browser redirect

(3 Pages)
←
1
2
3
→

You cannot start a new topic
This topic is locked

#16 miekiemoes

Malware Expert

Group: Global Moderator
Posts: 19,932
Joined: 08-October 04

Posted 08 June 2009 - 01:33 AM

Nothing suspicious here either...

Can you run Combofix once again please? Post the log in your next reply.

Also, do you use a router?

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

Back to top of the page up there ^
MultiQuote
Reply

#17 vespid

Member

Group: Full Member
Posts: 17
Joined: 02-June 09

Posted 08 June 2009 - 08:15 PM

yes I use a router.

I ran another combofix scan (report below). I also re-ran a few other scans: AVG and my new Avast each came up empty, Malwarebytes said it removed Win32:rootkit-gen RTK and rogue.syscleaner pro. the problem still remains, however. It affects both IE and firefox, redirecting some links on search result pages. Sometimes I get the same re-direct result several times in a row.

I also reviewed these threads and none of the actions suggested made a difference:

http://freeforum.avg...,backpage=3,sv= (my AVG wouldn't update, need to do it manually now)
http://forums.mozill...h...8&t=1085175 (but no overlay.xul in the suggested spot)
http://howbits.com/p...-google-search/ (tried as suggested, no result)
http://www.geekstogo...ed-t228573.html (not any help?)

BTW, I can run regedit, cmd, and msconfig, if that means anything.

***sigh*** any other suggestions?

------------------------------

ComboFix 09-05-31.06 - Dad 06/08/2009 19:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.539 [GMT -5:00]
Running from: c:\documents and settings\Dad\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090608-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))
.

2009-06-08 19:18 . 2009-06-08 19:42 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-08 04:59 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-08 04:59 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-08 04:59 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-08 04:59 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-08 04:59 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-08 04:59 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-08 04:59 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-08 04:59 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-08 04:59 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-08 04:59 . 2009-06-08 04:59 -------- d-----w- c:\program files\Alwil Software
2009-06-08 00:44 . 2009-06-08 00:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-08 00:44 . 2009-06-08 00:44 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-08 00:44 . 2009-06-08 00:44 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-08 00:44 . 2009-06-08 00:44 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-08 00:44 . 2009-06-08 04:53 -------- d-----w- c:\documents and settings\Dad\Application Data\AVGTOOLBAR
2009-06-08 00:44 . 2009-06-08 01:10 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-08 00:44 . 2009-06-08 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-06 22:08 . 2009-06-06 22:11 -------- d-----w- C:\Rootrepeal
2009-06-06 16:49 . 2009-06-06 16:50 -------- d-----w- C:\HostsExpert
2009-06-02 21:46 . 2009-06-02 21:46 -------- d-----w- c:\program files\Trend Micro
2009-06-02 21:39 . 2009-06-02 21:28 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-02 21:28 . 2009-06-02 21:28 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-02 21:28 . 2009-06-02 21:28 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-02 21:28 . 2009-06-02 21:28 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-02 21:28 . 2009-06-02 21:28 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-02 21:28 . 2009-06-02 21:28 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-02 21:28 . 2009-06-02 21:28 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-02 21:28 . 2009-06-02 21:28 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-02 21:28 . 2009-06-02 21:28 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-02 21:28 . 2009-06-02 21:28 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-02 21:25 . 2009-06-02 21:25 -------- d-----w- c:\program files\Lavasoft
2009-06-02 13:07 . 2009-06-02 13:13 122763 ----a-w- C:\MGlogs.zip
2009-06-02 13:07 . 2009-06-02 13:13 -------- d-----w- C:\MGtools
2009-06-02 05:02 . 2009-06-08 23:53 117760 ----a-w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-02 05:01 . 2009-06-02 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-02 05:01 . 2009-06-02 05:01 65024 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-06-02 05:01 . 2009-06-02 05:01 18944 ----a-r- c:\documents and settings\Dad\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-06-02 05:01 . 2009-06-08 03:51 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-02 05:01 . 2009-06-02 05:01 -------- d-----w- c:\documents and settings\Dad\Application Data\SUPERAntiSpyware.com
2009-06-02 04:59 . 2009-06-02 04:59 1342151 ----a-w- C:\MGtools.exe
2009-06-02 04:37 . 2009-06-02 04:37 -------- d-----w- c:\program files\CCleaner
2009-06-01 22:48 . 2009-06-01 22:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-01 12:32 . 2009-06-01 12:32 -------- d-----w- c:\documents and settings\Dad\Application Data\Malwarebytes
2009-06-01 12:32 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-01 12:32 . 2009-06-01 12:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-01 12:32 . 2009-06-01 12:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-01 12:32 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 19:21 . 2008-04-14 00:12 82432 -c--a-w- c:\windows\system32\dllcache\ws2_32.dll
2009-05-27 23:03 . 2009-05-16 00:36 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-05-27 23:03 . 2009-05-27 23:03 -------- d-----w- c:\program files\ffdshow
2009-05-19 22:13 . 2009-06-05 04:11 -------- d-----w- c:\program files\PokerStars.NET
2009-05-12 22:05 . 2009-05-12 22:05 -------- d-----w- c:\program files\Combined Community Codec Pack
2009-05-10 23:44 . 2009-05-10 23:44 -------- d-----w- c:\documents and settings\Ryan\Local Settings\Application Data\ArcSoft
2009-05-10 23:44 . 2009-05-10 23:44 -------- d-----w- c:\documents and settings\Ryan\Application Data\ArcSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-07 19:40 . 2007-02-23 23:04 -------- d-----w- c:\documents and settings\Shannon\Application Data\OpenOffice.org2
2009-06-07 19:32 . 2006-11-04 20:10 -------- d-----w- c:\documents and settings\Nicky\Application Data\OpenOffice.org2
2009-06-02 21:28 . 2009-06-02 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-02 21:28 . 2009-06-02 21:28 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-02 21:28 . 2009-06-02 21:28 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-02 21:28 . 2009-06-02 21:28 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-02 21:27 . 2009-06-02 21:27 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-02 21:27 . 2009-06-02 21:27 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-02 21:27 . 2009-06-02 21:27 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-02 21:27 . 2009-06-02 21:27 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-02 21:27 . 2009-06-02 21:27 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-02 21:27 . 2009-06-02 21:27 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-02 21:27 . 2009-06-02 21:27 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-02 21:25 . 2009-06-02 21:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-02 05:00 . 2005-07-22 01:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-02 04:50 . 2006-09-15 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-01 22:47 . 2005-03-07 05:32 -------- d-----w- c:\program files\Java
2009-05-31 14:32 . 2007-02-13 02:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-27 02:23 . 2009-01-31 21:19 -------- d-----w- c:\documents and settings\Shannon\Application Data\U3
2009-05-17 15:33 . 2008-08-29 01:23 -------- d-----w- c:\documents and settings\Dad\Application Data\uTorrent
2009-05-16 00:36 . 2007-06-08 22:52 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-05-07 12:03 . 2009-04-17 22:34 -------- d-----w- c:\documents and settings\Dad\Application Data\ArcSoft
2009-05-06 23:16 . 2005-03-06 23:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-19 21:55 . 2006-06-19 02:53 -------- d-----w- c:\documents and settings\Dad\Application Data\OpenOffice.org2
2009-04-19 18:08 . 2008-04-12 00:35 1 ----a-w- c:\documents and settings\Dad\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-04-19 11:15 . 2009-04-15 01:21 -------- d-----w- c:\documents and settings\Nicky\Application Data\ArcSoft
2009-04-19 00:20 . 2009-04-15 01:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-04-17 22:59 . 2009-04-17 22:59 -------- d-----w- c:\documents and settings\Shannon\Application Data\ArcSoft
2009-04-17 02:23 . 2005-03-07 00:51 -------- d-----w- c:\documents and settings\Dad\Application Data\teamspeak2
2009-04-15 04:43 . 2005-03-09 03:36 -------- d-----w- c:\documents and settings\Dad\Application Data\CoreFTP
2009-04-15 01:14 . 2009-04-15 01:13 -------- d-----w- c:\program files\ArcSoft
2009-04-15 01:14 . 2009-04-15 01:13 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-04-15 01:12 . 2009-04-15 01:12 -------- d-----w- c:\documents and settings\Nicky\Application Data\InstallShield
2009-04-13 01:54 . 2009-03-19 02:49 1 ----a-w- c:\documents and settings\Nicky\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-03-12 08:17 . 2009-06-02 21:25 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2008-07-17 20:10 . 2008-07-17 20:10 16 ---ha-w- c:\program files\Common Files\mxfilerelatedcache.mxc2
2008-07-17 20:10 . 2008-07-17 20:09 16 ---ha-w- c:\program files\mxfilerelatedcache.mxc2
2007-01-04 18:55 . 2008-03-26 23:48 134624 ------w- c:\program files\uninstall.exe
2003-02-21 13:42 . 2006-08-04 04:43 348160 ----a-w- c:\program files\mozilla firefox\plugins\msvcr71.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-04_03.49.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-08 23:50 . 2009-06-08 23:50 16384 c:\windows\Temp\Perflib_Perfdata_5d4.dat
+ 2009-06-08 23:51 . 2009-06-08 23:51 16384 c:\windows\Temp\Perflib_Perfdata_4cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-09 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]
"TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe" [2006-10-04 86016]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-02 518488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-08 1947928]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-04-09 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" - c:\windows\MIDIDEF.EXE [2005-12-08 25600]

