary
     
  11. 2009/06/02
    ohsogirly
    SuperAntiSpyware Log

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/01/2009 at 11:09 PM

    Application Version : 4.26.1004

    Core Rules Database Version : 3919
    Trace Rules Database Version: 1863

    Scan type : Complete Scan
    Total Scan Time : 01:24:26

    Memory items scanned : 238
    Memory threats detected : 0
    Registry items scanned : 5444
    Registry threats detected : 0
    File items scanned : 68958
    File threats detected : 0




    Mbam Log

    Malwarebytes' Anti-Malware 1.37
    Database version: 2212
    Windows 5.1.2600 Service Pack 3

    6/2/2009 6:09:16 AM
    mbam-log-2009-06-02 (06-09-16).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 177475
    Time elapsed: 1 hour(s), 5 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER log
    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-06-02 17:21:47
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xBA78EA72]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xBA78F01E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xBA790A82]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xBA790438]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xBA78E1E8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xBA7923E4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xBA78EE1A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xBA78E62A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xBA78E82A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xBA790744]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xBA7928F0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xBA78E940]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xBA78E9A8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xBA7905FA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xBA791EA8]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xBA790294]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xBA78E34A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xBA78EC40]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xBA79240E]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xBA78EB96]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xBA78EA10]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xBA78E714]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xBA78E4F2]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xBA792110]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xBA78DE6A]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xBA79130C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xBA78DFCC]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xBA7927C0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xBA78DC68]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xBA790924]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xBA78EF18]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xBA791FA2]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xBA792438]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xBA78E3A0]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xBA79251C]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xBA792648]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xBA791DD4]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xBA78ECEA]
    SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xBA78ED5C]

    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
    Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 78 804E26D4 4 Bytes JMP F9B4BA78
    .text ntoskrnl.exe!_abnormal_termination + F0 804E274C 4 Bytes CALL E908A032
    .text ntoskrnl.exe!_abnormal_termination + 150 804E27AC 8 Bytes CALL 8792E229
    .text ntoskrnl.exe!_abnormal_termination + 168 804E27C4 4 Bytes JMP 0B29E241
    .text ntoskrnl.exe!_abnormal_termination + 170 804E27CC 4 Bytes JMP D7A6E249
    .text ...
    .text ntoskrnl.exe!IoIsOperationSynchronous 804E875A 5 Bytes JMP BA7A55A2 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
    .text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512919 5 Bytes JMP BA7A51E8 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)

    ---- User code sections - GMER 1.0.15 ----

    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[336] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
    .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[336] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 35]
    ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[476] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
    .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[476] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 35]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 82939670
    IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] 82939670
    IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[TDI.SYS!TdiRegisterDeviceObject] 82939670
    IAT \SystemRoot\System32\drivers\ws2ifsl.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\drivers\ip6fw.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\System32\Drivers\Udfs.SYS[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] 82939520
    IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] 82939520

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

    Device \FileSystem\Fastfat \Fat B4EAFD20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:576] 82977E50
    Thread System [4:580] 82977E50
    Thread System [4:584] 82946F80
    Thread System [4:588] 82946F80
    Thread System [4:596] 82946F80
    Thread System [4:860] FF5D3180

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1C 0x73 0xC9 0x22 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC3 0x63 0x56 0x0D ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x97 0xA4 0x41 0xAB ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1C 0x73 0xC9 0x22 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC3 0x63 0x56 0x0D ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x97 0xA4 0x41 0xAB ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1C 0x73 0xC9 0x22 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC3 0x63 0x56 0x0D ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x97 0xA4 0x41 0xAB ...
    Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1C 0x73 0xC9 0x22 ...
    Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC3 0x63 0x56 0x0D ...
    Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x97 0xA4 0x41 0xAB ...
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1C 0x73 0xC9 0x22 ...
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC3 0x63 0x56 0x0D ...
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x97 0xA4 0x41 0xAB ...
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer
    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer@ 1

    ---- EOF - GMER 1.0.15 ----

    HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:43:53 PM, on 6/2/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe "
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58571CEB-F283-493C-92C3-4D59C728B04C}: NameServer = 68.190.192.35,66.214.48.27
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

    --
    End of file - 2846 bytes
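The GMER section of the log above mixes hooks that GMER tied to a named driver (the SSDT and `.text` entries that end in `klif.sys`, Kaspersky's filter) with hooks whose target it left unattributed (the `IoCreateDevice` / `TdiRegisterDeviceObject` IAT entries that end in a bare address). The script below is an added example for this thread, not GMER's code and not something posted by either participant: it parses the SSDT, `.text` and IAT lines, separates attributed from unattributed targets, and groups the unattributed ones by address so that one address shared by many drivers stands out as a single piece of code to dump and identify. `SAMPLE_GMER` is a constructed excerpt of the posted log. An unattributed address is a lead, not a verdict; a legitimate driver that GMER did not map can own it too.

```python
"""Sort the hooks in a GMER 1.0.15 log into those GMER attributed to a
named driver and those whose target it could not tie to any loaded module,
then group the unattributed ones by target address.
Added example for this thread, not GMER's own code; SAMPLE_GMER is a
constructed excerpt of the log posted above."""
import re
from collections import defaultdict

SAMPLE_GMER = r"""
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xBA78ED5C]
.text ntoskrnl.exe!_abnormal_termination + 78 804E26D4 4 Bytes JMP F9B4BA78
.text ntoskrnl.exe!IoIsOperationSynchronous 804E875A 5 Bytes JMP BA7A55A2 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] 82939520
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 82939670
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] 82939520
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] 82939520
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] 82939520
"""

# SSDT lines always carry the owning module before the service name.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<victim>\w+)\s+\[0x(?P<target>[0-9A-Fa-f]+)\]$")
# .text lines: victim symbol (optionally "+ offset"), patched address, size, JMP/CALL target, optional owner.
TEXT_RE = re.compile(r"^\.text\s+(?P<victim>\S+(?: \+ [0-9A-Fa-f]+)?)\s+[0-9A-Fa-f]{8}\s+\d+ Bytes\s+(?:JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})(?P<rest>.*)$")
# IAT lines: "<driver>[<module>!<import>] <target>", optional owner after the address.
IAT_RE = re.compile(r"^IAT\s+(?P<victim>\S+?\[[^\]]+\])\s+\[?(?P<target>[0-9A-Fa-f]{8})\]?(?P<rest>.*)$")
# GMER appends "<path> (<description>)" when the hook target lies inside a loaded module.
MODULE_RE = re.compile(r"(?P<path>\S+\.(?:sys|dll|exe))\s+\((?P<desc>[^)]*)\)", re.I)


def parse_hooks(text):
    """One dict per hook line: kind, victim, target address, and the module
    GMER attributed the target to (None when the line names no module)."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"kind": "SSDT", "victim": m["victim"], "target": m["target"].upper(),
                          "module": m["module"].rsplit("\\", 1)[-1]})
            continue
        kind, m = ".text", TEXT_RE.match(line)
        if not m:
            kind, m = "IAT", IAT_RE.match(line)
        if not m:
            continue  # "Code", "AttachedDevice", blank and header lines are not hooks
        owner = MODULE_RE.search(m["rest"])
        hooks.append({"kind": kind, "victim": m["victim"], "target": m["target"].upper(),
                      "module": owner["path"].rsplit("\\", 1)[-1] if owner else None})
    return hooks


def unattributed_targets(text):
    """Map each target address GMER left unattributed to the hooked victims.
    One address shared by many victims is one piece of code that all of those
    drivers have been redirected through; dump and identify it first."""
    by_target = defaultdict(list)
    for h in parse_hooks(text):
        if h["module"] is None:
            by_target[h["target"]].append(h["victim"])
    return dict(by_target)


def attributed_modules(text):
    """Module basenames GMER named as hook owners, with a hook count each."""
    counts = defaultdict(int)
    for h in parse_hooks(text):
        if h["module"]:
            counts[h["module"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("hooks attributed to loaded modules:", attributed_modules(SAMPLE_GMER))
    for target, victims in sorted(unattributed_targets(SAMPLE_GMER).items()):
        print(f"unattributed target {target}: {len(victims)} hook(s)")
        for victim in victims:
            print("   ", victim)
```

Run it against the full GMER log by reading the file into `parse_hooks` instead of `SAMPLE_GMER`; the full log puts seventeen drivers on the same `IoCreateDevice` target, which is the address to look up in a kernel debugger or a memory dump.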
     
  12. 2009/06/02
    broni (Moderator Malware Analyst)
    Please download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    When done with updating Java, click on Remove older versions button.

    =======================================================

    1. Print this post out, since you won't have access to it at some point.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    - O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
    - O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
    - O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)


    4. You may also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  13. 2009/06/02
    ohsogirly (Inactive Thread Starter)
    Hi Broni,
    I will do that right now. Quick question though. I've check-marked those **** O2 BHOs a million times and they won't go away for me. Ha ha, watch it work for some amazing reason now.

    Will post new HiJack in a second.
     
  14. 2009/06/02
    broni (Moderator Malware Analyst)
    Ok...
     
  15. 2009/06/02
    ohsogirly (Inactive Thread Starter)
    Hi Broni,
    Ok, here's the updated HijackThis. Do you know why those BHOs won't go away?

    ~ Also, I forgot to mention that I can't run msconfig from start, run. I ended up getting a direct exe download of it and have been accessing it that way ever since.

    I'll wait to hear back from you.

    Mary

    HijackThis Log (after Java clean up)



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:19:27 PM, on 6/2/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe "
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58571CEB-F283-493C-92C3-4D59C728B04C}: NameServer = 68.190.192.35,66.214.48.27
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

    --
    End of file - 2999 bytes
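The same four `O2` entries appear in the log before the fix (post 11) and in this one after it, which is the question the post asks. The script below is an added example for this thread, not HijackThis's code and not something either participant posted: it flags the entries in a HijackThis 2.0.2 log that deserve a second look (`O2` registrations with no file behind them, the `O10` LSP HijackThis does not recognise, the `O16` record with no URL, and `O17` name servers not on a list you trust) and then reports which flagged entries are still present verbatim in the later log. `BEFORE` and `AFTER` are constructed excerpts of the two logs above. Assumptions: the registry path shown for `O2` is where HijackThis reads BHO registrations, and `trusted_dns` is whatever the ISP actually hands out; the two servers in the `O17` line are not identified anywhere in the thread, so the script reports them until you pass them in. One interpretation, not something the thread establishes: GMER's registry section above lists the `{02478D38-...}\NoExplorer` key, and GMER reports keys there when its raw hive read disagrees with what the registry API returns; if that is what is happening, it would explain why HijackThis's delete does not stick.

```python
"""Flag the entries in a HijackThis 2.0.2 log that deserve a second look and
report which of them survived a 'Fix checked' pass, by comparing the log
taken before the fix with the one taken after.  Added example for this
thread, not HijackThis's code; BEFORE and AFTER are constructed excerpts of
the two logs posted above (header and process lines omitted)."""
import re

BEFORE = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe "
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{58571CEB-F283-493C-92C3-4D59C728B04C}: NameServer = 68.190.192.35,66.214.48.27
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

AFTER = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe "
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{58571CEB-F283-493C-92C3-4D59C728B04C}: NameServer = 68.190.192.35,66.214.48.27
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Where HijackThis reads O2 entries from; "Fix checked" deletes the {CLSID} subkey here.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def entries(log):
    """The O/R/F lines of a log, stripped, in order."""
    return [l.strip() for l in log.splitlines() if ENTRY_RE.match(l.strip())]


def flag_entries(log, trusted_dns=frozenset()):
    """(entry, reason) pairs for the entries worth checking by hand."""
    findings = []
    for line in entries(log):
        section, body = ENTRY_RE.match(line).groups()
        if section == "O2" and body.endswith("(no file)"):
            clsid = CLSID_RE.search(body).group(0)
            findings.append((line, f"BHO registered with no DLL behind it; key to inspect: {BHO_KEY}\\{clsid}"))
        elif section == "O10":
            findings.append((line, "Winsock LSP not on HijackThis's known list; verify the file's signer before removing"))
        elif section == "O16" and body.rstrip().endswith("-"):
            findings.append((line, "ActiveX download record with no source URL"))
        elif section == "O17":
            rogue = [ip for ip in IPV4_RE.findall(body) if ip not in trusted_dns]
            if rogue:
                findings.append((line, "DNS servers not on the trusted list: " + ", ".join(rogue)))
    return findings


def diff_logs(before, after):
    """(removed, added): entries that vanished after the fix, and new ones."""
    b, a = entries(before), entries(after)
    return [l for l in b if l not in a], [l for l in a if l not in b]


def survivors(before, after, trusted_dns=frozenset()):
    """Flagged entries from the earlier log still present verbatim in the later one."""
    still_there = set(entries(after))
    return [(l, why) for l, why in flag_entries(before, trusted_dns) if l in still_there]


if __name__ == "__main__":
    for line, why in survivors(BEFORE, AFTER):
        print(f"STILL PRESENT  {line}\n    -> {why}")
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed by the fix:", *removed, sep="\n  ")
    print("new since the fix:", *added, sep="\n  ")
```

With the ISP's real resolvers passed as `trusted_dns`, the `O17` line drops out of the report; with nothing passed, it stays in as a reminder to confirm where those two addresses belong, which is the check the thread title is asking about.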
     
  16. 2009/06/02
    broni (Moderator Malware Analyst)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.
     
  17. 2009/06/02
    ohsogirly (Inactive Thread Starter)
    Combofix is warning me that Trend Micro is running. So I didn't run it yet till I hear from you.

    You had also pointed this out to me on your 1st post to me. But, I have no clue where the heck it's running from. It's not in Program Files, doesn't show in Task Manager, or Process Explorer.

    How do I stop something from running when I can't find it? Btw, I can't believe I'm having to ask this. :) Hold in your laughter.
     
  18. 2009/06/02
    broni (Moderator Malware Analyst)
    You got my OK. Run it, and thanks for being cautious, and for asking first :)
    We'll take care of Trend at the same time.
     
  19. 2009/06/03
    ohsogirly (Inactive Thread Starter)
    Alrighty. Sorry for the delay. Here's the logs.

    ComboFix

    ComboFix 09-06-01.03 - Mary Garcia 06/02/2009 21:34.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.209 [GMT -7:00]
    Running from: c:\documents and settings\Mary Garcia\Desktop\ComboFix.exe
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\-1205674267
    c:\docume~1\MARYGA~1\APPLIC~1\inst.exe
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\SYSTEM\tnofgmi.bak1
    c:\windows\SYSTEM\tnofgmi.bak2
    c:\windows\SYSTEM\tnofgmi.ini
    c:\windows\system32\_003473_.tmp.dll
    c:\windows\system32\_003474_.tmp.dll
    c:\windows\system32\_003475_.tmp.dll
    c:\windows\system32\_003476_.tmp.dll
    c:\windows\system32\_003483_.tmp.dll
    c:\windows\system32\_003484_.tmp.dll
    c:\windows\system32\_003485_.tmp.dll
    c:\windows\system32\_003486_.tmp.dll
    c:\windows\system32\_003488_.tmp.dll
    c:\windows\system32\_003489_.tmp.dll
    c:\windows\system32\_003492_.tmp.dll
    c:\windows\system32\_003493_.tmp.dll
    c:\windows\system32\_003495_.tmp.dll
    c:\windows\system32\_003496_.tmp.dll
    c:\windows\system32\_003497_.tmp.dll
    c:\windows\system32\_003499_.tmp.dll
    c:\windows\system32\_003502_.tmp.dll
    c:\windows\system32\_003503_.tmp.dll
    c:\windows\system32\_003507_.tmp.dll
    c:\windows\system32\_003508_.tmp.dll
    c:\windows\system32\_003510_.tmp.dll
    c:\windows\system32\_003513_.tmp.dll
    c:\windows\system32\_003515_.tmp.dll
    c:\windows\system32\_003516_.tmp.dll
    c:\windows\system32\_003517_.tmp.dll
    c:\windows\system32\_003518_.tmp.dll
    c:\windows\system32\_003519_.tmp.dll
    c:\windows\system32\_003522_.tmp.dll
    c:\windows\system32\_003523_.tmp.dll
    c:\windows\system32\_003524_.tmp.dll
    c:\windows\system32\_003525_.tmp.dll
    c:\windows\system32\_003526_.tmp.dll
    c:\windows\system32\_003531_.tmp.dll
    c:\windows\system32\_003533_.tmp.dll
    c:\windows\system32\_003534_.tmp.dll
    c:\windows\system32\404Fix.exe
    c:\windows\system32\Agent.OMZ.Fix.exe
    c:\windows\system32\dumphive.exe
    c:\windows\system32\IEDFix.C.exe
    c:\windows\system32\IEDFix.exe
    c:\windows\system32\o4Patch.exe
    c:\windows\system32\SrchSTS.exe
    c:\windows\system32\tmp.reg
    c:\windows\system32\VACFix.exe
    c:\windows\system32\VCCLSID.exe
    c:\windows\system32\WS2Fix.exe

    ----- BITS: Possible infected sites -----

    hxxp://download.linksys.com
    .
    ((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
    .

    2009-06-02 04:31 . 2009-06-02 04:31 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-06-02 04:30 . 2009-06-02 04:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-06-02 03:34 . 2009-06-02 03:34 -------- d-----w- c:\program files\Event Log Explorer
    2009-05-27 06:16 . 2009-05-27 06:16 -------- d-----w- c:\program files\eBay
    2009-05-23 09:32 . 2009-05-23 22:11 -------- d-----w- c:\windows\tracing
    2009-05-20 06:34 . 2009-05-20 06:35 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
    2009-05-20 03:38 . 2008-08-22 03:41 69008 ----a-w- c:\windows\system32\zlcomm.dll
    2009-05-20 03:38 . 2008-08-22 03:41 106384 ----a-w- c:\windows\system32\zlcommdb.dll
    2009-05-20 03:37 . 2008-08-22 03:41 1221008 ----a-w- c:\windows\system32\zpeng25.dll
    2009-05-20 03:37 . 2009-05-27 13:58 -------- d-----w- c:\program files\Zone Labs
    2009-05-20 03:37 . 2009-05-27 13:58 -------- d-----w- c:\windows\system32\ZoneLabs
    2009-05-16 02:13 . 2008-12-14 16:20 23344 ----a-w- c:\windows\system32\drivers\pnpcap.sys
    2009-05-15 09:10 . 2009-05-15 09:10 -------- d-----w- c:\documents and settings\Mary Garcia\Local Settings\Application Data\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}
    2009-05-14 08:56 . 2009-05-14 08:56 -------- d-----w- c:\program files\WebEx
    2009-05-14 02:57 . 2009-05-14 02:57 -------- d-----w- c:\program files\Windows Installer Clean Up
    2009-05-13 18:47 . 2004-08-01 01:35 1654784 ----a-w- c:\windows\system32\W29MLRES.dll
    2009-05-13 18:33 . 2009-05-16 02:13 -------- d-----w- c:\program files\Pure Networks
    2009-05-12 19:48 . 2009-05-12 19:48 -------- dc----w- c:\documents and settings\NetworkService.NT AUTHORITY.001\Application Data\Intel
    2009-05-12 19:48 . 2009-05-12 19:48 -------- dc----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Intel
    2009-05-12 19:46 . 2009-05-12 19:46 -------- dc----w- c:\documents and settings\Administrator\Application Data\Intel
    2009-05-12 19:46 . 2009-05-12 19:46 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Intel
    2009-05-12 19:46 . 2009-05-12 19:46 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
    2009-05-12 19:46 . 2009-05-12 19:46 -------- dc----w- c:\documents and settings\All Users\Application Data\Intel
    2009-05-09 08:28 . 2008-04-14 00:12 78848 ----a-w- c:\windows\system32\msiexec.exe
    2009-05-09 08:28 . 2008-04-14 00:11 2843136 ----a-w- c:\windows\system32\msi.dll
    2009-05-09 08:28 . 2008-04-14 00:11 271360 ----a-w- c:\windows\system32\msihnd.dll
    2009-05-09 08:28 . 2008-04-14 00:11 15360 ----a-w- c:\windows\system32\msisip.dll
    2009-05-09 08:28 . 2008-04-13 15:39 884736 ----a-w- c:\windows\system32\msimsg.dll
    2009-05-09 07:03 . 2009-05-09 07:03 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
    2009-05-08 20:54 . 2009-05-14 02:57 -------- d-----w- c:\program files\MSECACHE
    2009-05-08 07:13 . 2009-05-12 06:50 -------- dc----w- C:\RootkitNO
    2009-05-08 07:07 . 2009-05-08 07:07 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\RegRun
    2009-05-08 06:30 . 2009-05-08 06:30 2 --shatr- c:\windows\winstart.bat
    2009-05-08 05:08 . 2008-02-13 18:41 441856 ----a-w- c:\windows\RunGuard.exe
    2009-05-08 05:08 . 2000-12-13 02:56 16384 ----a-w- c:\windows\WinBait.exe
    2009-05-08 05:08 . 2009-05-08 07:31 -------- d-----w- c:\program files\Greatis
    2009-05-08 00:41 . 2009-05-10 01:17 -------- d-----w- c:\program files\Enigma Software Group
    2009-05-08 00:23 . 2009-05-08 00:23 -------- dc----w- c:\documents and settings\All Users\Application Data\CA
    2009-05-07 06:52 . 2009-05-07 09:08 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\TweakNow RegCleaner
    2009-05-07 06:31 . 2009-05-07 06:31 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Uniblue

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-03 04:40 . 2009-02-21 05:16 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-06-03 04:38 . 2009-02-21 05:09 868384 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2009-06-03 04:38 . 2009-02-21 05:09 4048 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2009-06-03 04:38 . 2009-02-21 05:09 3071520 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2009-06-03 04:38 . 2009-02-21 05:09 25076 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2009-06-03 02:27 . 2008-12-18 06:20 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-06-03 02:19 . 2006-04-02 16:09 -------- d-----w- c:\program files\Java
    2009-06-03 00:43 . 2008-09-14 00:27 -------- d-----w- c:\program files\Trend Micro
    2009-06-02 03:38 . 2005-01-14 21:19 68408 -c--a-w- c:\documents and settings\Mary Garcia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-30 03:34 . 2009-03-19 06:29 -------- d-----w- c:\program files\Sysinternals
    2009-05-27 20:31 . 2009-04-09 06:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-05-27 06:17 . 2005-01-07 14:52 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-05-27 05:23 . 2009-01-02 01:18 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\uTorrent
    2009-05-26 20:20 . 2009-04-09 06:32 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-26 20:19 . 2009-04-09 06:32 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-05-21 15:36 . 2009-02-21 05:17 94643 ----a-w- c:\windows\system32\drivers\klick.dat
    2009-05-21 15:36 . 2009-02-21 05:17 105395 ----a-w- c:\windows\system32\drivers\klin.dat
    2009-05-16 05:15 . 2007-03-06 07:07 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Vso
    2009-05-14 03:22 . 2008-11-19 08:08 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Move Networks
    2009-05-13 19:08 . 2006-09-18 18:03 -------- d-----w- c:\program files\Microsoft Location Finder
    2009-05-13 19:08 . 2008-11-08 01:17 -------- d-----w- c:\program files\FrostWire
    2009-05-13 19:08 . 2007-03-10 20:36 -------- d-----w- c:\program files\DivX
    2009-05-13 19:08 . 2005-01-07 14:40 -------- d-----w- c:\program files\Apoint
    2009-05-12 06:50 . 2009-03-30 20:47 -------- dc----w- c:\documents and settings\All Users\Application Data\PCPitstop
    2009-05-12 06:50 . 2008-02-22 03:26 -------- dc----w- c:\documents and settings\All Users\Application Data\SyncClient
    2009-05-12 06:50 . 2008-12-30 01:03 -------- d-----w- c:\program files\ConvertXtoDVD
    2009-05-12 06:50 . 2008-11-08 04:21 -------- d-----w- c:\program files\DVDFab 5
    2009-05-07 09:05 . 2009-04-03 23:09 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\SUPERAntiSpyware.com
    2009-05-06 06:16 . 2008-12-31 10:01 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Azureus
    2009-05-06 06:16 . 2008-11-08 01:18 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\FrostWire
    2009-05-03 06:08 . 2009-05-15 06:23 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys.old
    2009-04-22 22:45 . 2009-04-22 22:45 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
    2009-04-14 08:29 . 2009-04-14 08:29 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-04-14 08:14 . 2009-04-14 08:14 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Foxit
    2009-04-14 08:13 . 2009-04-14 08:13 -------- d-----w- c:\program files\Foxit Software
    2009-04-14 06:52 . 2009-02-03 21:44 -------- dcsh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
    2009-04-14 06:43 . 2009-01-30 10:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Skype
    2009-04-14 06:42 . 2009-04-14 06:32 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS
    2009-04-14 05:45 . 2009-04-13 14:12 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2009-04-12 22:08 . 2005-01-19 23:00 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Apple Computer
    2009-04-07 07:14 . 2009-04-07 07:14 -------- d-----w- c:\program files\MSBuild
    2009-04-07 07:14 . 2009-04-07 07:14 -------- d-----w- c:\program files\Reference Assemblies
    2009-04-06 21:28 . 2008-09-19 13:44 389120 ----a-w- c:\windows\system32\cmd.exe
    2009-04-04 09:21 . 2007-03-06 07:07 47360 -c--a-w- c:\docume~1\MARYGA~1\APPLIC~1\pcouffin.sys
    2009-04-04 09:21 . 2007-03-06 07:07 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2009-04-04 06:27 . 2005-01-07 14:51 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-04-04 05:31 . 2009-04-04 05:01 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-04-04 05:27 . 2005-02-11 18:27 -------- d-----w- c:\program files\Yahoo!
    2009-04-04 05:10 . 2008-05-25 23:04 -------- dc----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-04-02 20:03 . 2009-02-17 22:58 603904 ----a-w- c:\windows\system32\TUProgSt.exe
    2009-03-30 01:04 . 2009-03-30 01:04 2855 ----a-w- c:\windows\system32\WISPTIS.PIF
    2009-03-24 01:34 . 2009-02-11 09:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-03-20 22:23 . 2009-03-20 22:23 49152 ----a-r- c:\windows\system32\inetwh32.dll
    2009-03-20 22:23 . 2009-03-20 22:23 1044480 ----a-r- c:\windows\system32\roboex32.dll
    2009-03-20 15:05 . 2009-03-20 15:05 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-03-19 21:32 . 2008-01-29 19:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-17 18:52 . 2008-03-20 00:29 256 -c--a-w- c:\windows\system32\pool.bin
    2009-03-17 03:10 . 2009-01-21 09:09 256 ----a-w- c:\documents and settings\Mary Garcia\pool.bin
    2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w- c:\windows\system32\pdh.dll
    2005-04-02 15:11 . 2005-04-02 15:11 60416 ----a-w- c:\program files\msconfig.exe
    .

    ------- Sigcheck -------

    [-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    [-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    [-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    [-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
    [7] 2009-05-03 06:08 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
    [-] 2009-05-03 06:08 361600 4AFB3B0919649F95C1964AA1FAD27D73 c:\windows\SYSTEM32\DRIVERS\TCPIP.SYS
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-05-26 414480]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-03 148888]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-21 201992]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoFileAssociate"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [5/9/2009 12:03 AM 33808]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
    R2 pnpcap;Pure Networks Packet Capture Driver;c:\windows\SYSTEM32\DRIVERS\pnpcap.sys [5/15/2009 7:13 PM 23344]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\SYSTEM32\DRIVERS\klfltdev.sys [3/13/2008 8:02 PM 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [3/25/2008 9:07 PM 24592]
    R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [4/8/2009 11:32 PM 19096]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/8/2009 11:32 PM 194832]
    S3 ATIXPGAA;ATIXPGAA;c:\dell\Drivers\R88754\ATIXPGAA.SYS [10/15/2006 11:56 AM 12032]
    S3 RegGuard;RegGuard;\??\c:\windows\system32\Drivers\regguard.sys --> c:\windows\system32\Drivers\regguard.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
    S4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
    S4 LinksysUpdater;Linksys Updater;"c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "c:\program files\Linksys\Linksys Updater\conf\wrapper.conf" --> c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [?]
    S4 tmevtmgr;tmevtmgr;c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys [9/13/2008 5:30 PM 52240]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2009-06-03 c:\windows\Tasks\AWC AutoSweep.job
    - c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-05-10 22:35]

    2009-06-03 c:\windows\Tasks\AWC Update.job
    - c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-05-10 17:15]

    2009-05-28 c:\windows\Tasks\Malwarebytes' Scheduled Update for Mary Garcia.job
    - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-09 20:20]

    2009-02-01 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
    - c:\windows\vVX3000.exe [2009-01-30 21:46]
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-procexp90.Sys


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = about:blank
    TCP: {58571CEB-F283-493C-92C3-4D59C728B04C} = 68.190.192.35,66.214.48.27
    DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-02 21:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2741035504-3325466855-470738218-1007\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k* "!\CriticalAppInstall\ActiveSync]
    "Name"="ActiveSync"
    "DisplayName"="Microsoft ActiveSync"
    "Param1"="ActiveSync"
    "Type"="wellknown"
    "Order"=dword:00000000
    "State"=dword:0000000b

    [HKEY_USERS\S-1-5-21-2741035504-3325466855-470738218-1007\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k* "!\CriticalAppInstall\IESettings]
    "Name"="IESettings"
    "Type"="IESettings"
    "Order"=dword:00000003
    "State"=dword:0000000b

    [HKEY_USERS\S-1-5-21-2741035504-3325466855-470738218-1007\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k* "!\CriticalAppInstall\MediaFiles]
    "Name"="MediaFiles"
    "Type"="MediaFiles"
    "Order"=dword:00000002
    "State"=dword:0000000b

    [HKEY_USERS\S-1-5-21-2741035504-3325466855-470738218-1007\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k* "!\CriticalAppInstall\NPW]
    "Name"="NPW"
    "Param1"="NPW"
    "Type"="wellknown"
    "Order"=dword:00000001
    "State"=dword:0000000b
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1136)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\klogon.dll

    - - - - - - - > 'explorer.exe'(268)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-03 21:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-06-03 04:45

    Pre-Run: 6,808,948,736 bytes free
    Post-Run: 6,695,133,184 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    Current=3 Default=3 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
    313 --- E O F --- 2009-05-08 08:18

    Updated HijackThis after ComboFix

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:09:16 PM, on 6/2/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58571CEB-F283-493C-92C3-4D59C728B04C}: NameServer = 68.190.192.35,66.214.48.27
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

    --
    End of file - 3245 bytes
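Two lines in the log above carry the point a practitioner would check before anything else. In the Sigcheck block, the running c:\windows\SYSTEM32\DRIVERS\TCPIP.SYS is marked [-] with MD5 4AFB3B0919649F95C1964AA1FAD27D73, while the DLLCACHE copy with the same size and timestamp is marked [7] with MD5 9AEFA14BD6B182D61E3119FA5F436D3D (the log also lists tcpip.sys.old and TCPIP.SYS.ORIGINAL next to it, which is worth comparing against). In the HijackThis output, the O17 line records two statically configured resolvers for the active interface. The script below is an added example written for this page; it is not ComboFix, HijackThis, or anything posted in the thread. It parses those lines (copied verbatim from the log above), flags a live driver whose hash differs from its verified reference copy, and classifies the O17 resolvers as private or public addresses. Assumptions: [7] and [-] are read as "verified" and "not verified", which is how ComboFix labels Sigcheck entries; the log cannot tell whether the two public resolvers belong to the ISP, so the script only reports them for manual verification rather than judging them.

```python
"""Triage of ComboFix Sigcheck and HijackThis O17 lines.

Added example for this page; not ComboFix/HijackThis code and not from the thread.
The embedded log lines are copied from the post above.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict

# Sigcheck lines copied from the posted ComboFix log. ComboFix marks a copy it
# verified as [7] and one it could not verify as [-] (assumption: that is the
# meaning of the two markers).
SIGCHECK_LOG = r"""
[-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[7] 2009-05-03 06:08 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
[-] 2009-05-03 06:08 361600 4AFB3B0919649F95C1964AA1FAD27D73 c:\windows\SYSTEM32\DRIVERS\TCPIP.SYS
"""

# O17 line copied from the posted HijackThis log.
HJT_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{58571CEB-F283-493C-92C3-4D59C728B04C}: NameServer = 68.190.192.35,66.214.48.27
"""

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<stamp>\S+ \S+)\s+(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$"
)
O17_RE = re.compile(r"^O17 - .*?:\s*NameServer\s*=\s*(?P<servers>.+?)\s*$")

# The copy that is actually loaded lives here; the verified copies Windows
# keeps for File Protection live in the reference directories.
LIVE_DIRS = ("\\system32\\drivers\\",)
REFERENCE_DIRS = ("\\dllcache\\", "\\servicepackfiles\\")


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts with flag, stamp, size, md5, path."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            e["path"] = e["path"].lower()
            entries.append(e)
    return entries


def flag_unknown_live_copies(entries):
    """Report every unverified live driver and the verified copy it should match.

    $hf_mig$ leftovers marked [-] are older hotfix copies that are not loaded,
    so they are deliberately ignored; only the live copy is compared.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1]].append(e)
    findings = []
    for name, copies in by_name.items():
        live = [c for c in copies if c["flag"] == "-"
                and any(d in c["path"] for d in LIVE_DIRS)]
        refs = [c for c in copies if c["flag"] == "7"
                and any(d in c["path"] for d in REFERENCE_DIRS)]
        for lc in live:
            same_size = [r for r in refs if r["size"] == lc["size"]]
            ref = same_size[0] if same_size else (refs[0] if refs else None)
            findings.append({
                "file": name,
                "live_path": lc["path"],
                "live_md5": lc["md5"],
                "reference_path": ref["path"] if ref else None,
                "reference_md5": ref["md5"] if ref else None,
                "same_size_as_reference": bool(same_size),
            })
    return findings


def describe(finding):
    """One-line verdict for a finding; same size with a different hash means
    the bytes were changed in place, not that a different build was installed."""
    if finding["reference_md5"] is None:
        return f"{finding['file']}: live copy {finding['live_md5']} unverified, no reference copy to compare"
    size_note = "identical size" if finding["same_size_as_reference"] else "different size"
    return (f"{finding['file']}: live copy {finding['live_md5']} differs from verified "
            f"{finding['reference_path']} ({finding['reference_md5']}, {size_note}); "
            f"restore from the verified copy and find out what replaced it")


def parse_o17_nameservers(text):
    """Collect every resolver address from HijackThis O17 NameServer lines."""
    servers = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers.extend(s for s in re.split(r"[,\s]+", m.group("servers")) if s)
    return servers


def classify_resolver(addr):
    """'private' is a LAN address (normally the router); 'public' must be
    checked against the ISP's published resolvers before trusting it."""
    return "private" if ipaddress.ip_address(addr).is_private else "public"


def md5_hex(data):
    """MD5 in the upper-case form ComboFix prints, for comparing a backup."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path, chunk=1 << 20):
    """Hash a file on disk (e.g. TCPIP.SYS.ORIGINAL) for comparison with the log."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for f in flag_unknown_live_copies(parse_sigcheck(SIGCHECK_LOG)):
        print(describe(f))
    for s in parse_o17_nameservers(HJT_LOG):
        print(f"NameServer {s}: {classify_resolver(s)}")
```

Run as-is it prints one finding for tcpip.sys (live 4AFB... versus verified DLLCACHE 9AEF..., identical size) and reports both O17 resolvers as public. The ComboFix "TCP: {GUID} = ..." line in the Supplementary Scan carries the same two addresses and can be fed through the same split if you prefer that source. md5_of_file is there so the tcpip.sys.old and TCPIP.SYS.ORIGINAL backups listed in Find3M can be hashed and matched against the Sigcheck hashes; a backup that equals the verified DLLCACHE hash tells you which file was the original.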
     
  20. 2009/06/03
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm always amazed how much stuff Combofix will find on an apparently clean computer.

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:


    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  21. 2009/06/03
    ohsogirly

    ohsogirly Inactive Thread Starter

    Joined:
    2009/05/31
    Messages:
    16
    Likes Received:
    0
    Here you go.

    ComboFix 09-06-01.03 - Mary Garcia 06/02/2009 23:02.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.195 [GMT -7:00]
    Running from: c:\documents and settings\Mary Garcia\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mary Garcia\Desktop\CFScript.txt
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
    FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    FILE ::
    "c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys"
    "c:\windows\system32\zlcomm.dll"
    "c:\windows\system32\zlcommdb.dll"
    "c:\windows\system32\zllictbl.dat"
    "c:\windows\system32\zpeng25.dll"
    "c:\windows\winstart.bat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Zone Labs
    c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys
    c:\windows\system32\zlcomm.dll
    c:\windows\system32\zlcommdb.dll
    c:\windows\system32\zllictbl.dat
    c:\windows\system32\ZoneLabs
    c:\windows\system32\ZoneLabs\cerbprovider.pvx
    c:\windows\system32\ZoneLabs\fbl.dll
    c:\windows\system32\ZoneLabs\featuremap.dll
    c:\windows\system32\ZoneLabs\icslta.dll
    c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
    c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
    c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
    c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
    c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
    c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
    c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
    c:\windows\system32\ZoneLabs\lib\pyd\_ctypes.pyd
    c:\windows\system32\ZoneLabs\lib\pyd\_socket.pyd
    c:\windows\system32\ZoneLabs\lib\pyd\pyexpat.pyd
    c:\windows\system32\ZoneLabs\lib\pyd\zptv.pyd
    c:\windows\system32\ZoneLabs\lib\pyd\zpui.pyd
    c:\windows\system32\ZoneLabs\lib\Sandbox.zip.dll
    c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll
    c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
    c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
    c:\windows\system32\ZoneLabs\lib\zic.zip.dll
    c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
    c:\windows\system32\ZoneLabs\lib\zp4pc.zip.dll
    c:\windows\system32\ZoneLabs\lib\zpdp.zip.dll
    c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
    c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
    c:\windows\system32\ZoneLabs\lib\ztv.zip.dll
    c:\windows\system32\ZoneLabs\lib\zui.zip.dll
    c:\windows\system32\ZoneLabs\lib\zvpn.zip.dll
    c:\windows\system32\ZoneLabs\qrbase.dll
    c:\windows\system32\ZoneLabs\scheduler.dll
    c:\windows\system32\ZoneLabs\ssleay32.dll
    c:\windows\system32\ZoneLabs\updating.dll
    c:\windows\system32\ZoneLabs\updclient.exe
    c:\windows\system32\ZoneLabs\vsdb.dll
    c:\windows\system32\ZoneLabs\vsmon.exe
    c:\windows\system32\ZoneLabs\vsruledb.dll
    c:\windows\system32\ZoneLabs\vsvault.dll
    c:\windows\system32\ZoneLabs\ZLCommDB.xml
    c:\windows\system32\ZoneLabs\zlparser.dll
    c:\windows\system32\ZoneLabs\zlquarantine.dll
    c:\windows\system32\ZoneLabs\zlupdate.dll
    c:\windows\system32\ZoneLabs\ZoneAlarm.xml
    c:\windows\system32\zpeng25.dll
    c:\windows\winstart.bat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TMEVTMGR
    -------\Service_tmevtmgr


    ((((((((((((((((((((((((( Files Created from 2009-05-03 to 2009-06-03 )))))))))))))))))))))))))))))))
    .

    2009-06-02 04:31 . 2009-06-02 04:31 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-06-02 04:30 . 2009-06-02 04:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-06-02 03:34 . 2009-06-02 03:34 -------- d-----w- c:\program files\Event Log Explorer
    2009-05-27 06:16 . 2009-05-27 06:16 -------- d-----w- c:\program files\eBay
    2009-05-23 09:32 . 2009-05-23 22:11 -------- d-----w- c:\windows\tracing
    2009-05-20 06:34 . 2009-05-20 06:35 -------- d-----w- c:\program files\Debugging Tools for Windows (x86)
    2009-05-16 02:13 . 2008-12-14 16:20 23344 ----a-w- c:\windows\system32\drivers\pnpcap.sys
    2009-05-15 09:10 . 2009-05-15 09:10 -------- d-----w- c:\documents and settings\Mary Garcia\Local Settings\Application Data\nmmicrocore{DB9CF5D7-17C7-48c7-99A5-06E82D0A0252}
    2009-05-14 08:56 . 2009-05-14 08:56 -------- d-----w- c:\program files\WebEx
    2009-05-14 02:57 . 2009-05-14 02:57 -------- d-----w- c:\program files\Windows Installer Clean Up
    2009-05-13 18:47 . 2004-08-01 01:35 1654784 ----a-w- c:\windows\system32\W29MLRES.dll
    2009-05-13 18:33 . 2009-05-16 02:13 -------- d-----w- c:\program files\Pure Networks
    2009-05-12 19:48 . 2009-05-12 19:48 -------- dc----w- c:\documents and settings\NetworkService.NT AUTHORITY.001\Application Data\Intel
    2009-05-12 19:48 . 2009-05-12 19:48 -------- dc----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Intel
    2009-05-12 19:46 . 2009-05-12 19:46 -------- dc----w- c:\documents and settings\Administrator\Application Data\Intel
    2009-05-12 19:46 . 2009-05-12 19:46 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Intel
    2009-05-12 19:46 . 2009-05-12 19:46 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
    2009-05-12 19:46 . 2009-05-12 19:46 -------- dc----w- c:\documents and settings\All Users\Application Data\Intel
    2009-05-09 08:28 . 2008-04-14 00:12 78848 ----a-w- c:\windows\system32\msiexec.exe
    2009-05-09 08:28 . 2008-04-14 00:11 2843136 ----a-w- c:\windows\system32\msi.dll
    2009-05-09 08:28 . 2008-04-14 00:11 271360 ----a-w- c:\windows\system32\msihnd.dll
    2009-05-09 08:28 . 2008-04-14 00:11 15360 ----a-w- c:\windows\system32\msisip.dll
    2009-05-09 08:28 . 2008-04-13 15:39 884736 ----a-w- c:\windows\system32\msimsg.dll
    2009-05-09 07:03 . 2009-05-09 07:03 33808 ----a-w- c:\windows\system32\drivers\klbg.sys
    2009-05-08 20:54 . 2009-05-14 02:57 -------- d-----w- c:\program files\MSECACHE
    2009-05-08 07:13 . 2009-05-12 06:50 -------- dc----w- C:\RootkitNO
    2009-05-08 07:07 . 2009-05-08 07:07 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\RegRun
    2009-05-08 05:08 . 2008-02-13 18:41 441856 ----a-w- c:\windows\RunGuard.exe
    2009-05-08 05:08 . 2000-12-13 02:56 16384 ----a-w- c:\windows\WinBait.exe
    2009-05-08 05:08 . 2009-05-08 07:31 -------- d-----w- c:\program files\Greatis
    2009-05-08 00:41 . 2009-05-10 01:17 -------- d-----w- c:\program files\Enigma Software Group
    2009-05-08 00:23 . 2009-05-08 00:23 -------- dc----w- c:\documents and settings\All Users\Application Data\CA
    2009-05-07 06:52 . 2009-05-07 09:08 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\TweakNow RegCleaner
    2009-05-07 06:31 . 2009-05-07 06:31 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Uniblue

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-03 06:09 . 2009-02-21 05:16 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-06-03 06:07 . 2009-02-21 05:09 4048 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2009-06-03 06:07 . 2009-02-21 05:09 868384 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2009-06-03 06:07 . 2009-02-21 05:09 3071520 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2009-06-03 06:07 . 2009-02-21 05:09 25076 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2009-06-03 02:27 . 2008-12-18 06:20 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-06-03 02:19 . 2006-04-02 16:09 -------- d-----w- c:\program files\Java
    2009-06-03 00:43 . 2008-09-14 00:27 -------- d-----w- c:\program files\Trend Micro
    2009-06-02 03:38 . 2005-01-14 21:19 68408 -c--a-w- c:\documents and settings\Mary Garcia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-30 03:34 . 2009-03-19 06:29 -------- d-----w- c:\program files\Sysinternals
    2009-05-27 20:31 . 2009-04-09 06:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-05-27 06:17 . 2005-01-07 14:52 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-05-27 05:23 . 2009-01-02 01:18 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\uTorrent
    2009-05-26 20:20 . 2009-04-09 06:32 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-26 20:19 . 2009-04-09 06:32 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-05-21 15:36 . 2009-02-21 05:17 94643 ----a-w- c:\windows\system32\drivers\klick.dat
    2009-05-21 15:36 . 2009-02-21 05:17 105395 ----a-w- c:\windows\system32\drivers\klin.dat
    2009-05-16 05:15 . 2007-03-06 07:07 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Vso
    2009-05-14 03:22 . 2008-11-19 08:08 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Move Networks
    2009-05-13 19:08 . 2006-09-18 18:03 -------- d-----w- c:\program files\Microsoft Location Finder
    2009-05-13 19:08 . 2008-11-08 01:17 -------- d-----w- c:\program files\FrostWire
    2009-05-13 19:08 . 2007-03-10 20:36 -------- d-----w- c:\program files\DivX
    2009-05-13 19:08 . 2005-01-07 14:40 -------- d-----w- c:\program files\Apoint
    2009-05-12 06:50 . 2009-03-30 20:47 -------- dc----w- c:\documents and settings\All Users\Application Data\PCPitstop
    2009-05-12 06:50 . 2008-02-22 03:26 -------- dc----w- c:\documents and settings\All Users\Application Data\SyncClient
    2009-05-12 06:50 . 2008-12-30 01:03 -------- d-----w- c:\program files\ConvertXtoDVD
    2009-05-12 06:50 . 2008-11-08 04:21 -------- d-----w- c:\program files\DVDFab 5
    2009-05-07 09:05 . 2009-04-03 23:09 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\SUPERAntiSpyware.com
    2009-05-06 06:16 . 2008-12-31 10:01 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Azureus
    2009-05-06 06:16 . 2008-11-08 01:18 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\FrostWire
    2009-05-03 06:08 . 2009-05-15 06:23 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys.old
    2009-04-22 22:45 . 2009-04-22 22:45 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
    2009-04-14 08:29 . 2009-04-14 08:29 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-04-14 08:14 . 2009-04-14 08:14 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Foxit
    2009-04-14 08:13 . 2009-04-14 08:13 -------- d-----w- c:\program files\Foxit Software
    2009-04-14 06:52 . 2009-02-03 21:44 -------- dcsh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
    2009-04-14 06:43 . 2009-01-30 10:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Skype
    2009-04-14 06:42 . 2009-04-14 06:32 -------- dc----w- c:\documents and settings\All Users\Application Data\NOS
    2009-04-12 22:08 . 2005-01-19 23:00 -------- d-----w- c:\docume~1\MARYGA~1\APPLIC~1\Apple Computer
    2009-04-07 07:14 . 2009-04-07 07:14 -------- d-----w- c:\program files\MSBuild
    2009-04-07 07:14 . 2009-04-07 07:14 -------- d-----w- c:\program files\Reference Assemblies
    2009-04-06 21:28 . 2008-09-19 13:44 389120 ----a-w- c:\windows\system32\cmd.exe
    2009-04-04 09:21 . 2007-03-06 07:07 47360 -c--a-w- c:\docume~1\MARYGA~1\APPLIC~1\pcouffin.sys
    2009-04-04 09:21 . 2007-03-06 07:07 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2009-04-04 06:27 . 2005-01-07 14:51 -------- d-----w- c:\program files\Common Files\InstallShield
    2009-04-02 20:03 . 2009-02-17 22:58 603904 ----a-w- c:\windows\system32\TUProgSt.exe
    2009-03-30 01:04 . 2009-03-30 01:04 2855 ----a-w- c:\windows\system32\WISPTIS.PIF
    2009-03-24 01:34 . 2009-02-11 09:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-03-20 22:23 . 2009-03-20 22:23 49152 ----a-r- c:\windows\system32\inetwh32.dll
    2009-03-20 22:23 . 2009-03-20 22:23 1044480 ----a-r- c:\windows\system32\roboex32.dll
    2009-03-20 15:05 . 2009-03-20 15:05 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-03-19 21:32 . 2008-01-29 19:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-17 18:52 . 2008-03-20 00:29 256 -c--a-w- c:\windows\system32\pool.bin
    2009-03-17 03:10 . 2009-01-21 09:09 256 ----a-w- c:\documents and settings\Mary Garcia\pool.bin
    2009-03-06 14:22 . 2004-08-04 11:00 284160 ----a-w- c:\windows\system32\pdh.dll
    2005-04-02 15:11 . 2005-04-02 15:11 60416 ----a-w- c:\program files\msconfig.exe
    .

    ------- Sigcheck -------

    [-] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    [-] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    [-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    [-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
    [7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
    [7] 2009-05-03 06:08 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\SYSTEM32\DLLCACHE\tcpip.sys
    [-] 2009-05-03 06:08 361600 4AFB3B0919649F95C1964AA1FAD27D73 c:\windows\SYSTEM32\DRIVERS\TCPIP.SYS
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-05-26 414480]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-03 148888]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-21 201992]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoFileAssociate"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\klbg.sys [5/9/2009 12:03 AM 33808]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
    R2 pnpcap;Pure Networks Packet Capture Driver;c:\windows\SYSTEM32\DRIVERS\pnpcap.sys [5/15/2009 7:13 PM 23344]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\SYSTEM32\DRIVERS\klfltdev.sys [3/13/2008 8:02 PM 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\SYSTEM32\DRIVERS\klim5.sys [3/25/2008 9:07 PM 24592]
    R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [4/8/2009 11:32 PM 19096]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/8/2009 11:32 PM 194832]
    S3 ATIXPGAA;ATIXPGAA;c:\dell\Drivers\R88754\ATIXPGAA.SYS [10/15/2006 11:56 AM 12032]
    S3 RegGuard;RegGuard;\??\c:\windows\system32\Drivers\regguard.sys --> c:\windows\system32\Drivers\regguard.sys [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
    S4 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
    S4 LinksysUpdater;Linksys Updater;"c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "c:\program files\Linksys\Linksys Updater\conf\wrapper.conf" --> c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2009-06-03 c:\windows\Tasks\AWC AutoSweep.job
    - c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-05-10 22:35]

    2009-05-28 c:\windows\Tasks\Malwarebytes' Scheduled Update for Mary Garcia.job
    - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-09 20:20]

    2009-02-01 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX3000_exe.job
    - c:\windows\vVX3000.exe [2009-01-30 21:46]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = about:blank
    TCP: {58571CEB-F283-493C-92C3-4D59C728B04C} = 68.190.192.35,66.214.48.27
    DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-02 23:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2741035504-3325466855-470738218-1007\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k* "!\CriticalAppInstall\ActiveSync]
    "Name "= "ActiveSync "
    "DisplayName "= "Microsoft ActiveSync "
    "Param1 "= "ActiveSync "
    "Type "= "wellknown "
    "Order "=dword:00000000
    "State "=dword:0000000b

    [HKEY_USERS\S-1-5-21-2741035504-3325466855-470738218-1007\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k* "!\CriticalAppInstall\IESettings]
    "Name "= "IESettings "
    "Type "= "IESettings "
    "Order "=dword:00000003
    "State "=dword:0000000b

    [HKEY_USERS\S-1-5-21-2741035504-3325466855-470738218-1007\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k* "!\CriticalAppInstall\MediaFiles]
    "Name "= "MediaFiles "
    "Type "= "MediaFiles "
    "Order "=dword:00000002
    "State "=dword:0000000b

    [HKEY_USERS\S-1-5-21-2741035504-3325466855-470738218-1007\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k* "!\CriticalAppInstall\NPW]
    "Name "= "NPW "
    "Param1 "= "NPW "
    "Type "= "wellknown "
    "Order "=dword:00000001
    "State "=dword:0000000b
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1136)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\klogon.dll

    - - - - - - - > 'explorer.exe'(1620)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-06-03 23:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-06-03 06:14
    ComboFix2.txt 2009-06-03 04:46

    Pre-Run: 6,676,111,360 bytes free
    Post-Run: 6,680,948,736 bytes free

    Current=3 Default=3 Failed=2 LastKnownGood=6 Sets=1,2,3,4,5,6
    298 --- E O F --- 2009-05-08 08:18

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:09:16 PM, on 6/2/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - (no file)
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe "
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58571CEB-F283-493C-92C3-4D59C728B04C}: NameServer = 68.190.192.35,66.214.48.27
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

    --
    End of file - 3245 bytes
     
