
I'm thinking it's a malware problem; could someone help guide me through the fixing process? Thanks!

Here's the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:47 AM, on 5/3/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Program Files D\Steam\Steam.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Kevin\Desktop\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninjavideo.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.114la.com/index.htm
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files D\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Steam] "D:\Program Files D\Steam\Steam.exe" -silent
O4 - Startup: winmpa.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7704 bytes

Last Post by crunchie

Hi John and thanks for the reply,

I ran the tool provided in the link and it's telling me the infected file is "C:\WINDOWS\system32\DRIVERS\nvata.sys", however, it fails when it tries to "cure" the file. Could I get some help?

Here's the log:

23:31:54:859 0924 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
23:31:54:859 0924 ================================================================================
23:31:54:859 0924 SystemInfo:

23:31:54:859 0924 OS Version: 5.1.2600 ServicePack: 2.0
23:31:54:859 0924 Product type: Workstation
23:31:54:859 0924 ComputerName: KEVINPC
23:31:54:859 0924 UserName: Kevin
23:31:54:859 0924 Windows directory: C:\WINDOWS
23:31:54:859 0924 Processor architecture: Intel x86
23:31:54:859 0924 Number of processors: 2
23:31:54:859 0924 Page size: 0x1000
23:31:54:859 0924 Boot type: Normal boot
23:31:54:859 0924 ================================================================================
23:31:54:890 0924 UnloadDriverW: NtUnloadDriver error 2
23:31:54:890 0924 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:31:54:953 0924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:31:54:953 0924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:31:54:953 0924 wfopen_ex: Trying to KLMD file open
23:31:54:953 0924 wfopen_ex: File opened ok (Flags 2)
23:31:54:953 0924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:31:54:953 0924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:31:54:953 0924 wfopen_ex: Trying to KLMD file open
23:31:54:953 0924 wfopen_ex: File opened ok (Flags 2)
23:31:54:953 0924 Initialize success
23:31:54:953 0924
23:31:54:953 0924 Scanning Services ...
23:31:56:312 0924 Raw services enum returned 328 services
23:31:56:312 0924
23:31:56:312 0924 Scanning Kernel memory ...
23:31:56:312 0924 Devices to scan: 3
23:31:56:312 0924
23:31:56:312 0924 Driver Name: Disk
23:31:56:312 0924 IRP_MJ_CREATE : BA8EEC30
23:31:56:312 0924 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:31:56:312 0924 IRP_MJ_CLOSE : BA8EEC30
23:31:56:312 0924 IRP_MJ_READ : BA8E8D9B
23:31:56:312 0924 IRP_MJ_WRITE : BA8E8D9B
23:31:56:312 0924 IRP_MJ_QUERY_INFORMATION : 804F4476
23:31:56:312 0924 IRP_MJ_SET_INFORMATION : 804F4476
23:31:56:312 0924 IRP_MJ_QUERY_EA : 804F4476
23:31:56:312 0924 IRP_MJ_SET_EA : 804F4476
23:31:56:312 0924 IRP_MJ_FLUSH_BUFFERS : BA8E9366
23:31:56:312 0924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
23:31:56:312 0924 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
23:31:56:312 0924 IRP_MJ_DIRECTORY_CONTROL : 804F4476
23:31:56:312 0924 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
23:31:56:312 0924 IRP_MJ_DEVICE_CONTROL : BA8E944D
23:31:56:312 0924 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECFC3
23:31:56:312 0924 IRP_MJ_SHUTDOWN : BA8E9366
23:31:56:312 0924 IRP_MJ_LOCK_CONTROL : 804F4476
23:31:56:312 0924 IRP_MJ_CLEANUP : 804F4476
23:31:56:312 0924 IRP_MJ_CREATE_MAILSLOT : 804F4476
23:31:56:312 0924 IRP_MJ_QUERY_SECURITY : 804F4476
23:31:56:312 0924 IRP_MJ_SET_SECURITY : 804F4476
23:31:56:312 0924 IRP_MJ_POWER : BA8EAEF3
23:31:56:312 0924 IRP_MJ_SYSTEM_CONTROL : BA8EFA24
23:31:56:312 0924 IRP_MJ_DEVICE_CHANGE : 804F4476
23:31:56:312 0924 IRP_MJ_QUERY_QUOTA : 804F4476
23:31:56:312 0924 IRP_MJ_SET_QUOTA : 804F4476
23:31:56:406 0924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:31:56:406 0924
23:31:56:406 0924 Driver Name: Disk
23:31:56:406 0924 IRP_MJ_CREATE : BA8EEC30