c:\documents and settings\Shannon\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\Nicky\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-08 00:44 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroCheck"=c:\windows\system32\NeroCheck.exe
"HPDJ Taskbar Utility"=c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\PocketSoft\\RTPatch\\AutoRTP\\artpschd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CoreFTP\\coreftp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/2/2009 4:28 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/7/2009 11:59 PM 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/7/2009 7:44 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/7/2009 7:44 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [3/26/2008 7:27 PM 108768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/7/2009 11:59 PM 20560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/7/2009 7:44 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/7/2009 7:44 PM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1005904]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [5/13/2006 11:06 PM 70016]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
R3 scrcap;scrcap;c:\windows\system32\drivers\scrcap.sys [12/27/2006 9:47 AM 9006]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [3/10/2006 4:55 PM 39424]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [4/7/2008 11:31 PM 1527900]
S3 musbehco;musbehco;\??\c:\docume~1\Nicky\LOCALS~1\Temp\musbehco.sys --> c:\docume~1\Nicky\LOCALS~1\Temp\musbehco.sys [?]
S3 SNPP202;PC Camera (6028 VGA);c:\windows\system32\drivers\snpp202.sys [3/7/2005 2:21 AM 236544]
S3 UPnPService;UPnPService;c:\program files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [4/7/2008 11:33 PM 544768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:27]

