Topic: google redirect..

smeezekitty

  • Guest
Re: google redirect..
« Reply #15 on: September 02, 2009, 08:28:59 PM »
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
I don't mean to question you ef
but why?

onion

    Topic Starter


    Rookie

    Re: google redirect..
    « Reply #16 on: September 02, 2009, 08:36:16 PM »
    ComboFix 09-09-02.02 - Customer 09/02/2009 21:18.1.4 - NTFSx86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2928 [GMT -5:00]
    Running from: c:\documents and settings\Customer\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\driver
    c:\windows\Installer\99310b7.msp
    c:\windows\Installer\99310c8.msp
    c:\windows\system32\BReWErS.dll
    c:\windows\system32\drivers\SKYNETrvlsotna.sys
    c:\windows\system32\images
    c:\windows\system32\images\i1.gif
    c:\windows\system32\images\i2.gif
    c:\windows\system32\images\i3.gif
    c:\windows\system32\images\j1.gif
    c:\windows\system32\images\j2.gif
    c:\windows\system32\images\j3.gif
    c:\windows\system32\images\jj1.gif
    c:\windows\system32\images\jj2.gif
    c:\windows\system32\images\jj3.gif
    c:\windows\system32\images\l1.gif
    c:\windows\system32\images\l2.gif
    c:\windows\system32\images\l3.gif
    c:\windows\system32\images\pix.gif
    c:\windows\system32\images\t1.gif
    c:\windows\system32\images\t2.gif
    c:\windows\system32\images\up1.gif
    c:\windows\system32\images\up2.gif
    c:\windows\system32\images\w1.gif
    c:\windows\system32\images\w11.gif
    c:\windows\system32\images\w2.gif
    c:\windows\system32\images\w3.gif
    c:\windows\system32\images\w3.jpg
    c:\windows\system32\images\wt1.gif
    c:\windows\system32\images\wt2.gif
    c:\windows\system32\images\wt3.gif
    c:\windows\system32\SKYNETdlvcctpi.dll
    c:\windows\system32\SKYNETkkjdxmqh.dat
    c:\windows\system32\SKYNEToybfmoxj.dll
    c:\windows\system32\SKYNETxduyvymr.dat


    c:\windows\system32\proquota.exe . . . is missing!!

    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SKYNETpkrobqtl
    -------\Legacy_SKYNETpkrobqtl
    -------\Legacy_TDSSSERV.SYS
    -------\Legacy_DRIVER
    -------\Legacy_DRIVERDRV


    (((((((((((((((((((((((((   Files Created from 2009-08-03 to 2009-09-03  )))))))))))))))))))))))))))))))
    .

    2009-09-03 01:50 . 2009-09-03 01:50   --------   d-----w-   C:\_OTL
    2009-09-02 23:16 . 2009-07-28 21:33   55656   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
    2009-09-02 23:16 . 2009-03-30 15:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
    2009-09-02 23:16 . 2009-02-13 17:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
    2009-09-02 23:16 . 2009-02-13 17:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
    2009-09-02 23:16 . 2009-09-02 23:16   --------   d-----w-   c:\program files\Avira
    2009-09-02 23:16 . 2009-09-02 23:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
    2009-08-30 16:20 . 2009-08-30 16:20   --------   d-----w-   c:\documents and settings\Customer\Application Data\Software Defender
    2009-08-30 16:08 . 2009-08-30 20:20   --------   d-----w-   C:\GameCommanderPro
    2009-08-30 16:08 . 2009-08-30 16:08   --------   d-----w-   c:\program files\GameCommanderPro
    2009-08-30 06:07 . 2009-08-30 06:07   272   ----a-w-   c:\windows\system32\drivers\sfi.dat
    2009-08-30 06:04 . 2009-08-30 06:38   --------   d-----w-   c:\program files\COMODO
    2009-08-29 02:46 . 2009-08-29 02:46   --------   d-----w-   c:\program files\ERUNT
    2009-08-28 22:21 . 2009-08-28 22:21   120   ----a-w-   c:\documents and settings\Guest\Local Settings\Application Data\Qyinag.dat
    2009-08-28 22:15 . 2009-08-28 22:15   --------   d-----w-   c:\documents and settings\Guest\Local Settings\Application Data\{24CA42D1-2CBF-4A3B-BDC8-8C983CEBC299}
    2009-08-28 20:57 . 2009-08-29 02:07   120   ----a-w-   c:\windows\Qyinag.dat
    2009-08-26 22:29 . 2009-08-26 22:29   --------   d-----w-   c:\program files\Electronic Arts
    2009-08-26 21:16 . 2009-08-30 06:05   --------   d-----w-   c:\program files\Lavasoft
    2009-08-26 21:16 . 2009-08-26 21:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
    2009-08-20 01:57 . 2009-08-20 01:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\Blizzard Entertainment
    2009-08-18 22:15 . 2009-08-18 22:21   --------   d-----w-   c:\program files\IDoser v4
    2009-08-15 07:12 . 2009-08-15 07:12   --------   d-----w-   c:\program files\JAP
    2009-08-14 01:04 . 2009-08-15 05:37   45344   ----a-w-   c:\windows\system32\drivers\tnpfb81.sys
    2009-08-14 01:04 . 2009-08-14 01:04   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
    2009-08-12 10:49 . 2009-06-12 12:31   80896   ------w-   c:\windows\system32\dllcache\tlntsess.exe
    2009-08-12 10:49 . 2009-06-12 12:31   76288   ------w-   c:\windows\system32\dllcache\telnet.exe
    2009-08-12 10:49 . 2009-06-10 06:14   132096   ------w-   c:\windows\system32\dllcache\wkssvc.dll
    2009-08-12 10:48 . 2009-06-10 14:13   84992   ------w-   c:\windows\system32\dllcache\avifil32.dll
    2009-08-12 10:48 . 2009-07-17 19:01   58880   ------w-   c:\windows\system32\dllcache\atl.dll
    2009-08-12 10:48 . 2009-08-05 09:01   204800   ------w-   c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-12 10:38 . 2009-07-10 13:27   1315328   ------w-   c:\windows\system32\dllcache\msoe.dll