23:31:56:406 0924 IRP_MJ_CREATE_NAMED_PIPE : 804F4476
23:31:56:406 0924 IRP_MJ_CLOSE : BA8EEC30
23:31:56:406 0924 IRP_MJ_READ : BA8E8D9B
23:31:56:406 0924 IRP_MJ_WRITE : BA8E8D9B
23:31:56:406 0924 IRP_MJ_QUERY_INFORMATION : 804F4476
23:31:56:406 0924 IRP_MJ_SET_INFORMATION : 804F4476
23:31:56:406 0924 IRP_MJ_QUERY_EA : 804F4476
23:31:56:406 0924 IRP_MJ_SET_EA : 804F4476
23:31:56:406 0924 IRP_MJ_FLUSH_BUFFERS : BA8E9366
23:31:56:406 0924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4476
23:31:56:406 0924 IRP_MJ_SET_VOLUME_INFORMATION : 804F4476
23:31:56:406 0924 IRP_MJ_DIRECTORY_CONTROL : 804F4476
23:31:56:406 0924 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4476
23:31:56:406 0924 IRP_MJ_DEVICE_CONTROL : BA8E944D
23:31:56:406 0924 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECFC3
23:31:56:406 0924 IRP_MJ_SHUTDOWN : BA8E9366
23:31:56:406 0924 IRP_MJ_LOCK_CONTROL : 804F4476
23:31:56:406 0924 IRP_MJ_CLEANUP : 804F4476
23:31:56:406 0924 IRP_MJ_CREATE_MAILSLOT : 804F4476
23:31:56:406 0924 IRP_MJ_QUERY_SECURITY : 804F4476
23:31:56:406 0924 IRP_MJ_SET_SECURITY : 804F4476
23:31:56:406 0924 IRP_MJ_POWER : BA8EAEF3
23:31:56:406 0924 IRP_MJ_SYSTEM_CONTROL : BA8EFA24
23:31:56:406 0924 IRP_MJ_DEVICE_CHANGE : 804F4476
23:31:56:406 0924 IRP_MJ_QUERY_QUOTA : 804F4476
23:31:56:406 0924 IRP_MJ_SET_QUOTA : 804F4476
23:31:56:406 0924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:31:56:406 0924
23:31:56:406 0924 Driver Name: nvata
23:31:56:406 0924 IRP_MJ_CREATE : 89C338D4
23:31:56:406 0924 IRP_MJ_CREATE_NAMED_PIPE : 89C338D4
23:31:56:406 0924 IRP_MJ_CLOSE : 89C338D4
23:31:56:406 0924 IRP_MJ_READ : 89C338D4
23:31:56:406 0924 IRP_MJ_WRITE : 89C338D4
23:31:56:406 0924 IRP_MJ_QUERY_INFORMATION : 89C338D4
23:31:56:406 0924 IRP_MJ_SET_INFORMATION : 89C338D4
23:31:56:406 0924 IRP_MJ_QUERY_EA : 89C338D4
23:31:56:406 0924 IRP_MJ_SET_EA : 89C338D4
23:31:56:406 0924 IRP_MJ_FLUSH_BUFFERS : 89C338D4
23:31:56:406 0924 IRP_MJ_QUERY_VOLUME_INFORMATION : 89C338D4
23:31:56:406 0924 IRP_MJ_SET_VOLUME_INFORMATION : 89C338D4
23:31:56:406 0924 IRP_MJ_DIRECTORY_CONTROL : 89C338D4
23:31:56:406 0924 IRP_MJ_FILE_SYSTEM_CONTROL : 89C338D4
23:31:56:406 0924 IRP_MJ_DEVICE_CONTROL : 89C338D4
23:31:56:406 0924 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89C338D4
23:31:56:406 0924 IRP_MJ_SHUTDOWN : 89C338D4
23:31:56:406 0924 IRP_MJ_LOCK_CONTROL : 89C338D4
23:31:56:406 0924 IRP_MJ_CLEANUP : 89C338D4
23:31:56:406 0924 IRP_MJ_CREATE_MAILSLOT : 89C338D4
23:31:56:406 0924 IRP_MJ_QUERY_SECURITY : 89C338D4
23:31:56:406 0924 IRP_MJ_SET_SECURITY : 89C338D4
23:31:56:406 0924 IRP_MJ_POWER : 89C338D4
23:31:56:406 0924 IRP_MJ_SYSTEM_CONTROL : 89C338D4
23:31:56:406 0924 IRP_MJ_DEVICE_CHANGE : 89C338D4
23:31:56:406 0924 IRP_MJ_QUERY_QUOTA : 89C338D4
23:31:56:406 0924 IRP_MJ_SET_QUOTA : 89C338D4
23:31:56:406 0924 Driver "nvata" infected by TDSS rootkit!
23:31:56:421 0924 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: 1
23:31:56:421 0924 File "C:\WINDOWS\system32\DRIVERS\nvata.sys" infected by TDSS rootkit ...
23:31:56:421 0924 Processing driver file: C:\WINDOWS\system32\DRIVERS\nvata.sys
23:31:56:421 0924 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
23:31:56:437 0924 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
23:31:56:453 0924 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\ServicePackFiles\*) error 3
23:31:56:453 0924 !fdfb7
23:31:56:484 0924 !vfvi8
23:31:56:484 0924 !vdf6
23:31:56:484 0924 Backup copy not found, trying to cure infected file..
23:31:56:484 0924 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: Cure failed (0)
23:31:56:484 0924 cure failed
23:31:56:484 0924
23:31:56:484 0924 Completed
23:31:56:484 0924
23:31:56:484 0924 Results:
23:31:56:484 0924 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
23:31:56:484 0924 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:31:56:484 0924 File objects infected / cured / cured on reboot: 1 / 0 / 0
23:31:56:484 0924
23:31:56:484 0924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:31:56:484 0924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:31:56:484 0924 KLMD(ARK) unloaded successfully