2009-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.(removed by me)/
uInternet Connection Wizard,ShellNext = iexplore
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
TCP: {5D896401-9E75-415E-8EB3-FF981E8333CE} = 208.67.222.222,208.67.220.220
TCP: {99883876-42A0-4CA8-94FB-1D6F080213F6} = 208.67.222.222,208.67.220.220
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Dad\Application Data\Mozilla\Firefox\Profiles\trl5gxbp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.(removed by me).
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPipelineLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npq3px.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 19:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,b2,cf,ab,0f,89,
f9,6c,cc,c8,28,51,af,b0,29,a3,98,c3,13,8e,a0,e7,a2,06,30,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,47,87,06,0c,09,
ba,f7,12,71,3b,04,66,8b,46,0d,96,ed,b1,6e,e8,4a,2a,1e,e5,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,f7,11,82,26,37,
23,12,eb,25,da,ec,7e,55,20,c9,26,23,00,9e,33,96,2b,e1,69,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,38,8a,44,49,0a,
26,03,9f,3e,1e,9e,e0,57,5a,93,61,eb,a3,14,b9,7c,9e,9d,4e,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,26,28,5a,c5,3c,
50,53,62,cd,44,cd,b9,a6,33,6c,cd,54,a9,22,a7,2b,71,18,f0,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:50,93,e5,ab,ec,6a,4e,ab,31,eb,78,f6,7c,
3c,5a,d3,b0,18,ed,a7,3f,8d,37,a4,16,56,fb,64,2d,fd,b0,b3,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,35,f3,f4,03,51,
cc,f3,ed,31,77,e1,ba,b1,f8,68,02,a4,ed,d2,8d,34,ea,5c,53,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,38,98,85,b6,7b,
a7,cf,a8,83,6c,56,8b,a0,85,96,ab,ce,3e,02,e2,a6,f2,81,7b,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,6b,72,07,11,67,
e3,3d,dd,51,fa,6e,91,28,9e,14,cc,7c,d9,ee,b0,01,37,6b,f9,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,75,a6,45,a0,58,
25,72,47,b1,cd,45,5a,a8,c4,f8,b9,4f,50,ea,c1,66,42,be,29,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,33,17,21,6d,58,
e6,de,73,e3,0e,66,d5,eb,bc,2f,6b,df,d9,fd,79,43,f8,ef,ed,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,27,5b,f4,b9,e5,
61,c3,15,fa,ea,66,7f,d4,3b,6b,70,d2,15,d3,e6,c9,67,38,f5,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-06-09 20:01
ComboFix-quarantined-files.txt 2009-06-09 01:01
ComboFix2.txt 2009-06-04 03:55
ComboFix3.txt 2009-06-02 13:01

Pre-Run: 20,638,863,360 bytes free
Post-Run: 20,843,974,656 bytes free

314 --- E O F --- 2009-05-28 23:26

Back to top of the page up there ^
MultiQuote
Reply

#18 miekiemoes

Malware Expert

Group: Global Moderator
Posts: 19,932
Joined: 08-October 04

Posted 09 June 2009 - 12:08 AM

Hi,

Can you remove the multiple Antivirus, because they cause extra problems and interfere with detections. More than 1 Antivirus is not recommended. So uninstall AVG or Avast.
Then reboot.

Then go to start > run and copy and paste the following command:

sc delete musbehco

Hit enter

This really looks like a DNS Hijack issue though...
Or something is still hidden there, or your router got "spoofed" and needs a reset.

Let's look at what may be still hidden there...

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.majorgeek...GMER_d5198.html

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
In case the log is too big, attach it, or upload it here: http://www.bleepingc...e.php?channel=8

Warning ! Please, do not select the "Show all" checkbox during the scan.

Also, in case, IF there's still malware hidden there and it "locks" gmer detection, also do next, so I can compare logs:

Please create a BOOTLOG

Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
Select "Enable Boot Logging" option and press enter.
Windows prompts you to select a Windows Installation (even if there is only one windows installation)
This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows

If you're already running inside Windows you can enable it the following way.
Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
Click on OK and you will be prompted to RESTART Windows. Please do restart now.
After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
If the file is over about 150 lines or so then DELETE the C:\Windows\ntbtlog.txt file and restart the computer and post the NEW one it creates.

It may be better to attach or upload this log as well as it may be long. See link I posted earlier.

