
Search engine redirect virus

June 21, 2010 at 14:21:23
Specs: Windows XP, Pentium E5200, 4 GB

I've seen other topics concerning this issue, with Google and other search engines being redirected to whattoseek.net among others. While I can't locate the cause, I have found what it was exploiting in my case, and it was a Java-related addon:

Java Quick Starter

That said, I'd still like to get the virus out of my system. I use Microsoft Security Essentials as my baseline with the occasional backup scan from MalwareBytes, and neither can locate it. MalwareBytes logs always seem to be the first request, so here goes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4222

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/21/2010 4:57:33 PM
mbam-log-2010-06-21 (16-57-33).txt

Scan type: Quick scan
Objects scanned: 129055
Time elapsed: 6 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




#1
June 22, 2010 at 03:15:41


Follow the instructions at the link below; they are step-by-step instructions on how to clean your computer system of the Google Redirect Virus using an antispyware tool. It's very effective and fast.


Easy steps removal using free scanner:
http://www.pcthreat.com/parasitebyi...



#2
June 22, 2010 at 19:14:14

It's not really step by step anything. I assume that it wants me to use SpyHunter to find the file locations, then manually delete them? That's what I did, anyway, but it only spotted various cookies that may or may not be tracking me down, and I just killed them all off.

Didn't fix the problem, though. I still get redirects, and now I have to replace all my cookies.



#3
June 22, 2010 at 20:52:43

Hi there,

Please try disabling JavaScript (as this is what the Google Redirect Virus uses as an exploit). In Firefox, go to Tools > Options > Content and look for the JavaScript option; for Internet Explorer, go to Tools > Internet Options > Security > Custom Level, look for the Scripting option, and click "Disable". After you've done both browsers (if you have both on your system, that is), try running TDSS Killer, found here: http://support.kaspersky.com/viruse...

Another option to try is changing your DNS servers; you can do this by following this tutorial:

To configure TCP/IP, follow these steps:

1. Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.
2. Right-click the network connection that you want to configure, and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically.
5. If you want to manually configure DNS server addresses, click Use the following DNS server addresses, and then type the preferred DNS server and alternate DNS server IP addresses in the Preferred DNS server and Alternate DNS server boxes.

For Preferred DNS server, type in (without the quotes) "208.67.222.222", and for Alternate DNS server, type in (without the quotes) "208.67.220.220".

Please let me know if this helps!

Helpful tips before getting started: http://www.computing.net/howtos/sho...



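An added example (not from the thread) that verifies the result of the DNS steps above: a small Python script that parses `ipconfig /all` output in the Windows XP layout and reports any adapter whose resolvers are not the two OpenDNS addresses given in the post. The sample output, the adapter names and the 198.51.100.23 address are constructed for the example.

```python
import re

# Constructed sample of `ipconfig /all` output in the Windows XP layout
# (not output from the thread's machine). One adapter carries the OpenDNS
# pair from the post; the other has been given an unknown resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xp-box
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Realtek PCI-E Gigabit Ethernet NIC
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 208.67.222.222
                                            208.67.220.220

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : D-Link AirPlus G DWL-G510
        IP Address. . . . . . . . . . . . : 192.168.1.11
        DNS Servers . . . . . . . . . . . : 198.51.100.23
                                            208.67.222.222
"""

# The resolver pair recommended in the post.
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dns_servers(text):
    """Return {adapter name: [dns server, ...]} from ipconfig /all output."""
    servers = {}
    adapter = None
    collecting = False          # True while inside a "DNS Servers" field
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers[adapter] = []
            collecting = False
            continue
        if adapter is None:     # global header before the first adapter
            continue
        stripped = line.strip()
        if " : " in line or line.endswith(":"):
            # A "Label . . . : value" field; only DNS Servers is of interest.
            label, _, value = stripped.partition(":")
            collecting = label.rstrip(" .").lower() == "dns servers"
            if collecting and IPV4_RE.match(value.strip()):
                servers[adapter].append(value.strip())
        elif collecting and IPV4_RE.match(stripped):
            # Extra servers are listed on indented continuation lines.
            servers[adapter].append(stripped)
        else:
            collecting = False
    return servers


def check_dns(text, expected=EXPECTED_DNS):
    """Return {adapter: [unexpected servers]}; an empty dict means every
    adapter uses only the expected resolvers."""
    problems = {}
    for adapter, addrs in parse_dns_servers(text).items():
        bad = [a for a in addrs if a not in expected]
        if bad:
            problems[adapter] = bad
    return problems


if __name__ == "__main__":
    import subprocess
    import sys
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    for adapter, bad in check_dns(text).items():
        print(f"{adapter}: unexpected DNS server(s) {', '.join(bad)}")
```

Run it on the machine after making the change; on Windows the `__main__` block reads live `ipconfig /all` output and elsewhere it falls back to the sample. A resolver you did not configure showing up on any adapter is worth a closer look, since some redirect hijackers work by pointing the system at their own DNS servers.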

#4
June 22, 2010 at 23:41:05

Disabling Javascript (and removing Java, which I also did with the intention of re-installing) does not prevent the links from being hijacked, but it DOES prevent the redirect from going any further than the initial whattoseek.net (I haven't spotted the others yet) and has cut way back on the number of redirects.

TDSS Killer was run, but spotted nothing.

Changing DNS settings seems to have obliterated the redirects, but due to how much less common they were after gutting Java and turning off Javascript, it's kind of hard to tell whether this is just random chance. Turning off Javascript disables more than a few things, though, so if the DNS alone should fix the symptoms, I'd rather just use it.

I make fairly heavy use of Google, so if the problem is going to reappear, it'll do so pretty quickly.

Edit: having JavaScript enabled with the DNS change remaining does allow a redirect.



#5
June 23, 2010 at 02:46:47

The search engine redirect virus is a browser hijacker (also known as the Google redirect virus) that leads your search query results and web links to unwanted websites. To fix this problem, install the UnHackMe tool or Malwarebytes, or follow the manual fix instructions at this link:
http://darfuns.com/remove-google-se...

TechVTS - Virus removal techniques



#6
June 23, 2010 at 03:39:07

Your Temp folder contains infections.

Please download ATF-Cleaner (Windows XP, 2K, 2003 & Vista ONLY).
• You can put ATF-Cleaner on your Desktop for easy access.
Run ATF-Cleaner.exe:

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, check the Select All option
-- Click Empty Selected > OK

Reboot.
Download CCleaner, install it, and open it...
Under the 'Cleaner' section, select all in the 'Windows' and 'Applications' tabs, then click on 'Analyze' and then 'Run Cleaner'...
Do the same in the 'Registry' tab, i.e. 'Scan for Issues' and 'Fix Selected Issues'. It will ask you to make a backup; DO IT... Then click on 'Fix All'... Now reboot the PC.

Kristain Hayes



#7
June 23, 2010 at 14:09:17

old boy, I had already used MalwareBytes (there's a log in the first post) and Unhack Me located nothing. The link provided goes to a different, but similar, virus that redirects to different web sites.

Kristain, I executed both of those procedures, and while Firefox seems to be running a bit faster, it still has issues with redirects. They aren't going to the end target with JavaScript disabled, but they do redirect to seek.ind.in and whattoseek.net, though the other redirect sites haven't shown up yet.



#8
June 23, 2010 at 19:32:19

Try using Gmer: http://gmer.net/download.php

Before scanning with Gmer, please do the following in this order...

1) Disconnect from the internet and close ALL running programs.

2) Disable any Anti-Virus/Anti-Spyware software currently running to avoid conflicts.

3) Double-click on "Gmer.exe", and allow its .sys driver to load.

4) Gmer will then open and run a quick scan. Please DO NOT USE THE COMPUTER WHILE THE SCAN IS IN PROGRESS.

5) If you receive a warning about Rootkit Activity on your system and are asked to do a full scan click No.

6) Click the Scan button, and if you see a Rootkit Warning window click Ok (it should be the only option in the dialog box).

7) When the scan is finished, please click Save, and save the log to your desktop as Gmer.log

8) Click the Copy button and paste the log into your next reply.

9) Re-enable any Anti-Virus/Anti-Spyware software and any other security software you've disabled (Firewall).

Notes: If Gmer results in a BSOD or crashes, please uncheck "Devices" on the right side of the program before scanning. Also, if you encounter problems while scanning in normal mode, please try scanning in Safe Mode.

Helpful tips before getting started: http://www.computing.net/howtos/sho...



#9
June 23, 2010 at 22:30:48

GMER 1.0.15.15281 - http://www.gmer.net
Autostart scan 2010-06-24 01:24:08
Windows 5.1.2600 Service Pack 3


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = E:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
AtiExtEvent@DLLName = Ati2evxx.dll
dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
ANIWZCSdService@ = E:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart@ = E:\WINDOWS\system32\ati2sgag.exe
MsMpSvc@ = "e:\Program Files\Microsoft Security Essentials\MsMpEng.exe"
SpyHunter 4 Service@ = E:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE
UMWdf@ = E:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@D-Link AirPlus G DWL-G510E:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe = E:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
@ANIWZCS2ServiceE:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe = E:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
@RTHDCPLRTHDCPL.EXE = RTHDCPL.EXE
@AlcmtrALCMTR.EXE = ALCMTR.EXE
@StartCCC"E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun = "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
@IMJPMIG8.1"E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 = "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
@IMEKRMIG6.1E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE = E:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
@MSPY2002E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC = E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
@PHIME2002ASyncE:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC = E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
@PHIME2002AE:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName = E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
@QuickTime Task"E:\Program Files\QuickTime\QTTask.exe" -atboottime = "E:\Program Files\QuickTime\QTTask.exe" -atboottime
@MSSE"e:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey = "e:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
@Adobe Reader Speed Launcher"E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" = "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
@Adobe ARM"E:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" = "E:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
@SpyHunter Security SuiteE:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe = E:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx >>>
@Flags128 /*file not found*/ = 128 /*file not found*/
@TitleUnHackMe Rootkit Check /*file not found*/ = UnHackMe Rootkit Check /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = E:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Classes\.hta@ = "%1" %*

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{23170F69-40C1-278A-1000-000100020000} /*7-Zip Shell Extension*/E:\Program Files\7-Zip\7-zip.dll = E:\Program Files\7-Zip\7-zip.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/E:\Program Files\WinRAR\rarext.dll = E:\Program Files\WinRAR\rarext.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll = E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/e:\WINDOWS\system32\dfshim.dll = e:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/e:\WINDOWS\system32\dfshim.dll = e:\WINDOWS\system32\dfshim.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/E:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL = E:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/E:\Program Files\Microsoft Office\Office12\msohevi.dll = E:\Program Files\Microsoft Office\Office12\msohevi.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{EF7605D6-C512-4F90-827B-5DE32DAB94F7} /*CDISPSHELL Extension*/E:\PROGRA~1\CDISPL~1\CDISPS~1.DLL = E:\PROGRA~1\CDISPL~1\CDISPS~1.DLL
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{11016101-E366-4D22-BC06-4ADA335C892B} /*IE History and Feeds Shell Data Source for Windows Search*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/(null) =
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/E:\WINDOWS\system32\ieframe.dll = E:\WINDOWS\system32\ieframe.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = E:\Program Files\7-Zip\7-zip.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = E:\Program Files\MagicISO\misosh.dll
MSSE@{0365FE2C-F183-4091-AC82-BFC39FB75C49} = e:\PROGRA~1\MICROS~4\shellext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = E:\Program Files\7-Zip\7-zip.dll
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = E:\Program Files\MagicISO\misosh.dll
MSSE@{0365FE2C-F183-4091-AC82-BFC39FB75C49} = e:\PROGRA~1\MICROS~4\shellext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
MagicISO@{DB85C504-C730-49DD-BEC1-7B39C6103B7A} = E:\Program Files\MagicISO\misosh.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = E:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = E:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{18DF081C-E8AD-4283-A596-FA578C2EBDC3}E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll = E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
@{bf00e119-21a3-4fd1-b178-3b8537e75c92}E:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll = E:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = E:\WINDOWS\System32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?Lin...
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?Lin...
@Local PageE:\WINDOWS\system32\blank.htm = E:\WINDOWS\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.com/ = http://www.google.com/
@Local PageE:\WINDOWS\system32\blank.htm = E:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = E:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = E:\WINDOWS\system32\msvidctl.dll
its@CLSID = E:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-help@CLSID = E:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = E:\WINDOWS\system32\itss.dll
tv@CLSID = E:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = E:\WINDOWS\system32\wiascr.dll

E:\Documents and Settings\<my name>\Start Menu\Programs\Startup >>>
CurseClientStartup.ccip = CurseClientStartup.ccip
MagicDisc.lnk = MagicDisc.lnk

---- EOF - GMER 1.0.15 ----



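Reviewing an autostart log like the one above by hand is tedious, so here is an added example (not part of the thread and not GMER's own code): a small Python triage script for logs in that layout. It parses a constructed excerpt (the entries, the `updsvc.exe` path and the trusted-directory heuristic are assumptions made for the example) and flags the entries a responder would check first: references to files that no longer exist, browser helper objects, images outside the Windows and Program Files trees, and bare file names that are resolved through the search path.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of a GMER autostart log (not the thread's
# real log): a section header ends with " >>>", value lines start with "@" and
# run the value name straight into its data before " = ", single-value keys
# appear as "key@name = data", and dead references carry "/*file not found*/".
SAMPLE_LOG = r"""HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MSSE"e:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey = "e:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
@RTHDCPLRTHDCPL.EXE = RTHDCPL.EXE
@UpdaterE:\Documents and Settings\owner\Local Settings\Temp\updsvc.exe = E:\Documents and Settings\owner\Local Settings\Temp\updsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx >>>
@TitleUnHackMe Rootkit Check /*file not found*/ = UnHackMe Rootkit Check /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = E:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{bf00e119-21a3-4fd1-b178-3b8537e75c92}E:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll = E:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
"""


@dataclass
class Entry:
    key: str    # registry key (section header plus any subkey)
    name: str   # value name
    data: str   # value data as GMER printed it


def parse_autostart_log(text):
    """Parse GMER autostart-log lines into Entry records."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            section = None                          # a blank line ends a section
            continue
        if line.endswith(" >>>"):
            section = line[:-4]
            continue
        if section is not None:
            if line.startswith("@"):
                key, rest = section, line[1:]
            elif "@" in line:
                sub, _, rest = line.partition("@")  # subkey@value under a section
                key = section + sub
            else:
                key, rest = section, line           # e.g. Startup folder items
        elif "@" in line:
            key, _, rest = line.partition("@")      # single-line key@value
        else:
            continue
        left, sep, data = rest.rpartition(" = ")
        if not sep:
            if not rest.endswith(" ="):
                continue
            left, data = rest[:-2], ""              # empty data, e.g. "(null) ="
        # GMER prints "<name><data> = <data>", so strip the data suffix off.
        name = left[:-len(data)] if data and left.endswith(data) else left
        entries.append(Entry(key, name, data))
    return entries


# Triage heuristics (assumptions for this example, not GMER's own logic):
# images under the Windows or Program Files trees are treated as expected.
TRUSTED_DIRS = ("\\windows\\", "\\program files\\", "\\progra~1\\",
                "%systemroot%\\", "%programfiles%\\")
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|sys|cpl))(?=["\s]|$)', re.IGNORECASE)


def image_path(data):
    """Pull the executable/DLL path out of value data, quoted or not."""
    m = IMAGE_RE.match(data.strip())
    return m.group(1) if m else None


def triage(text):
    """Return [(key, name, [reasons])] for entries that deserve a second look."""
    findings = []
    for e in parse_autostart_log(text):
        reasons = []
        if "/*file not found*/" in e.data:
            reasons.append("references a file that no longer exists")
        if e.key.lower().endswith("browser helper objects"):
            reasons.append("browser helper object loaded into Internet Explorer")
        path = image_path(e.data)
        if path is not None:
            low = path.lower()
            if "\\" not in low:
                reasons.append("bare file name, located via the search path")
            elif not any(d in low for d in TRUSTED_DIRS):
                reasons.append("image outside the Windows and Program Files trees")
        if reasons:
            findings.append((e.key, e.name, reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in triage(SAMPLE_LOG):
        print(f"{key}\\{name}: {'; '.join(reasons)}")
```

Feed it a saved log with `triage(open("Gmer.log", errors="replace").read())`. A flag is a prompt to go and verify the file (its location, signer and install date), not a verdict: the bare `RTHDCPL.EXE` name, for instance, is normally the Realtek audio control panel living in the Windows directory.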
#10
June 24, 2010 at 13:19:09

Try doing a full/complete scan in Safe Mode with Super Anti-Spyware, and then post a log, please.

Link to SAS: http://download.cnet.com/SuperAntiS...

How to get a log from SAS: http://forums.majorgeeks.com/showth...

Also, I suggest getting rid of that Mega Upload Manager for security/safety reasons, but if you wish to keep it, that is your choice.

Helpful tips before getting started: http://www.computing.net/howtos/sho...



#11
June 25, 2010 at 07:19:15

I noticed you haven't tried Trojan Remover (http://www.simplysup.com/tremover/d...) and Hitman Pro (http://www.surfright.nl/en/hitmanpro), and if they don't work you can try ComboFix; follow the on-site instructions.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#12
June 26, 2010 at 18:35:39

xyranx:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/26/2010 at 08:17 PM

Application Version : 4.39.1002

Core Rules Database Version : 5057
Trace Rules Database Version: 2869

Scan type : Complete Scan
Total Scan Time : 02:18:07

Memory items scanned : 233
Memory threats detected : 0
Registry items scanned : 5403
Registry threats detected : 0
File items scanned : 33765
File threats detected : 64

Adware.Tracking Cookie
E:\Documents and Settings\<my name>\Cookies\<my name>@questionmarket[2].txt
E:\Documents and Settings\<my name>\Cookies\<my name>@atdmt[2].txt
E:\Documents and Settings\<my name>\Cookies\<my name>@doubleclick[1].txt
cdn4.specificclick.net [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
ds.serving-sys.com [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
googleads.g.doubleclick.net [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
m1.2mdn.net [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
m3.2mdn.net [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
media.easy2.com [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
media.mtvnservices.com [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
media.scanscout.com [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
media1.break.com [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
motifcdn2.doubleclick.net [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
naiadsystems.com [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
stmedia.startribune.com [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
udn.specificclick.net [ C:\Documents and Settings\Alternator\Application Data\Macromedia\Flash Player\#SharedObjects\K8PE8RV6 ]
C:\Documents and Settings\Alternator\Cookies\alternator@zedo[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@ad.yieldmanager[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@smartadserver[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@specificmedia[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@accounts[3].txt
C:\Documents and Settings\Alternator\Cookies\alternator@cgm.adbureau[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@imagevenue.advertserve[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@serving-sys[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@adbureau[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@adlegend[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@tacoda[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@c7.zedo[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@at.atwola[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@revsci[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@bs.serving-sys[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@tribalfusion[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@devart.adbureau[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@a1.interclick[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@specificclick[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@adbrite[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@questionmarket[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@atdmt[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@advertising[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@interclick[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@banner_js[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@insightexpressai[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@statcounter[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@ads.pointroll[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@windowsmedia[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@atwola[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@accounts[2].txt
C:\Documents and Settings\Alternator\Cookies\alternator@doubleclick[1].txt
C:\Documents and Settings\Alternator\Cookies\alternator@msnportal.112.2o7[1].txt
convoad.technoratimedia.com [ E:\Documents and Settings\<my name>\Application Data\Macromedia\Flash Player\#SharedObjects\LLDJHQY7 ]

Adware.Flash Tracking Cookie
E:\Documents and Settings\<my name>\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\LLDJHQY7\CONVOAD.TECHNORATIMEDIA.COM

Trojan.Agent/CDesc[Generic]
C:\DOCUMENTS AND SETTINGS\ALTERNATOR\MY DOCUMENTS\PSX EMULATION\EPSXE\PLUGINS\SPUIORI.DLL
C:\DOCUMENTS AND SETTINGS\ALTERNATOR\MY DOCUMENTS\PSX EMULATION\EPSXE\PLUGINS\SPUIORIL.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9161BC66-F67C-419D-BE95-2F7E3A41FC63}\RP49\A0008539.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9161BC66-F67C-419D-BE95-2F7E3A41FC63}\RP49\A0008540.DLL
E:\DOCUMENTS AND SETTINGS\<my name>\MY DOCUMENTS\PLAYSTATION EMULATION\EPSXE\PLUGINS\SPUIORI.DLL
E:\DOCUMENTS AND SETTINGS\<my name>\MY DOCUMENTS\PLAYSTATION EMULATION\EPSXE\PLUGINS\SPUIORIL.DLL

Trojan.Agent/Gen-Krpytik
E:\PROGRAM FILES\3DO\MIGHT AND MAGIC VIII\MM8.EXE
E:\WINDOWS\Prefetch\MM8.EXE-35FE9B25.pf



#13
June 26, 2010 at 22:10:19

Are you still being redirected? If so, please run a scan with RootRepeal, found here:
http://ad13.geekstogo.com/RootRepea... and post a log. Please follow the instructions in this thread before downloading RootRepeal: http://www.bleepingcomputer.com/for... After running/posting a log of RootRepeal, please do a scan with Combo Fix and post a log, and I shall look over it tomorrow. Follow the instructions very carefully.

http://www.bleepingcomputer.com/com...

Another alternative if you're not comfortable using Combo Fix by yourself, as it is a very powerful program, is to post a HijackThis! log, and I too will look over it tomorrow: http://download.cnet.com/Trend-Micr...

You can also try the Kaspersky Online Scanner tool, which won't delete the infection(s), BUT it will show where they could potentially be. You can download this program from here, and please post a log as well if you run this: http://download.cnet.com/Kaspersky-...

Helpful tips before getting started: http://www.computing.net/howtos/sho...



#14
June 27, 2010 at 22:01:45

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/28 00:27
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: E:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAC4A4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5B6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP9772
Image Path: \Driver\PCI_PNP9772
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: E:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA89E5000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spqv.sys
Image Path: spqv.sys
Address: 0xB9EAA000 Size: 1036288 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\CurseClient.exe.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\CurseClient.exe.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\CurseClient.exe.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\CurseClient.exe.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.ClientService.Models.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.ClientService.Models.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.AddOns.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.AddOns.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.MurmurHash.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.MurmurHash.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\CurseClient.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\CurseClient.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Enumerations.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Enumerations.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\GammaJul.LgLcd.Wpf.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Microsoft.Windows.Shell.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Microsoft.Windows.Shell.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Win32Interop.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Win32Interop.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Win32Interop.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Win32Interop.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\WPF.Themes.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\WPF.Themes.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Common.XmlSerializers.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Common.XmlSerializers.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.DownloadSecurity.Tokens.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Localization.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\GammaJul.LgLcd.Wpf.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Xceed.Wpf.DataGrid.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.DownloadSecurity.Tokens.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Common.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Common.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Localization.resources.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Controls.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Controls.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Logitech.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Logitech.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Curse.CurseClient.Localization.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\GammaJul.LgLcd.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\GammaJul.LgLcd.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\ICSharpCode.SharpZipLib.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\ICSharpCode.SharpZipLib.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Interop.NetFwTypeLib.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Interop.NetFwTypeLib.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Xceed.Wpf.DataGrid.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Xceed.Wpf.Controls.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\Xceed.Wpf.Controls.manifest
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\zlib.net.cdf-ms
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Thomas Finegan\Local Settings\Apps\2.0\0HCYW2NT.ER9\8H0KHGLE.EE5\manifests\zlib.net.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spqv.sys" at address 0xb9eab0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spqv.sys" at address 0xb9ec8ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spqv.sys" at address 0xb9ec9030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spqv.sys" at address 0xb9eab0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spqv.sys" at address 0xb9ec9108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spqv.sys" at address 0xb9ec8f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spqv.sys" at address 0xb9ec919a

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "E:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xac63a620

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x89de31f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x898ef500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_CREATE]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_CLOSE]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_READ]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_WRITE]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_CLEANUP]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Udfsࠅమ捐楓, IRP_MJ_PNP]
Process: System Address: 0x898e4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89c4f500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x89e531f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89c48500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89c48500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c48500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c48500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89c48500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c48500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89c48500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x89de51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8991a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8991a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8991a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8991a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8991a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8991a500 Size: 121

Object: Hidden Code [Driver: a3uvdmoxࠅఆ捐楓, IRP_MJ_CREATE]
Process: System Address: 0x89b4d1f8 Size: 121

Object: Hidden Code [Driver: a3uvdmoxࠅఆ捐楓, IRP_MJ_CLOSE]
Process: System Address: 0x89b4d1f8 Size: 121

Object: Hidden Code [Driver: a3uvdmoxࠅఆ捐楓, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b4d1f8 Size: 121

Object: Hidden Code [Driver: a3uvdmoxࠅఆ捐楓, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b4d1f8 Size: 121

Object: Hidden Code [Driver: a3uvdmoxࠅఆ捐楓, IRP_MJ_POWER]
Process: System Address: 0x89b4d1f8 Size: 121

Object: Hidden Code [Driver: a3uvdmoxࠅఆ捐楓, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b4d1f8 Size: 121

Object: Hidden Code [Driver: a3uvdmoxࠅఆ捐楓, IRP_MJ_PNP]
Process: System Address: 0x89b4d1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89c47500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89c47500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c47500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c47500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89c47500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c47500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89c47500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x89a57500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_CREATE]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_CLOSE]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_READ]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_CLEANUP]
Process: System Address: 0x89aa8500 Size: 121

Object: Hidden Code [Driver: Cdfs؅瑎獆؁అ瑎獆䡘, IRP_MJ_PNP]
Process: System Address: 0x89aa8500 Size: 121

==EOF==



#15
June 27, 2010 at 22:35:23

ComboFix 10-06-27.03 - <my name> 06/28/2010 1:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1540 [GMT -4:00]
Running from: e:\documents and settings\<my name>\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\documents and settings\<my name>\Local Settings\Tempals_inst.exe
e:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-27 20:26 . 2010-06-27 20:26 1691 ----a-w- e:\documents and settings\<my name>\Application Data\.purple\certificates\x509\tls_peers\api.screenname.aol.com
2010-06-26 21:56 . 2010-06-26 21:56 63488 ----a-w- e:\documents and settings\<my name>\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-26 21:56 . 2010-06-26 21:56 52224 ----a-w- e:\documents and settings\<my name>\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-26 21:56 . 2010-06-26 21:56 117760 ----a-w- e:\documents and settings\<my name>\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-26 21:56 . 2010-06-26 21:56 -------- d-----w- e:\documents and settings\<my name>\Application Data\SUPERAntiSpyware.com
2010-06-26 21:56 . 2010-06-26 21:56 -------- d-----w- e:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-26 21:56 . 2010-06-26 21:56 -------- d-----w- e:\program files\SUPERAntiSpyware
2010-06-23 20:47 . 2010-06-23 20:47 -------- d-----w- e:\program files\CCleaner
2010-06-23 20:22 . 2010-06-23 20:22 2 --shatr- e:\windows\winstart.bat
2010-06-23 20:21 . 2010-06-23 20:34 -------- d-----w- e:\program files\UnHackMe
2010-06-23 00:38 . 2010-06-23 00:38 110080 ----a-r- e:\documents and settings\<my name>\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconF7A21AF7.exe
2010-06-23 00:38 . 2010-06-23 00:38 110080 ----a-r- e:\documents and settings\<my name>\Application Data\Microsoft\Installer\{4FC9DA9D-F608-454E-8191-D7EFFDCC5726}\IconD7F16134.exe
2010-06-23 00:37 . 2010-06-23 00:38 -------- d-----w- E:\sh4ldr
2010-06-23 00:37 . 2010-06-23 00:37 -------- d-----w- e:\program files\Enigma Software Group
2010-06-23 00:34 . 2010-06-23 00:38 -------- d-----w- e:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-20 18:03 . 2009-04-30 09:16 185344 ----a-w- e:\documents and settings\<my name>\Application Data\CosFeti\PCGW32.DLL
2010-06-20 18:03 . 2010-06-20 18:03 695578 ----a-w- e:\documents and settings\<my name>\Application Data\CosFeti\unins000.exe
2010-06-20 18:03 . 2009-07-03 07:26 729088 ----a-w- e:\documents and settings\<my name>\Application Data\CosFeti\CosFeti.exe
2010-06-20 18:03 . 2010-06-20 18:10 -------- d-----w- e:\documents and settings\<my name>\Application Data\CosFeti
2010-06-19 01:46 . 2010-06-19 01:46 -------- d-----w- E:\VundoFix Backups
2010-06-16 23:05 . 2010-06-16 23:05 -------- d-----w- e:\documents and settings\<my name>\Application Data\Malwarebytes
2010-06-16 23:05 . 2010-04-29 19:39 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-06-16 23:05 . 2010-06-16 23:05 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-16 23:05 . 2010-04-29 19:39 20952 ----a-w- e:\windows\system32\drivers\mbam.sys
2010-06-16 23:05 . 2010-06-16 23:05 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-06-09 00:41 . 2010-05-06 10:41 743424 -c----w- e:\windows\system32\dllcache\iedvtool.dll
2010-06-04 13:13 . 2010-06-04 13:13 -------- d-----w- e:\documents and settings\<my name>\Application Data\LolClient
2010-06-02 09:22 . 2008-07-31 14:41 68616 ----a-w- e:\windows\system32\XAPOFX1_1.dll
2010-06-02 09:22 . 2008-07-31 14:40 509448 ----a-w- e:\windows\system32\XAudio2_2.dll
2010-06-02 09:22 . 2008-07-12 12:18 467984 ----a-w- e:\windows\system32\d3dx10_39.dll
2010-06-02 09:22 . 2008-07-12 12:18 1493528 ----a-w- e:\windows\system32\D3DCompiler_39.dll
2010-06-02 09:22 . 2008-07-12 12:18 3851784 ----a-w- e:\windows\system32\D3DX9_39.dll
2010-06-02 09:22 . 2010-06-02 09:19 38784 ----a-w- e:\documents and settings\<my name>\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-02 09:19 . 2010-06-02 09:19 -------- d-----w- e:\program files\Common Files\Adobe AIR
2010-06-02 09:16 . 2010-06-02 09:16 -------- d-----w- E:\Riot Games
2010-06-02 06:49 . 2010-06-02 06:49 -------- d-----w- e:\program files\Common Files\Macrovision Shared
2010-06-02 06:49 . 2010-06-27 00:35 -------- d-----w- e:\documents and settings\All Users\Application Data\Rosetta Stone
2010-06-02 06:49 . 2010-06-02 06:49 -------- d-----w- e:\program files\Rosetta Stone
2010-06-02 05:32 . 2010-06-02 05:33 -------- d-----w- e:\program files\League of Legends
2010-06-02 05:31 . 2010-06-03 18:35 -------- d-----w- e:\documents and settings\<my name>\Local Settings\Application Data\PMB Files
2010-06-02 05:31 . 2010-06-02 05:33 -------- d-----w- e:\documents and settings\All Users\Application Data\PMB Files
2010-06-02 05:30 . 2010-06-02 05:30 -------- d-----w- e:\program files\Pando Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 04:19 . 2009-06-28 01:22 -------- d-----w- e:\documents and settings\<my name>\Application Data\.purple
2010-06-27 20:26 . 2009-09-10 16:12 -------- d-----w- e:\documents and settings\<my name>\Application Data\BitTorrent
2010-06-27 09:06 . 2009-07-03 18:22 -------- d-----w- e:\documents and settings\<my name>\Application Data\gtk-2.0
2010-06-27 00:58 . 2009-06-28 17:55 -------- d-----w- e:\program files\3DO
2010-06-23 00:49 . 2009-06-28 09:00 -------- d-----w- e:\program files\World of Warcraft
2010-06-23 00:34 . 2009-07-01 15:37 -------- d-----w- e:\program files\Common Files\Wise Installation Wizard
2010-06-23 00:07 . 2009-08-19 23:22 -------- d-----w- e:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-06-12 19:16 . 2009-08-05 06:18 -------- d-----w- e:\documents and settings\<my name>\Application Data\vlc
2010-06-10 22:29 . 2009-07-07 10:43 -------- d-----w- e:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-02 09:22 . 2009-08-09 12:11 -------- d-----w- e:\documents and settings\All Users\Application Data\FLEXnet
2010-06-02 09:16 . 2009-06-27 18:49 -------- d--h--w- e:\program files\InstallShield Installation Information
2010-06-02 08:47 . 2009-10-21 20:27 -------- d-----w- e:\program files\Warcraft III
2010-06-02 07:24 . 2009-07-29 14:46 -------- d-----w- e:\program files\Battle for Wesnoth 1.6.4
2010-05-28 07:12 . 2009-11-28 18:44 -------- d-----w- e:\program files\Wizards of the Coast
2010-05-27 10:05 . 2009-07-17 23:28 -------- d-----w- e:\program files\Illusion
2010-05-24 17:18 . 2010-05-24 17:18 503808 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33cf6f49-n\msvcp71.dll
2010-05-24 17:18 . 2010-05-24 17:18 499712 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33cf6f49-n\jmc.dll
2010-05-24 17:18 . 2010-05-24 17:18 348160 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-33cf6f49-n\msvcr71.dll
2010-05-24 17:16 . 2010-05-24 17:16 61440 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-71246d23-n\decora-sse.dll
2010-05-24 17:16 . 2010-05-24 17:16 12800 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-71246d23-n\decora-d3d.dll
2010-05-21 18:14 . 2009-12-26 02:43 221568 ------w- e:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2009-06-09 19:33 916480 ----a-w- e:\windows\system32\wininet.dll
2010-05-06 03:24 . 2010-05-06 03:24 -------- d-----w- e:\documents and settings\<my name>\Application Data\Megaupload
2010-05-06 03:23 . 2010-05-06 03:23 -------- d-----w- e:\program files\Megaupload
2010-05-02 16:04 . 2009-06-09 19:33 1860352 ----a-w- e:\windows\system32\win32k.sys
2010-04-20 05:30 . 2008-04-14 12:00 285696 ----a-w- e:\windows\system32\atmfd.dll
2010-04-12 21:29 . 2010-04-17 19:30 411368 ----a-w- e:\windows\system32\deployJava1.dll
2010-04-07 18:49 . 2010-04-07 18:49 503808 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7196fc37-n\msvcp71.dll
2010-04-07 18:49 . 2010-04-07 18:49 499712 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7196fc37-n\jmc.dll
2010-04-07 18:49 . 2010-04-07 18:49 348160 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7196fc37-n\msvcr71.dll
2010-04-07 18:49 . 2010-04-07 18:49 61440 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7622ffe4-n\decora-sse.dll
2010-04-07 18:49 . 2010-04-07 18:49 12800 ----a-w- e:\documents and settings\<my name>\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7622ffe4-n\decora-d3d.dll
2010-03-31 04:16 . 2010-03-31 04:16 99176 ----a-w- e:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10 . 2010-03-31 04:10 295264 ----a-w- e:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="e:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-06-07 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G DWL-G510"="e:\program files\D-Link\AirPlus G DWL-G510\AirGCFG.exe" [2007-10-24 1552384]
"ANIWZCS2Service"="e:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-17 17508864]
"StartCCC"="e:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-05-20 98304]
"IMJPMIG8.1"="e:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="e:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"MSPY2002"="e:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="e:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="e:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="e:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"MSSE"="e:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SpyHunter Security Suite"="e:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2010-05-18 3021720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="e:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

e:\documents and settings\<my name>\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-6-23 0]
MagicDisc.lnk - e:\program files\MagicDisc\MagicDisc.exe [2009-6-28 576000]
Might and Magic VIII.lnk - e:\program files\3DO\Might and Magic VIII\Register\Remind32.exe [2010-6-26 67584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\World of Warcraft\\Launcher.exe"=
"e:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=
"e:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"e:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"e:\\Program Files\\Curse\\CurseClient.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"e:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"e:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"e:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"e:\\Program Files\\BitTorrent\\bittorrent.exe"=
"e:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=
"e:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=
"e:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"e:\\Program Files\\Pidgin\\pidgin.exe"=
"e:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"e:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"e:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"e:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"e:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"e:\\Documents and Settings\\<my name>\\Local Settings\\Apps\\2.0\\0HCYW2NT.ER9\\8H0KHGLE.EE5\\curs..tion_eee711038731a406_0004.0000_172b37d8269e5e48\\CurseClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57621:TCP"= 57621:TCP:Pando Media Booster
"57621:UDP"= 57621:UDP:Pando Media Booster
"<NO NAME>"=
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"6935:TCP"= 6935:TCP:League of Legends Launcher
"6935:UDP"= 6935:UDP:League of Legends Launcher
"6885:TCP"= 6885:TCP:League of Legends Launcher
"6885:UDP"= 6885:UDP:League of Legends Launcher
"6989:TCP"= 6989:TCP:League of Legends Launcher
"6989:UDP"= 6989:UDP:League of Legends Launcher

R1 cbaf;cbaf;\??\e:\windows\system32\cbaf.sys --> e:\windows\system32\cbaf.sys [?]
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 SpyHunter 4 Service;SpyHunter 4 Service;e:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [5/18/2010 5:06 PM 327064]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);e:\windows\system32\drivers\A3AB.sys [6/27/2009 2:49 PM 547744]
S3 Ambfilt;Ambfilt;e:\windows\system32\drivers\Ambfilt.sys [6/29/2009 6:48 AM 1684736]
S4 sptd;sptd;e:\windows\system32\drivers\sptd.sys [6/28/2009 2:40 PM 716272]
.
Contents of the 'Scheduled Tasks' folder

2010-06-28 e:\windows\Tasks\MP Scheduled Scan.job
- e:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

2010-06-28 e:\windows\Tasks\OGALogon.job
- e:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Download Link Using Mega Manager... - e:\program files\Megaupload\Mega Manager\mm_file.htm
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {9AEEFC31-A029-4AEF-837D-A7F8D3D1344E} = 208.67.222.222,208.67.220.220
FF - ProfilePath - e:\documents and settings\<my name>\Application Data\Mozilla\Firefox\Profiles\ieoak8vj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: e:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
e:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
e:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-28 01:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
e:\program files\SUPERAntiSpyware\SASWINLO.DLL
e:\windows\system32\WININET.dll
e:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-06-28 01:21:50
ComboFix-quarantined-files.txt 2010-06-28 05:21

Pre-Run: 401,480,257,536 bytes free
Post-Run: 401,588,473,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D42BEB3A677EBFFE4160B6CF741BE1B9



#16
June 27, 2010 at 22:42:06

One of those last two might have done the trick, though the logs are still posted as requested. A quick attempt to find a Google link to redirect has failed. I'll edit this message if that changes.


#17
June 28, 2010 at 09:07:07

Glad I could help! And please do if it starts again. Looking over your logs, you look clean, but I did find "Viewpoint Media", which I would get rid of with Unlocker, found here: http://ccollomb.free.fr/unlocker/ It's not spyware, but you don't need it on your system, as it's similar to Flash etc. for viewing rich media. But if it's not causing you any problems, you can keep it.

Helpful tips before getting started: http://www.computing.net/howtos/sho...



#18
July 1, 2010 at 06:20:48

System still seems clean after a few days use, so thanks!

If I get a repeat infection, should I go right to RootRepeal and ComboFix? I know those are heavy artillery and thus not the first things to try normally, but in this case it would seem the right course.



#19
July 1, 2010 at 07:00:34

I'm glad combofix worked for you ;-)

Some HELP in posting on Computing.net plus free progs and instructions. Cheers