Removed by Mod.

Thanks for the help, here's the log:

ComboFix 10-05-04.04 - Kevin 05/05/2010 0:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1562 [GMT -4:00]
Running from: d:\d storage\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 100504-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\flG32.dll
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\msconfig.exe
c:\windows\wpe pro.INI

c:\windows\system32\DRIVERS\nvata.sys . . . is infected!!

c:\windows\system32\srsvc.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-05 04:28 . 2010-05-05 04:28 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\Threat Expert
2010-05-05 03:22 . 2009-11-10 14:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-05 03:22 . 2009-11-10 14:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-05 03:22 . 2009-11-10 14:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-05 03:22 . 2009-11-10 14:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-05-05 03:22 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-05-05 03:22 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-05-05 03:21 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-05 03:21 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-05 03:21 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-05 03:21 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-05 03:20 . 2010-05-05 03:22 -------- d-----w- c:\program files\Common Files\PC Tools
2010-05-05 03:20 . 2010-05-05 03:20 -------- d-----w- c:\documents and settings\Kevin\Application Data\PC Tools
2010-05-05 03:20 . 2010-05-05 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-05-04 00:40 . 2010-05-04 00:40 666112 ----a-w- c:\documents and settings\Kevin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv306hw-1003220-0-main.dll
2010-05-04 00:40 . 2010-05-04 00:40 319488 ----a-w- c:\documents and settings\Kevin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2010-05-03 05:44 . 2010-05-03 05:44 105344 ----a-w- c:\windows\system32\drivers\ysnkwkaz.sys
2010-05-03 05:13 . 2010-05-03 05:44 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-03 01:36 . 2010-05-03 01:36 38784 ----a-w- c:\documents and settings\Kevin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-05-02 19:25 . 2010-05-02 19:26 -------- d-----w- c:\program files\iTunes
2010-05-02 19:23 . 2010-05-02 19:23 -------- d-----w- c:\program files\Bonjour
2010-05-02 19:22 . 2010-05-02 19:22 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-26 05:24 . 2010-04-26 05:28 -------- d-----w- C:\fixwareout
2010-04-21 05:11 . 2010-05-03 04:33 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\Temp
2010-04-09 02:46 . 2010-04-09 02:46 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\Rawr
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-06 04:51 . 2010-04-06 05:14 -------- d-----w- c:\windows\BDOSCAN8
2010-04-05 23:27 . 2010-04-05 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 04:39 . 2009-01-04 12:47 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-04 05:23 . 2010-03-23 02:52 -------- d-----w- c:\documents and settings\Kevin\Application Data\vlc
2010-05-04 02:37 . 2009-10-06 03:10 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2010-05-03 15:18 . 2008-07-12 00:58 -------- d-----w- c:\documents and settings\Kevin\Application Data\uTorrent
2010-05-03 04:11 . 2010-04-02 07:54 -------- d-----w- c:\program files\Google
2010-05-03 01:36 . 2008-11-28 06:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-02 19:25 . 2008-07-11 14:49 -------- d-----w- c:\program files\iPod
2010-05-02 19:25 . 2008-07-11 15:08 -------- d-----w- c:\program files\Common Files\Apple
2010-04-30 00:49 . 2009-09-19 21:33 -------- d-----w- c:\documents and settings\Kevin\Application Data\DivX
2010-04-02 07:56 . 2009-08-05 02:38 -------- d-----w- c:\program files\DivX
2010-04-02 07:56 . 2010-04-02 07:56 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-04-02 07:56 . 2010-04-02 07:56 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-04-02 07:56 . 2010-04-02 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-04-02 07:56 . 2010-04-02 07:56 57677 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-04-02 07:56 . 2010-04-02 07:56 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-04-02 07:56 . 2010-04-02 07:56 84035 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-04-02 07:54 . 2010-04-02 07:54 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-04-02 07:53 . 2010-04-02 07:56 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-04-02 07:53 . 2010-04-02 07:56 986904 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-03-28 22:35 . 2010-03-28 22:35 1925088 ----a-w- c:\documents and settings\Kevin\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2010-03-23 02:54 . 2009-06-01 02:13 -------- d-----w- c:\program files\uTorrent