Back to top of the page up there ^
MultiQuote
Reply

#19 vespid

Member

Group: Full Member
Posts: 17
Joined: 02-June 09

Posted 09 June 2009 - 07:26 AM

Gmer seemed to run fine. Here's the report:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-09 07:24:36
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76D387E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76D3BFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF3D72DF0]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Maxtor\Sync\SyncServices.exe[216] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Maxtor\Sync\SyncServices.exe[216] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\Explorer.EXE[600] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\Explorer.EXE[600] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\winlogon.exe[752] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\winlogon.exe[752] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\services.exe[796] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\services.exe[796] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\lsass.exe[808] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\lsass.exe[808] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[980] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[980] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1044] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1044] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1112] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\PROGRA~1\AVG\AVG8\avgnsx.exe[1112] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\nvsvc32.exe[1124] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\nvsvc32.exe[1124] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[1140] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1140] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[1240] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1240] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\svchost.exe[1336] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[1336] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1376] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1376] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\spoolsv.exe[1508] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\spoolsv.exe[1508] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1628] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\PROGRA~1\AVG\AVG8\avgemc.exe[1628] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[1756] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1756] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1820] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1820] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Java\jre6\bin\jqs.exe[2032] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Java\jre6\bin\jqs.exe[2032] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2452] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\wbem\unsecapp.exe[2452] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\alg.exe[2464] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\alg.exe[2464] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2632] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\wbem\wmiprvse.exe[2632] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\iTunes\iTunesHelper.exe[3024] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\iTunes\iTunesHelper.exe[3024] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3120] C:\WINDOWS\system32\ws2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3120] C:\WINDOWS\system32\ws2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Java\jre6\bin\jusched.exe[3156] C:\WINDOWS\system32\ws2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Java\jre6\bin\jusched.exe[3156] C:\WINDOWS\system32\ws2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[3364] C:\WINDOWS\system32\ws2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[3364] C:\WINDOWS\system32\ws2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\System32\svchost.exe[3700] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[3700] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\WINDOWS\system32\wuauclt.exe[3816] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\WINDOWS\system32\wuauclt.exe[3816] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\Messenger\msmsgs.exe[3892] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\Messenger\msmsgs.exe[3892] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3924] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12153, 0xE0000040]
.data C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[3924] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC41A1]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\.cr2@ MediaImpression Photo File
Reg HKLM\SOFTWARE\Classes\.crw@ MediaImpression Photo File
Reg HKLM\SOFTWARE\Classes\.dng@ MediaImpression Photo File
Reg HKLM\SOFTWARE\Classes\.nef@ MediaImpression Photo File
Reg HKLM\SOFTWARE\Classes\.psf@ MediaImpression Photo File
Reg HKLM\SOFTWARE\Classes\.slw@ SLWFile
Reg HKLM\SOFTWARE\Classes\.tpf@ tpf_auto_file
Reg HKLM\SOFTWARE\Classes\.veg@ veg_auto_file
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcHWEventHandler@ ArcHWEventHandler Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcHWEventHandler\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcHWEventHandler\CLSID@ {F263A5CC-9B97-46AD-8CD1-A2A34BE79049}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcHWEventHandler\CurVer
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcHWEventHandler\CurVer@ ArcWmdmMgrCom.ArcHWEventHandler.1
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcHWEventHandler.1@ ArcHWEventHandler Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcHWEventHandler.1\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcHWEventHandler.1\CLSID@ {F263A5CC-9B97-46AD-8CD1-A2A34BE79049}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmDev@ ArcWmdmDev Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmDev\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmDev\CLSID@ {E4771AC6-9154-4952-A3E4-C9C9FF9FE622}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmDev\CurVer
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmDev\CurVer@ ArcWmdmMgrCom.ArcWmdmDev.1
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmDev.1@ ArcWmdmDev Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmDev.1\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmDev.1\CLSID@ {E4771AC6-9154-4952-A3E4-C9C9FF9FE622}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmMgr@ ArcWmdmMgr Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmMgr\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmMgr\CLSID@ {970436E5-F0D8-411F-8650-F095B5363891}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmMgr\CurVer
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmMgr\CurVer@ ArcWmdmMgrCom.ArcWmdmMgr.1
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmMgr.1@ ArcWmdmMgr Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmMgr.1\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmMgr.1\CLSID@ {970436E5-F0D8-411F-8650-F095B5363891}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmProgressHandler@ ArcWmdmProgressHandler Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmProgressHandler\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmProgressHandler\CLSID@ {194691CA-7070-40B1-A6EF-FE51B211CC5E}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmProgressHandler\CurVer
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmProgressHandler\CurVer@ ArcWmdmMgrCom.ArcWmdmProgressHandler.1
