Okay.... I have managed to get the .exe to stick around now and have run it, and subsequently gmer. Here is my ComboFix log result (I turned off internet security about 2 mins into it though, as I thought the .exe would have disappeared if I had disabled it before running).
ComboFix 08-11-11.01 - Nat 2008-11-12 19:58:51.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1589 [GMT 0:00]
Running from: c:\users\Nat\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.
2008-11-11 16:32 . 2008-11-11 16:32 691 --a------ c:\users\Nat\AppData\Roaming\GetValue.vbs
2008-11-11 16:32 . 2008-11-11 16:32 35 --a------ c:\users\Nat\AppData\Roaming\SetValue.bat
2008-11-11 16:15 . 2008-11-11 16:32 3,602 --a------ c:\windows\System32\tmp.reg
2008-11-09 21:52 . 2008-11-09 21:52 <DIR> d-------- c:\users\Nat\AppData\Roaming\Malwarebytes
2008-11-09 21:52 . 2008-11-09 21:52 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-09 21:52 . 2008-11-09 21:52 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-09 21:52 . 2008-11-09 21:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-09 21:52 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-09 21:52 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-07 01:06 . 2008-11-07 01:06 1,724 --a------ c:\windows\System32\%LocalXml%
2008-11-06 22:10 . 2008-11-06 22:10 <DIR> d-------- C:\rsit
2008-11-06 21:52 . 2008-11-06 21:56 250 --a------ c:\windows\gmer.ini
2008-11-06 20:07 . 2008-11-06 20:07 <DIR> d-------- c:\program files\CCleaner
2008-11-06 02:38 . 2008-11-06 02:46 96,976 --a------ c:\windows\System32\drivers\klin.dat
2008-11-06 02:38 . 2008-11-06 02:38 87,855 --a------ c:\windows\System32\drivers\klick.dat
2008-11-06 02:37 . 2008-11-12 19:33 <DIR> d-------- c:\users\All Users\Kaspersky Lab
2008-11-06 02:37 . 2008-11-12 19:33 <DIR> d-------- c:\programdata\Kaspersky Lab
2008-11-06 02:37 . 2008-11-06 02:37 <DIR> d-------- c:\program files\Kaspersky Lab
2008-11-06 02:37 . 2008-11-12 20:03 3,555,360 --ahs---- c:\windows\System32\drivers\fidbox.dat
2008-11-06 02:37 . 2008-11-12 20:03 393,248 --ahs---- c:\windows\System32\drivers\fidbox2.dat
2008-11-06 02:37 . 2008-11-12 20:03 29,904 --ahs---- c:\windows\System32\drivers\fidbox.idx
2008-11-06 02:37 . 2008-11-12 20:03 2,424 --ahs---- c:\windows\System32\drivers\fidbox2.idx
2008-11-06 02:36 . 2008-11-06 02:36 <DIR> d-------- c:\users\All Users\Kaspersky Lab Setup Files
2008-11-06 02:36 . 2008-11-06 02:36 <DIR> d-------- c:\programdata\Kaspersky Lab Setup Files
2008-11-04 22:48 . 2008-11-04 22:48 <DIR> d-------- c:\program files\Writer's Cafe 2
2008-11-04 22:21 . 2008-11-04 22:27 <DIR> d--h----- c:\program files\Zero G Registry
2008-11-04 18:20 . 2008-11-04 18:20 <DIR> d-------- c:\program files\Common Files\PX Storage Engine
2008-11-04 18:20 . 2008-10-08 03:03 43,872 --------- c:\windows\System32\drivers\PxHelp20.sys
2008-11-04 18:20 . 2008-10-08 03:03 9,200 --------- c:\windows\System32\drivers\cdralw2k.sys
2008-11-04 18:20 . 2008-10-08 03:03 9,072 --------- c:\windows\System32\drivers\cdr4_xp.sys
2008-11-02 21:46 . 2008-11-02 21:46 <DIR> d-------- c:\users\Nat\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-11-02 21:42 . 2008-11-02 22:13 <DIR> d-------- c:\users\All Users\NOS
2008-11-02 21:42 . 2008-11-02 22:13 <DIR> d-------- c:\programdata\NOS
2008-11-02 21:42 . 2008-11-02 22:13 <DIR> d-------- c:\program files\NOS
2008-11-02 21:18 . 2008-11-02 21:18 <DIR> d-------- c:\users\Nat\AppData\Roaming\Laconic Software
2008-11-02 21:18 . 2008-11-02 21:18 <DIR> d-------- c:\program files\Free Fire Screensaver
2008-11-02 21:14 . 2008-11-02 21:14 <DIR> d-------- c:\users\All Users\FLEXnet
2008-11-02 21:14 . 2008-11-02 21:14 <DIR> d-------- c:\programdata\FLEXnet
2008-11-02 21:12 . 2008-11-04 18:22 <DIR> d-------- c:\users\All Users\Adobe
2008-11-02 21:06 . 2008-11-02 21:06 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-02 21:01 . 2008-11-02 21:45 <DIR> d-------- c:\program files\Common Files\Adobe
2008-11-01 15:22 . 2008-11-01 15:22 <DIR> d-------- c:\program files\Screenplay Systems
2008-11-01 15:22 . 2008-11-02 22:23 1,109 --a------ c:\windows\PowerReg.dat
2008-11-01 15:01 . 2008-11-01 15:01 <DIR> d-------- c:\users\Nat\AppData\Roaming\Final Draft