2010-03-22 03:01 . 2010-03-22 03:01 -------- d-----w- c:\documents and settings\Kevin\Application Data\Malwarebytes
2010-03-22 03:01 . 2010-03-22 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-20 17:31 . 2010-03-20 17:31 35 ----a-w- c:\windows\Fonts\m.dat
2010-03-16 22:44 . 2008-07-11 14:16 70840 ----a-w- c:\documents and settings\Kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-16 02:38 . 2009-08-22 01:33 1680160 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2010-03-16 02:37 . 2010-03-16 02:37 -------- d-----w- c:\program files\Microsoft SQL Server
2010-03-16 02:34 . 2010-03-16 02:34 -------- d-----w- c:\program files\Business Objects
2010-03-16 02:34 . 2010-03-16 02:33 -------- d-----w- c:\program files\Windows Mobile 5.0 SDK R2
2010-03-16 02:32 . 2010-03-16 02:32 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-03-16 02:32 . 2010-03-16 02:32 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-03-16 02:31 . 2006-10-03 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-16 02:31 . 2009-08-22 01:33 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2010-03-16 02:28 . 2010-03-16 02:21 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-03-16 02:28 . 2010-03-16 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2010-03-16 02:24 . 2010-03-16 02:21 -------- d-----w- c:\program files\HTML Help Workshop
2010-03-16 02:24 . 2006-10-03 14:35 -------- d-----w- c:\program files\MSBuild
2010-03-16 02:21 . 2010-03-16 02:21 -------- d-----w- c:\program files\Microsoft.NET
2010-03-16 02:21 . 2010-03-16 02:21 -------- d-----w- c:\program files\Microsoft SDKs
2010-03-16 02:21 . 2010-03-16 02:21 -------- d-----w- c:\program files\CE Remote Tools
2010-03-16 02:20 . 2010-03-16 02:20 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-27 05:15 . 2010-02-27 05:15 64340 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\srsvc.dll

c:\windows\System32\srsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-03 136176]
"Steam"="d:\program files d\Steam\Steam.exe" [2010-05-03 1238352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-07-20 847872]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-10 709992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-03-05 1135912]
"QuickTime Task"="d:\program files d\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
winmpa.exe [2009-11-21 862568]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Kevin\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2007-08-23 23:00 33648 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 06:28 954368 ----a-w- c:\program files\HP\Dfawep\bin\hpbdfawep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam]
2007-05-17 21:45 279912 ----a-w- c:\program files\Microsoft LifeCam\LifeExp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-12-05 01:41 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-12-05 01:41 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-07-20 21:04 847872 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-09 20:27 144784 ----a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
2007-04-10 21:46 709992 ----a-w- c:\windows\vVX1000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"MSCamSvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"COMSysApp"=3 (0x3)
"BITS"=3 (0x3)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=2 (0x2)
"npggsvc"=3 (0x3)
"matlabserver"=2 (0x2)
"fsssvc"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"CryptSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files D\\SopCast\\adv\\SopAdver.exe"=
"d:\\Program Files D\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Kevin\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files D\\Steam\\Steam.exe"=
"c:\\Documents and Settings\\Kevin\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58935:TCP"= 58935:TCP:Pando Media Booster
"58935:UDP"= 58935:UDP:Pando Media Booster
"6000:UDP"= 6000:UDP:GGPO
"6001:UDP"= 6001:UDP:GGPO
"6002:UDP"= 6002:UDP:GGPO
"6004:UDP"= 6004:UDP:GGPO
"6003:UDP"= 6003:UDP:GGPO
"6005:UDP"= 6005:UDP:GGPO
"6006:UDP"= 6006:UDP:GGPO
"6007:UDP"= 6007:UDP:GGPO
"6008:UDP"= 6008:UDP:GGPO
"6009:UDP"= 6009:UDP:GGPO