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmProgressHandler.1@ ArcWmdmProgressHandler Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmProgressHandler.1\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmProgressHandler.1\CLSID@ {194691CA-7070-40B1-A6EF-FE51B211CC5E}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmStg@ ArcWmdmStg Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmStg\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmStg\CLSID@ {6F56B2F0-C7B8-4115-9083-E9BE8B3CC458}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmStg\CurVer
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmStg\CurVer@ ArcWmdmMgrCom.ArcWmdmStg.1
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmStg.1@ ArcWmdmStg Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmStg.1\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmdmStg.1\CLSID@ {6F56B2F0-C7B8-4115-9083-E9BE8B3CC458}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmfMgr@ ArcWmfMgr Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmfMgr\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmfMgr\CLSID@ {6E574235-86F7-4458-9069-96BECC0A0674}
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmfMgr\CurVer
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmfMgr\CurVer@ ArcWmdmMgrCom.ArcWmfMgr.1
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmfMgr.1@ ArcWmfMgr Class
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmfMgr.1\CLSID
Reg HKLM\SOFTWARE\Classes\ArcWmdmMgrCom.ArcWmfMgr.1\CLSID@ {6E574235-86F7-4458-9069-96BECC0A0674}
Reg HKLM\SOFTWARE\Classes\BeboInc.BeboUploader.5@ Bebo Uploader Control
Reg HKLM\SOFTWARE\Classes\BeboInc.BeboUploader.5\CLSID
Reg HKLM\SOFTWARE\Classes\BeboInc.BeboUploader.5\CLSID@ {138E6DC9-722B-4F4B-B09D-95D191869696}
Reg HKLM\SOFTWARE\Classes\BeboInc.BeboUploader.5\CurVer
Reg HKLM\SOFTWARE\Classes\BeboInc.BeboUploader.5\CurVer@ BeboInc.BeboUploader.5.1
Reg HKLM\SOFTWARE\Classes\BeboInc.BeboUploader.5.1@ Bebo Uploader Control
Reg HKLM\SOFTWARE\Classes\BeboInc.BeboUploader.5.1\CLSID
Reg HKLM\SOFTWARE\Classes\BeboInc.BeboUploader.5.1\CLSID@ {138E6DC9-722B-4F4B-B09D-95D191869696}
Reg HKLM\SOFTWARE\Classes\BeboInc.BeboUploader.5.1\Insertable
Reg HKLM\SOFTWARE\Classes\BeboInc.ShellCombo.5@ Bebo Uploader Combo Control
Reg HKLM\SOFTWARE\Classes\BeboInc.ShellCombo.5\CLSID
Reg HKLM\SOFTWARE\Classes\BeboInc.ShellCombo.5\CLSID@ {8BEB6B85-CEAE-4A1F-88CF-07872E873D35}
Reg HKLM\SOFTWARE\Classes\BeboInc.ShellCombo.5\CurVer
Reg HKLM\SOFTWARE\Classes\BeboInc.ShellCombo.5\CurVer@ BeboInc.ShellCombo.5.1
Reg HKLM\SOFTWARE\Classes\BeboInc.ShellCombo.5.1@ Bebo Uploader Combo Control
Reg HKLM\SOFTWARE\Classes\BeboInc.ShellCombo.5.1\CLSID
Reg HKLM\SOFTWARE\Classes\BeboInc.ShellCombo.5.1\CLSID@ {8BEB6B85-CEAE-4A1F-88CF-07872E873D35}
Reg HKLM\SOFTWARE\Classes\BeboInc.Thumbnail.5@ Bebo Uploader Thumbnail Control
Reg HKLM\SOFTWARE\Classes\BeboInc.Thumbnail.5\CLSID
Reg HKLM\SOFTWARE\Classes\BeboInc.Thumbnail.5\CLSID@ {A2FB946C-D049-4A25-BB5A-CAF9EB4B11AA}
Reg HKLM\SOFTWARE\Classes\BeboInc.Thumbnail.5\CurVer
Reg HKLM\SOFTWARE\Classes\BeboInc.Thumbnail.5\CurVer@ BeboInc.Thumbnail.5.1
Reg HKLM\SOFTWARE\Classes\BeboInc.Thumbnail.5.1@ Bebo Uploader Thumbnail Control
Reg HKLM\SOFTWARE\Classes\BeboInc.Thumbnail.5.1\CLSID
Reg HKLM\SOFTWARE\Classes\BeboInc.Thumbnail.5.1\CLSID@ {A2FB946C-D049-4A25-BB5A-CAF9EB4B11AA}
Reg HKLM\SOFTWARE\Classes\BeboInc.UploadPane.5@ Bebo Uploader UploadPane Control
Reg HKLM\SOFTWARE\Classes\BeboInc.UploadPane.5\CLSID
Reg HKLM\SOFTWARE\Classes\BeboInc.UploadPane.5\CLSID@ {C8109B02-45BF-4E8E-A665-8C71B142C416}
Reg HKLM\SOFTWARE\Classes\BeboInc.UploadPane.5\CurVer
Reg HKLM\SOFTWARE\Classes\BeboInc.UploadPane.5\CurVer@ BeboInc.UploadPane.5.1
Reg HKLM\SOFTWARE\Classes\BeboInc.UploadPane.5.1@ Bebo Uploader UploadPane Control
Reg HKLM\SOFTWARE\Classes\BeboInc.UploadPane.5.1\CLSID
Reg HKLM\SOFTWARE\Classes\BeboInc.UploadPane.5.1\CLSID@ {C8109B02-45BF-4E8E-A665-8C71B142C416}
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F023CBC7-B8BB-F594-D08E-FE3DB0A39F99}\InProcServer32@ C:\Program Files\Common Files\Microsoft Shared\Grphflt\fpx32.flt
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\DefaultIcon
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\DefaultIcon@ C:\Program Files\ArcSoft\MediaImpression\PhotoViewer.exe, 0
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\shell
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\shell\open
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\shell\open\command
Reg HKLM\SOFTWARE\Classes\MediaImpression Photo File\shell\open\command@ "C:\Program Files\ArcSoft\MediaImpression\PhotoViewer.exe" "%1"
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\DefaultIcon
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\DefaultIcon@ C:\Program Files\ArcSoft\MediaImpression\MediaPlayer.exe, 0
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\shell
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\shell\open
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\shell\open\command
Reg HKLM\SOFTWARE\Classes\MediaImpression Video/Music File\shell\open\command@ "C:\Program Files\ArcSoft\MediaImpression\MediaPlayer.exe" "%1"
Reg HKLM\SOFTWARE\Classes\MediaImpressionImport\shell
Reg HKLM\SOFTWARE\Classes\MediaImpressionImport\shell\open
Reg HKLM\SOFTWARE\Classes\MediaImpressionImport\shell\open\command
Reg HKLM\SOFTWARE\Classes\MediaImpressionImport\shell\open\command@ C:\Program Files\ArcSoft\MediaImpression\MediaImpression.exe -runtype {1} -cmd {A1FF7DD9-F5CE-400b-8464-D7C155D64C57} -param {%1}
Reg HKLM\SOFTWARE\Classes\SLWFile@ ArcSoft Slide Show File
Reg HKLM\SOFTWARE\Classes\SLWFile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\SLWFile\DefaultIcon@ C:\Program Files\ArcSoft\MediaImpression\SlideShowPlayer.exe,0
Reg HKLM\SOFTWARE\Classes\SLWFile\shell
Reg HKLM\SOFTWARE\Classes\SLWFile\shell\open
Reg HKLM\SOFTWARE\Classes\SLWFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\SLWFile\shell\open\command@ C:\Program Files\ArcSoft\MediaImpression\SlideShowPlayer.exe "%1"
Reg HKLM\SOFTWARE\Classes\tpf_auto_file@
Reg HKLM\SOFTWARE\Classes\tpf_auto_file\shell
Reg HKLM\SOFTWARE\Classes\tpf_auto_file\shell\open
Reg HKLM\SOFTWARE\Classes\tpf_auto_file\shell\open\command
Reg HKLM\SOFTWARE\Classes\tpf_auto_file\shell\open\command@ "C:\Program Files\Guild Wars\Gw.exe" "%1"
Reg HKLM\SOFTWARE\Classes\veg_auto_file@
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell@ open
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell\open
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell\open@ &Open
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell\open\command
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell\open\command@ C:\Program Files\Windows Media Player\wmplayer.exe /Open "%L"
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell\play
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell\play@ &Play
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell\play\command
Reg HKLM\SOFTWARE\Classes\veg_auto_file\shell\play\command@ C:\Program Files\Windows Media Player\wmplayer.exe /Play "%L"
Reg HKLM\SOFTWARE\Classes\vf_auto_file@
Reg HKLM\SOFTWARE\Classes\vf_auto_file\shell
Reg HKLM\SOFTWARE\Classes\vf_auto_file\shell\Open
Reg HKLM\SOFTWARE\Classes\vf_auto_file\shell\Open@ Open
Reg HKLM\SOFTWARE\Classes\vf_auto_file\shell\Open\command
Reg HKLM\SOFTWARE\Classes\vf_auto_file\shell\Open\command@ "C:\Program Files\Sony\Vegas Movie Studio 8.0\VegasMovieStudio80.exe" "%1"
Reg HKLM\SOFTWARE\Classes\vf_auto_file\shell\Open\command@command R%}+Kfzc8A&puzs)Gl=pmain>qWSj7pn?+9~BhNDQ@?-j "%1"?