2008-11-01 15:00 . 2008-08-05 09:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-11-01 15:00 . 2008-08-05 09:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-11-01 15:00 . 2008-08-05 09:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-11-01 15:00 . 2008-08-05 09:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-11-01 15:00 . 2008-08-05 09:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-29 23:17 . 2008-10-29 23:23 <DIR> d-------- c:\users\Nat\AppData\Roaming\Writer's Cafe 2
2008-10-29 23:15 . 2008-11-01 15:08 <DIR> d-------- c:\program files\Black Obelisk Software
2008-10-29 23:13 . 2008-11-01 14:59 <DIR> d-------- c:\users\All Users\Final Draft
2008-10-29 23:13 . 2008-11-01 14:59 <DIR> d-------- c:\programdata\Final Draft
2008-10-29 23:13 . 2008-10-29 23:13 <DIR> d-------- c:\program files\Final Draft Tagger
2008-10-29 23:13 . 2008-11-01 15:06 <DIR> d-------- c:\program files\Final Draft 7
2008-10-29 02:37 . 2008-09-12 13:32 327,192 --a------ c:\windows\System32\drivers\iaStor.sys
2008-10-28 21:53 . 2008-09-18 04:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-28 21:53 . 2008-09-18 04:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-28 21:44 . 2008-08-12 03:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-28 20:22 . 2006-10-26 19:56 32,592 --a------ c:\windows\System32\msonpmon.dll
2008-10-28 20:21 . 2008-10-28 20:21 <DIR> d-------- c:\program files\Microsoft Works
2008-10-28 20:19 . 2008-10-28 20:19 <DIR> d-------- c:\program files\Microsoft.NET
2008-10-28 20:16 . 2008-11-01 16:08 <DIR> d-------- c:\users\All Users\Microsoft Help
2008-10-28 20:16 . 2008-11-01 16:08 <DIR> d-------- c:\programdata\Microsoft Help
2008-10-28 20:15 . 2008-10-28 20:15 <DIR> dr-h----- C:\MSOCache
2008-10-28 19:41 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2008-10-26 20:15 . 2008-10-26 20:15 <DIR> d-------- c:\users\Nat\AppData\Roaming\Media Player Classic
2008-10-26 20:10 . 2008-10-26 20:14 <DIR> d-------- c:\program files\Combined Community Codec Pack
2008-10-26 20:09 . 2008-10-26 20:09 <DIR> d-------- c:\program files\Haali
2008-10-26 20:09 . 2008-10-26 20:09 <DIR> d-------- c:\program files\CoreCodec
2008-10-26 10:41 . 2008-10-26 10:41 614,403 --a------ c:\windows\BsSnap.pre
2008-10-20 15:18 . 2008-10-20 15:18 <DIR> d-------- c:\users\Nat\AppData\Roaming\Games
2008-10-20 15:16 . 2005-05-26 14:34 2,297,552 --a------ c:\windows\System32\d3dx9_26.dll
2008-10-20 00:22 . 2008-10-20 00:22 <DIR> d-------- c:\users\All Users\Blizzard
2008-10-20 00:22 . 2008-10-20 00:22 <DIR> d-------- c:\programdata\Blizzard
2008-10-19 21:15 . 2008-10-02 01:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-19 21:15 . 2008-10-02 03:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-19 21:04 . 2007-11-14 14:18 553 --a------ c:\windows\USetup.iss
2008-10-19 20:37 . 2008-10-19 20:37 <DIR> d-------- c:\windows\System32\AGEIA
2008-10-19 20:37 . 2008-10-29 23:12 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-19 20:37 . 2008-10-19 20:37 <DIR> d-------- c:\program files\AGEIA Technologies
2008-10-19 19:59 . 2008-09-18 05:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-19 19:59 . 2008-09-18 05:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-19 19:15 . 2008-09-18 02:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-19 19:14 . 2008-08-27 01:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
2008-10-19 09:55 . 2008-10-19 09:55 <DIR> d-------- c:\users\Nat\AppData\Roaming\Lionhead Studios
2008-10-15 17:19 . 2008-10-15 17:19 <DIR> d-------- c:\program files\Common Files\Intel
2008-10-15 17:19 . 2008-10-15 17:19 <DIR> d-------- c:\program files\Cisco
2008-10-13 22:43 . 2008-10-13 22:43 <DIR> d-------- c:\users\All Users\SteamPopCapv1005
2008-10-13 22:43 . 2008-10-13 22:55 <DIR> d-------- c:\users\All Users\PopCap Games
2008-10-13 22:43 . 2008-10-13 22:43 <DIR> d-------- c:\programdata\SteamPopCapv1005
2008-10-13 22:43 . 2008-10-13 22:55 <DIR> d-------- c:\programdata\PopCap Games
2008-10-13 21:22 . 2008-10-13 21:22 <DIR> d-------- c:\users\All Users\2DBoy
2008-10-13 21:22 . 2008-10-13 21:22 <DIR> d-------- c:\programdata\2DBoy
2008-10-12 22:24 . 2008-10-12 22:24 <DIR> d-------- c:\program files\Activision
2008-10-12 16:03 . 2008-11-09 12:52 <DIR> d-------- c:\program files\Steam