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-02 20:28 . 2009-03-21 20:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
    2009-09-01 02:03 . 2008-11-21 22:54   --------   d-----w-   c:\documents and settings\Customer\Application Data\LimeWire
    2009-08-31 20:35 . 2008-05-03 00:28   --------   d-----w-   c:\documents and settings\Customer\Application Data\uTorrent
    2009-08-31 20:35 . 2009-04-29 01:03   --------   d-----w-   c:\program files\World of Warcraft
    2009-08-31 04:20 . 2008-11-20 05:05   --------   d-----w-   c:\program files\Defraggler
    2009-08-29 02:33 . 2009-05-15 18:52   --------   d-----w-   c:\program files\SUPERAntiSpyware
    2009-08-18 22:33 . 2008-04-04 04:22   --------   d-----w-   c:\program files\LimeWire
    2009-08-15 07:09 . 2009-06-09 22:13   --------   d-----w-   c:\documents and settings\Customer\Application Data\Mumble
    2009-08-14 01:07 . 2008-11-20 04:15   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
    2009-08-05 09:01 . 2004-08-12 06:00   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
    2009-08-03 23:41 . 2009-08-03 05:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
    2009-08-03 18:36 . 2008-11-20 04:15   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 18:36 . 2008-11-20 04:15   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2009-08-03 06:57 . 2009-08-03 05:53   --------   d-----w-   c:\documents and settings\Customer\Application Data\Music Editor Free
    2009-08-03 06:39 . 2009-08-03 05:47   --------   d-----w-   c:\program files\NOS
    2009-08-03 05:53 . 2009-08-03 05:53   --------   d-----w-   c:\program files\Music Editor Free
    2009-08-03 01:22 . 2009-08-03 01:22   --------   d-----w-   c:\documents and settings\Customer\Application Data\Nero
    2009-08-03 01:21 . 2009-08-03 01:21   --------   d-----w-   c:\program files\Common Files\Nero
    2009-08-03 01:21 . 2009-03-06 23:21   --------   d-----w-   c:\program files\Nero
    2009-08-03 01:21 . 2009-08-03 01:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Nero
    2009-07-31 08:46 . 2009-07-31 08:46   --------   d-----w-   c:\documents and settings\Guest\Application Data\SteelSeries
    2009-07-31 02:04 . 2009-07-30 22:13   25   ----a-w-   c:\windows\popcinfot.dat
    2009-07-30 22:12 . 2009-07-30 22:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\PopCap Games
    2009-07-30 22:12 . 2009-07-30 08:04   --------   d-----w-   c:\program files\PopCap Games
    2009-07-30 06:54 . 2009-07-30 06:54   --------   d-----w-   c:\program files\iTunes
    2009-07-30 06:54 . 2009-07-30 06:54   --------   d-----w-   c:\program files\iPod
    2009-07-30 06:54 . 2008-04-03 23:32   --------   d-----w-   c:\program files\Common Files\Apple
    2009-07-30 06:19 . 2009-07-30 06:19   --------   d-----w-   c:\documents and settings\Customer\Application Data\SteelSeries
    2009-07-30 06:19 . 2009-07-30 06:19   --------   d-----w-   c:\program files\SteelSeries
    2009-07-30 06:19 . 2008-04-02 19:19   --------   d--h--w-   c:\program files\InstallShield Installation Information
    2009-07-19 20:03 . 2009-07-19 20:03   --------   d-----w-   c:\program files\EVGA Precision
    2009-07-19 10:20 . 2009-07-19 10:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\PassMark
    2009-07-19 09:44 . 2008-04-04 06:42   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
    2009-07-19 09:08 . 2009-05-01 22:52   --------   d-----w-   c:\program files\Pando Networks