---- EOF - GMER 1.0.15 ----

BOOTLOG

Service Pack 3 6 9 2009 07:55:37.375
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver Lbd.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver agp440.sys
Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\System32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\drivers\ctoss2k.sys
Loaded driver \SystemRoot\system32\drivers\ctprxy2k.sys
Loaded driver \SystemRoot\system32\drivers\ctaud2k.sys
Loaded driver \SystemRoot\System32\DRIVERS\IntelC53.sys
Loaded driver \SystemRoot\System32\DRIVERS\IntelC51.sys
Loaded driver \SystemRoot\System32\DRIVERS\IntelC52.sys
Loaded driver \SystemRoot\System32\DRIVERS\mohfilt.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\DRIVERS\e100b325.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\drivers\Afc.sys
Loaded driver \SystemRoot\System32\Drivers\cdrbsdrv.SYS
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\scrcap.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\drivers\WmBEnum.sys
Loaded driver \SystemRoot\system32\drivers\WmXlCore.sys
Loaded driver \SystemRoot\system32\DRIVERS\MarvinBus.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\drivers\hap16v2k.sys
Loaded driver \SystemRoot\system32\drivers\ha10kx2k.sys
Loaded driver \SystemRoot\system32\drivers\emupia2k.sys
Loaded driver \SystemRoot\system32\drivers\ctsfm2k.sys
Loaded driver \SystemRoot\system32\drivers\ctac32k.sys
Loaded driver \SystemRoot\system32\COMMONFX.DLL
Loaded driver \SystemRoot\system32\CTAUDFX.DLL
Loaded driver \SystemRoot\system32\CTSBLFX.DLL
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\pclepci.sys
Loaded driver \??\C:\WINDOWS\system32\npptNT2.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS
Loaded driver \SystemRoot\System32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\system32\drivers\usbaudio.sys
Loaded driver \SystemRoot\system32\DRIVERS\mxopswd.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\ASPI32.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \??\C:\WINDOWS\system32\drivers\ACEDRV08.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\system32\drivers\enodpl.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys
Loaded driver \SystemRoot\system32\drivers\tandpl.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys

This post has been edited by vespid: 09 June 2009 - 08:08 AM

Back to top of the page up there ^
MultiQuote
Reply

#20 miekiemoes

Malware Expert

Group: Global Moderator
Posts: 19,932
Joined: 08-October 04

Posted 09 June 2009 - 07:48 AM

Hi,

Don't forget to post the other log as well

Then, when done...

Open notepad and copy and paste next present in the quotebox in it:

Quote

dir c:\WS2_32.dll /a h /s > look.txt
start notepad look.txt

Save this as look.bat , choose to save as *all files and place it on your desktop.
It should look like this: Posted Image

Doubleclick on it and notepad should open.
Copy and paste the contents of it in your next reply.

Back to top of the page up there ^
MultiQuote
Reply

#21 vespid

Member

Group: Full Member
Posts: 17
Joined: 02-June 09

Posted 09 June 2009 - 08:12 AM

I added the bootlog onto the previous post.

I think I did your latest request correctly. This is what resulted in look.text:

Volume in drive C has no label.
Volume Serial Number is 2485-CFD8

Back to top of the page up there ^
MultiQuote
Reply

#22 miekiemoes

Malware Expert

Group: Global Moderator
Posts: 19,932
Joined: 08-October 04

Posted 09 June 2009 - 08:20 AM

That's strange about that latest one...
It should show at least two references and not empty.... Thats impossible.
Did you wait until the log opened automatically? Because it searches your entire C:\ for all references of WS2_32.dll and lists them in the log with filesize, date...

I can at least see the one in your Combofixlog, present in the dllcache:

2009-05-30 19:21 . 2008-04-14 00:12 82432 -c--a-w- c:\windows\system32\dllcache\ws2_32.dll

And since that one was modified lately, it makes it extremely suspicious. This means that the main one, which is in use (present in system32- folder) could be modified as well, however I can't find it in your log. That's why I need to see that look.bat log result to compare them, because the one in the system32 folder *could be infected.

So please try again with the look.bat and really wait till it opens automatically. Also, make sure your Antivirus isn't interfering.

Btw, there's nothing suspicious in your previous logs.

The thing here also is, you have tried a lot of things on your own - so that's why it's extra confusing for me if I cannot see previous logs of the malware it already removed. That would have given at least a hint where exactly to look... or with what it came.
Also, the other confusing part is that I asked you previously to use the Kaspersky online scanner and you said it found a lot of malware and then it was clean again? This is so bizarre since Kaspersky online doesn't have the possibility to clean what it has found.
That's why it makes it a lot harder for me to troubleshoot/understand what's going on here since some things just don't make sense at all...

Back to top of the page up there ^
MultiQuote
Reply

#23 vespid

Member

Group: Full Member
Posts: 17
Joined: 02-June 09

Posted 09 June 2009 - 08:14 PM

Sorry for the added confusion on all fronts. I lost that kapersky data because the computer locked up, so I told you what it said on the screen at that point and the result of the following scan. I did nothing inbetween and have no explanation. Sorry for the other issues I've caused, I'm just used to fixing my own problems and can't believe you keep taking this time to help me! I do truly appreciate it and from now on will try to help you help me as best I can.