2008-10-12 16:03 . 2008-11-09 12:31 <DIR> d-------- c:\program files\Common Files\Steam
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 18:09 --------- d-----w c:\program files\World of Warcraft
2008-11-09 13:14 77,633 ----a-w c:\users\All Users\nvModes.dat
2008-11-09 13:14 77,633 ----a-w c:\programdata\nvModes.dat
2008-11-02 22:21 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-20 18:01 --------- d-----w c:\program files\Windows Mail
2008-10-19 21:03 319,456 ----a-w c:\windows\DIFxAPI.dll
2008-10-19 21:03 --------- d--h--w c:\program files\Temp
2008-10-15 17:19 --------- d-----w c:\program files\Intel
2008-10-13 17:34 862,240 ----a-w c:\windows\System32\RtkPgExt.dll
2008-10-13 17:34 44,064 ----a-w c:\windows\System32\RtkCoInst.dll
2008-10-13 17:34 322,080 ----a-w c:\windows\System32\RtkApoApi.dll
2008-10-13 17:34 2,346,016 ----a-w c:\windows\System32\RtkAPO.dll
2008-10-13 17:28 2,176,856 ----a-w c:\windows\system32\drivers\RTKVHDA.sys
2008-10-12 21:21 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-11 20:35 --------- d-----w c:\users\Nat\AppData\Roaming\Logitech
2008-10-11 20:35 --------- d-----w c:\programdata\LogiShrd
2008-10-11 20:34 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-10-11 20:34 --------- d-----w c:\programdata\Logitech
2008-10-11 20:34 --------- d-----w c:\program files\Logitech
2008-10-11 20:34 --------- d-----w c:\program files\Common Files\Logishrd
2008-10-11 20:16 --------- d-----w c:\program files\Windows Live
2008-10-11 20:15 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-10-11 20:13 --------- d-----w c:\programdata\WLInstaller
2008-10-11 19:39 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-10-07 22:26 --------- d-----w c:\program files\Realtek
2008-10-07 20:27 --------- d-----w c:\program files\PC Drivers HeadQuarters
2008-10-07 20:22 --------- d-----w c:\programdata\PC Drivers HeadQuarters
2008-10-07 19:07 --------- d-----w c:\program files\DIFX
2008-10-07 18:54 --------- d-----w c:\program files\Protector Suite QL
2008-10-07 18:53 --------- d-----w c:\programdata\UIB
2008-10-07 18:43 --------- d-----w c:\users\Nat\AppData\Roaming\Intel
2008-10-07 18:43 --------- d-----w c:\programdata\Roaming
2008-10-07 18:42 --------- d-----w c:\programdata\Intel
2008-10-07 18:31 --------- d-----w c:\program files\Hotkey
2008-10-07 18:21 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-10-07 18:21 --------- d-----w c:\program files\Synaptics
2008-10-07 18:19 --------- d-----w c:\users\Nat\AppData\Roaming\InstallShield
2008-10-07 18:17 --------- d-----w c:\program files\Motorola
2008-10-07 18:10 --------- d-----w c:\programdata\NVIDIA
2008-10-07 17:58 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-10-04 01:17 133,120 ----a-w c:\windows\system32\drivers\Rtlh86.sys
2008-09-10 16:41 47,104 ----a-w c:\windows\System32\ctppld.dll
2008-09-10 16:39 497,152 ----a-w c:\windows\System32\CTAPO32.dll
2008-09-10 01:29 453,152 ----a-w c:\windows\System32\NVUNINST.EXE
2008-08-25 15:17 528,384 ----a-w c:\windows\RtlExUpd.dll
2008-08-15 10:49 2,255,144 ----a-w c:\windows\Free Fire Screensaver.scr
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-09-10 14:35 2957312 --a------ c:\program files\Protector Suite QL\farchns.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-09-10 14:35 2957312 --a------ c:\program files\Protector Suite QL\farchns.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Google Update"="c:\users\Nat\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-06 133104]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-19 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-19 92704]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"HotkeyOSD Software"="c:\program files\Hotkey\HotKey.exe" [2008-07-16 1351680]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
"DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-05 49168]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-09-12 182808]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-10-13 6335008]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2008-10-13 1833504]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-11 805392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-05 22:03 90112 c:\windows\System32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd.dll,c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll,c:\progra~1\KASPER~1\KASPER~1\adialhk.dll,c:\progra~1\KASPER~1\KASPER~1\kloehk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-11-06 21:02 133104 c:\users\Nat\AppData\Local\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2649147853-2438116765-369401869-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{85338FD4-9566-4404-BE07-8CCEF0AF8486}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{079FFED1-20B1-43B6-BB35-CAD3186577C5}"= UDP:c:\program files\World of Warcraft\Launcher.exe:World of Warcraft
"{8973D5F4-F5A2-4496-A607-6067945F4F06}"= TCP:c:\program files\World of Warcraft\Launcher.exe:World of Warcraft
"{9A2503BE-B4A4-49F3-923C-06B2F401F6BF}"= UDP:6112:Blizzard Downloader: 6112
"TCP Query User{0BF77495-979A-4946-9405-06C0FEAC0AD5}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{36024061-854E-4986-8BEE-256B42E4412F}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{64DCAC84-6B47-4850-BE8F-C3DA11BD930A}c:\\program files\\steam\\steamapps\\jellysheep\\zombie panic! source\\hl2.exe"= UDP:c:\program files\steam\steamapps\jellysheep\zombie panic! source\hl2.exe:hl2
"UDP Query User{609B6F00-1450-4053-B178-6DD6ADE23974}c:\\program files\\steam\\steamapps\\jellysheep\\zombie panic! source\\hl2.exe"= TCP:c:\program files\steam\steamapps\jellysheep\zombie panic! source\hl2.exe:hl2
"TCP Query User{77AAF7CB-ABF2-43E5-9F79-F9F6BE913485}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2DB38E29-2524-401B-A929-50A0FF8EC5D1}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{92F04DAE-9B0A-45EA-B503-CDC75907D58F}c:\\program files\\steam\\steamapps\\jellysheep\\garrysmod\\hl2.exe"= UDP:c:\program files\steam\steamapps\jellysheep\garrysmod\hl2.exe:hl2
"UDP Query User{37A5C32E-0247-45EC-993F-9C421E599316}c:\\program files\\steam\\steamapps\\jellysheep\\garrysmod\\hl2.exe"= TCP:c:\program files\steam\steamapps\jellysheep\garrysmod\hl2.exe:hl2
"TCP Query User{47B8704F-CF67-4432-918C-AB4932849028}c:\\program files\\steam\\steamapps\\jellysheep\\zombie panic! source\\hl2.exe"= UDP:c:\program files\steam\steamapps\jellysheep\zombie panic! source\hl2.exe:hl2
"UDP Query User{2E61ED55-44CE-4952-B406-64B8B085DC65}c:\\program files\\steam\\steamapps\\jellysheep\\zombie panic! source\\hl2.exe"= TCP:c:\program files\steam\steamapps\jellysheep\zombie panic! source\hl2.exe:hl2
"{6059FAC7-2EDB-42A8-8665-2A14A4BB325F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{D37B6727-B567-482A-8731-5591126C0606}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{EBECA0F9-CF63-4A42-BCC1-B30B784519A5}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F87B3307-9B0C-4025-BD78-08B23801B621}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5C85B05F-4134-4266-95EB-E6FFE4BC6A43}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2008-07-09 20496]
R2 PowerBiosServer;PowerBiosServer;c:\program files\Hotkey\PowerBiosServer.exe [2008-07-10 36864]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-04-11 84240]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-06-26 3662848]
S3 Steam Client Service;Steam Client Service;c:\program files\Common Files\Steam\SteamService.exe [2008-11-09 99576]
S4 ErrDev;Microsoft Hardware Error Device Driver;c:\windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR;c:\windows\system32\drivers\megasr.sys [2008-01-21 386616]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
2008-11-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\Nat\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-06 21:02]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\Nat\AppData\Roaming\Mozilla\Firefox\Profiles\1n8n69hf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
FF -: plugin - c:\users\Nat\AppData\Local\Google\Update\1.2.131.27\npGoogleOneClick6.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-12 20:05:16
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Protector Suite QL\upeksvr.exe
c:\windows\System32\wlanext.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\System32\rundll32.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-11-12 20:08:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-12 20:08:20
Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 210,485,506,048 bytes free
297 --- E O F --- 2008-11-09 10:01:22