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/4/2010 11:21 PM 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/11/2008 10:03 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/11/2008 10:03 AM 20560]
R2 Browser Defender Update Service;Browser Defender Update Service;d:\program files d\Spyware Doctor\BDT\BDTUpdateService.exe [5/4/2010 11:22 PM 112592]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Kevin\LOCALS~1\Temp\SGU27D.tmp --> c:\docume~1\Kevin\LOCALS~1\Temp\SGU27D.tmp [?]
S3 sdAuxService;PC Tools Auxiliary Service;d:\program files d\Spyware Doctor\pctsAuxs.exe [5/4/2010 11:21 PM 365280]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [11/16/2009 12:10 AM 95376]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys --> c:\windows\system32\DRIVERS\VBoxNetFlt.sys [?]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [7/8/2008 11:45 PM 11696]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/16/2008 8:45 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-2000478354-1801674531-1003Core.job
- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-03 04:33]

2010-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-606747145-2000478354-1801674531-1003UA.job
- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-03 04:33]

2009-07-23 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-05-17 21:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ninjavideo.net/
uInternet Connection Wizard,ShellNext = hxxp://www.114la.com/index.htm
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\vhm1b2pi.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: d:\program files d\QuickTime\Plugins\npqtplugin.dll
FF - plugin: d:\program files d\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: d:\program files d\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: d:\program files d\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: d:\program files d\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: d:\program files d\QuickTime\Plugins\npqtplugin6.dll
FF - plugin: d:\program files d\QuickTime\Plugins\npqtplugin7.dll
FF - plugin: d:\program files d\Veetle\Player\npvlc.dll
FF - plugin: d:\program files d\Veetle\plugins\npVeetle.dll
FF - plugin: d:\program files d\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files d\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
d:\program files d\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files d\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files d\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files d\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files d\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files d\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files d\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files d\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-Comrade - c:\program files\GameSpy\Comrade\Comrade.exe
MSConfigStartUp-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
MSConfigStartUp-mount - c:\program files\moveonboot\mount.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-sysldtray - c:\windows\ld08.exe
ActiveSetup-{233807B5-2H70-13D0-A31Q-00BB00B32C03} - c:\windows\fonts\winlgoon.exe
AddRemove-GTK 2.0 - c:\program files\Pidgin\2.0\uninst.exe
AddRemove-World of Warcraft - c:\program files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 00:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Kevin\LOCALS~1\Temp\SGU27D.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-606747145-2000478354-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,d7,b7,0c,de,5a,2b,6e,05,95,9f,bc,ed,0d,47,52,79,74,ce,f6,28,21,d8,
84,e5,84,6a,e1,40,fb,cf,1b,a0,63,5f,cf,39,40,c9,fa,78,ed,11,56,45,b8,e2,3f,\
"??"=hex:98,fa,95,ab,26,31,88,4f,06,6b,90,4e,ff,dc,68,8c

[HKEY_USERS\S-1-5-21-606747145-2000478354-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:18,6f,31,9d,ab,b6,38,76,f8,8c,18,59,fe,fa,81,22,ab,0b,5c,c3,72,
2c,d3,dc,32,52,00,20,1d,b3,2e,2f,0c,75,43,92,80,bd,70,31,58,e1,4d,fe,33,59,\
"rkeysecu"=hex:c7,1c,f2,dd,04,48,03,28,eb,7e,dc,6c,f3,2b,c7,1a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(504)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-05-05 00:44:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 04:44

Pre-Run: 7,965,515,776 bytes free
Post-Run: 7,993,069,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - D51CC6BE663B208B2ACAA5EDC7E43E65