I also didn't wait for notepad to open up the last time on the looktext thing. I saw the cmd window open up and the txt file formed, and just copy/pasted that prematurely. Here is a completed result:

Volume in drive C has no label.
Volume Serial Number is 2485-CFD8

Directory of c:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 82,944 ws2_32.dll
1 File(s) 82,944 bytes

Directory of c:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 82,432 ws2_32.dll
1 File(s) 82,432 bytes

Directory of c:\WINDOWS\system32

04/13/2008 07:12 PM 82,432 ws2_32.dll
1 File(s) 82,432 bytes

Directory of c:\WINDOWS\system32\dllcache

04/13/2008 07:12 PM 82,432 ws2_32.dll
1 File(s) 82,432 bytes

Back to top of the page up there ^
MultiQuote
Reply

#24 miekiemoes

Malware Expert

Group: Global Moderator
Posts: 19,932
Joined: 08-October 04

Posted 10 June 2009 - 01:56 AM

Hi,

Can you upload the c:\WINDOWS\system32\ws2_32.dll to Virustotal here?
http://www.virustota.../en/indexf.html

Then post the results in your next reply.

THis one is really puzzling me since I don't see any malware traces in your log anymore and we really looked everywhere.

Also do next...

*Download WinsockFix
Place it on your desktop.
Start Winsockfix.exe and click "Reg backup"
Your current registry will be saved in the folder "ERDNT"
Then click FIX
Your system will reboot.

Back to top of the page up there ^
MultiQuote
Reply

#25 vespid

Member

Group: Full Member
Posts: 17
Joined: 02-June 09

Posted 10 June 2009 - 08:36 AM

Here's the first one:

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.10 -
AhnLab-V3 5.0.0.2 2009.06.10 -
AntiVir 7.9.0.183 2009.06.10 -
Antiy-AVL 2.0.3.1 2009.06.10 -
Authentium 5.1.2.4 2009.06.10 -
Avast 4.8.1335.0 2009.06.09 -
AVG 8.5.0.339 2009.06.10 -
BitDefender 7.2 2009.06.10 -
CAT-QuickHeal 10.00 2009.06.10 -
ClamAV 0.94.1 2009.06.10 -
Comodo 1305 2009.06.10 -
DrWeb 5.0.0.12182 2009.06.10 -
eSafe 7.0.17.0 2009.06.10 -
eTrust-Vet 31.6.6551 2009.06.10 -
F-Prot 4.4.4.56 2009.06.10 -
F-Secure 8.0.14470.0 2009.06.10 -
Fortinet 3.117.0.0 2009.06.10 -
GData 19 2009.06.10 -
Ikarus T3.1.1.59.0 2009.06.10 -
K7AntiVirus 7.10.757 2009.06.08 -
Kaspersky 7.0.0.125 2009.06.10 -
McAfee 5641 2009.06.09 -
McAfee+Artemis 5641 2009.06.09 -
McAfee-GW-Edition 6.7.6 2009.06.10 Virus.Win32.FileInfector.gen!90 (suspicious)
Microsoft 1.4701 2009.06.10 -
NOD32 4144 2009.06.10 -
Norman 6.01.09 2009.06.09 -
nProtect 2009.1.8.0 2009.06.10 -
Panda 10.0.0.14 2009.06.09 -
PCTools 4.4.2.0 2009.06.09 -
Prevx 3.0 2009.06.10 -
Rising 21.33.24.00 2009.06.10 -
Sophos 4.42.0 2009.06.10 -
Sunbelt 3.2.1858.2 2009.06.10 -
Symantec 1.4.4.12 2009.06.10 -
TheHacker 6.3.4.3.342 2009.06.10 -
TrendMicro 8.950.0.1092 2009.06.10 -
VBA32 3.12.10.7 2009.06.10 -
ViRobot 2009.6.10.1779 2009.06.10 -
Additional information
File size: 82432 bytes
MD5...: 900ca270df587531d3323192423f2f99
SHA1..: 284ff1ba2139a0459900a630e6f413687177ff6a
SHA256: 1cc022620826b46bce55c47488787f4705645dabb9beb3985cdfa2478da5a403
ssdeep: -
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x141a1
timedatestamp.....: 0x4802a164 (Mon Apr 14 00:12:20 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12153 0x12200 6.48 01d440a3b2d2128cf27b4e322b7ca234
.data 0x14000 0x914 0xa00 5.91 0def7c7c2c0f4f95f39bec50ad3ba989
.rsrc 0x15000 0x3f8 0x400 3.43 5ff68b649c14d167754073f671ef1ef1
.reloc 0x16000 0xdc8 0xe00 6.46 239d11cbbd5ee1de927d8b585d658322

( 5 imports )
> ADVAPI32.dll: RegNotifyChangeKeyValue, RegDeleteKeyA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegEnumKeyExA
> KERNEL32.dll: GetTickCount, QueryPerformanceCounter, lstrcmpA, HeapReAlloc, HeapFree, HeapAlloc, InterlockedCompareExchange, IsBadWritePtr, GetEnvironmentVariableA, GetComputerNameA, GetVersionExA, GetSystemDirectoryA, GetWindowsDirectoryA, WaitForMultipleObjectsEx, ResetEvent, IsBadReadPtr, TlsSetValue, GetHandleInformation, ExpandEnvironmentStringsA, InterlockedExchange, GetCurrentThreadId, TlsAlloc, GetSystemInfo, HeapCreate, GetProcessHeap, HeapDestroy, TlsFree, lstrlenA, lstrcpyA, IsBadCodePtr, GetProcAddress, CreateEventA, GetModuleFileNameA, LoadLibraryA, CreateThread, FreeLibrary, WaitForSingleObject, CloseHandle, FreeLibraryAndExitThread, EnterCriticalSection, SetEvent, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SwitchToThread, SetLastError, DelayLoadFailureHook, TlsGetValue, InterlockedDecrement, GetLastError, WideCharToMultiByte, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, InterlockedIncrement, LeaveCriticalSection
> msvcrt.dll: __isascii, isspace, _except_handler3, sprintf, _adjust_fdiv, malloc, _initterm, free, _stricmp, fclose, fgets, atoi, strchr, fopen, wcscpy, strtoul, wcscmp, wcslen, wcschr
> ntdll.dll: RtlIpv4StringToAddressW, RtlIpv6StringToAddressExW, RtlIpv4StringToAddressA
> WS2HELP.dll: WahCompleteRequest, WahQueueUserApc, WahEnableNonIFSHandleSupport, WahDisableNonIFSHandleSupport, WahCreateSocketHandle, WahNotifyAllProcesses, WahCreateNotificationHandle, WahWaitForNotification, WahOpenCurrentThread, WahCloseThread, WahInsertHandleContext, WahRemoveHandleContext, WahDestroyHandleContextTable, WahCreateHandleContextTable, WahEnumerateHandleContexts, WahCloseApcHelper, WahCloseHandleHelper, WahCloseNotificationHandleHelper, WahOpenNotificationHandleHelper, WahOpenHandleHelper, WahOpenApcHelper, WahCloseSocketHandle, WahReferenceContextByHandle

( 117 exports )
FreeAddrInfoW, GetAddrInfoW, GetNameInfoW, WEP, WPUCompleteOverlappedRequest, WSAAccept, WSAAddressToStringA, WSAAddressToStringW, WSAAsyncGetHostByAddr, WSAAsyncGetHostByName, WSAAsyncGetProtoByName, WSAAsyncGetProtoByNumber, WSAAsyncGetServByName, WSAAsyncGetServByPort, WSAAsyncSelect, WSACancelAsyncRequest, WSACancelBlockingCall, WSACleanup, WSACloseEvent, WSAConnect, WSACreateEvent, WSADuplicateSocketA, WSADuplicateSocketW, WSAEnumNameSpaceProvidersA, WSAEnumNameSpaceProvidersW, WSAEnumNetworkEvents, WSAEnumProtocolsA, WSAEnumProtocolsW, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAGetQOSByName, WSAGetServiceClassInfoA, WSAGetServiceClassInfoW, WSAGetServiceClassNameByClassIdA, WSAGetServiceClassNameByClassIdW, WSAHtonl, WSAHtons, WSAInstallServiceClassA, WSAInstallServiceClassW, WSAIoctl, WSAIsBlocking, WSAJoinLeaf, WSALookupServiceBeginA, WSALookupServiceBeginW, WSALookupServiceEnd, WSALookupServiceNextA, WSALookupServiceNextW, WSANSPIoctl, WSANtohl, WSANtohs, WSAProviderConfigChange, WSARecv, WSARecvDisconnect, WSARecvFrom, WSARemoveServiceClass, WSAResetEvent, WSASend, WSASendDisconnect, WSASendTo, WSASetBlockingHook, WSASetEvent, WSASetLastError, WSASetServiceA, WSASetServiceW, WSASocketA, WSASocketW, WSAStartup, WSAStringToAddressA, WSAStringToAddressW, WSAUnhookBlockingHook, WSAWaitForMultipleEvents, WSApSetPostRoutine, WSCDeinstallProvider, WSCEnableNSProvider, WSCEnumProtocols, WSCGetProviderPath, WSCInstallNameSpace, WSCInstallProvider, WSCUnInstallNameSpace, WSCUpdateProvider, WSCWriteNameSpaceOrder, WSCWriteProviderOrder, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getprotobyname, getprotobynumber, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket
PDFiD.: -
RDS...: NSRL Reference Data Set
-

The winsockfix link didn't work and I didn't trust the search results.

This post has been edited by vespid: 10 June 2009 - 08:38 AM

Back to top of the page up there ^
MultiQuote
Reply

#26 miekiemoes

Malware Expert

Group: Global Moderator
Posts: 19,932
Joined: 08-October 04

Posted 10 June 2009 - 08:50 AM

Hi,

We *may have found the culprit. I mean, you could indeed be dealing with an infected/patched C:\Windows\system32\ws2_32.dll
The one in your dllcache is the same and may be also patched.

The MD5...: 900ca270df587531d3323192423f2f99 is unknown according to google and for legitimate files, it should at least give you one result.
Please do me a favour and send me the C:\Windows\system32\ws2_32.dll file
Upload it here: http://www.bleepingc...e.php?channel=8

For Winsockfix, use this link: http://majorgeeks.co..._Fix_d4372.html

Back to top of the page up there ^
MultiQuote
Reply

#27 vespid

Member

Group: Full Member
Posts: 17
Joined: 02-June 09

Posted 10 June 2009 - 08:57 AM

I did the winsock thing and it rebooted. Should I do anything else with that?

I uploaded the file as requested. Good luck!!

This post has been edited by vespid: 10 June 2009 - 09:00 AM

Back to top of the page up there ^
MultiQuote
Reply

#28 miekiemoes

Malware Expert

Group: Global Moderator
Posts: 19,932
Joined: 08-October 04

Posted 10 June 2009 - 09:12 AM

Hi,

I also want to analyse the other ones, so do next please... (I really want you to do it that way so I can see which one is where):

* Please download the Suspicious File Packer from here:
http://www.safer-net...g/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

c:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
c:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
c:\WINDOWS\system32\dllcache\ws2_32.dll

Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

It will take a bit of time to analyse and test some things, so please be patient

Back to top of the page up there ^
MultiQuote
Reply

#29 miekiemoes

Malware Expert

Group: Global Moderator
Posts: 19,932
Joined: 08-October 04

Posted 10 June 2009 - 10:38 AM

Well well, the file is indeed patched and is causing the redirects, so we need it to replace with a clean copy.
That's why I'm still waiting for the other files from you to submit so I can see which ones are clean or also infected.

Back to top of the page up there ^
MultiQuote
Reply

#30 vespid

Member

Group: Full Member
Posts: 17
Joined: 02-June 09

Posted 10 June 2009 - 11:16 AM

I had to go to work for bit.

I submitted the resulting cab file

Good luck!

vespid

Back to top of the page up there ^
MultiQuote
Reply

(3 Pages)
←
1
2
3
→

You cannot start a new topic
This topic is locked

SpywareInfo Forum: browser redirect - SpywareInfo Forum