    2009-07-19 02:32 . 2009-07-19 02:32   --------   d-----w-   c:\program files\Alex Feinman
    2009-07-17 19:01 . 2004-08-12 06:00   58880   ----a-w-   c:\windows\system32\atl.dll
    2009-07-16 09:32 . 2009-05-21 06:07   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
    2009-07-13 15:08 . 2004-08-12 06:00   286720   ----a-w-   c:\windows\system32\wmpdxm.dll
    2009-07-12 20:59 . 2009-06-17 20:23   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
    2009-07-10 21:21 . 2009-07-09 19:20   --------   d-----w-   c:\program files\World of Warcraft Public Test
    2009-07-09 19:40 . 2009-05-01 22:54   --------   d-----w-   c:\program files\Common Files\Blizzard Entertainment
    2009-07-03 17:09 . 2007-04-24 19:05   915456   ----a-w-   c:\windows\system32\wininet.dll
    2009-06-21 13:46 . 2008-04-02 19:11   485920   ----a-w-   c:\windows\system32\NVUNINST.EXE
    2009-06-16 14:36 . 2007-04-24 19:05   119808   ----a-w-   c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2007-04-24 19:03   81920   ----a-w-   c:\windows\system32\fontsub.dll
    2009-06-12 12:31 . 2004-08-12 06:00   80896   ----a-w-   c:\windows\system32\tlntsess.exe
    2009-06-12 12:31 . 2005-05-10 17:51   76288   ----a-w-   c:\windows\system32\telnet.exe
    2009-06-10 14:19 . 2008-04-03 08:56   2066432   ----a-w-   c:\windows\system32\mstscax.dll
    2009-06-10 14:13 . 2004-08-12 06:00   84992   ----a-w-   c:\windows\system32\avifil32.dll
    2009-06-10 13:28 . 2009-06-10 13:28   3510272   ----a-w-   c:\windows\system32\nvgames.dll
    2009-06-10 13:28 . 2009-06-10 13:28   4022272   ----a-w-   c:\windows\system32\nvdisps.dll
    2009-06-10 13:28 . 2009-06-10 13:28   86016   ----a-w-   c:\windows\system32\nvmctray.dll
    2009-06-10 13:28 . 2009-06-10 13:28   168004   ----a-w-   c:\windows\system32\nvsvc32.exe
    2009-06-10 13:28 . 2009-06-10 13:28   143360   ----a-w-   c:\windows\system32\nvcolor.exe
    2009-06-10 13:28 . 2009-06-10 13:28   13758464   ----a-w-   c:\windows\system32\nvcpl.dll
    2009-06-10 13:28 . 2009-06-10 13:28   229376   ----a-w-   c:\windows\system32\nvmccs.dll
    2009-06-10 11:03 . 2009-06-10 11:03   1580550   ----a-w-   c:\windows\system32\nvdata.bin
    2009-06-10 11:03 . 2009-06-10 11:03   1310720   ----a-w-   c:\windows\system32\nvcuvenc.dll
    2009-06-10 11:03 . 2009-03-27 15:03   671744   ----a-w-   c:\windows\system32\nvcuvid.dll
    2009-06-10 11:03 . 2008-12-25 16:08   9998336   ----a-w-   c:\windows\system32\nvoglnt.dll
    2009-06-10 11:03 . 2008-12-25 16:08   815104   ----a-w-   c:\windows\system32\nvapi.dll
    2009-06-10 11:03 . 2008-12-25 16:08   1720320   ----a-w-   c:\windows\system32\nvcuda.dll
    2009-06-10 11:03 . 2008-12-25 16:08   151552   ----a-w-   c:\windows\system32\nvcodins.dll
    2009-06-10 11:03 . 2008-12-25 16:08   151552   ----a-w-   c:\windows\system32\nvcod.dll
    2009-06-10 11:03 . 2008-04-02 19:45   457248   ----a-w-   c:\windows\system32\nvudisp.exe
    2009-06-10 11:03 . 2007-12-07 05:51   8087712   ----a-w-   c:\windows\system32\drivers\nv4_mini.sys
    2009-06-10 11:03 . 2007-12-07 05:51   5908608   ----a-w-   c:\windows\system32\nv4_disp.dll
    2009-06-10 06:14 . 2007-04-24 19:05   132096   ----a-w-   c:\windows\system32\wkssvc.dll
    2009-06-05 16:42 . 2009-03-14 19:00   2060288   ----a-w-   c:\windows\system32\usbaaplrc.dll
    2009-06-05 16:42 . 2008-10-25 19:48   39424   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
    2004-08-12 06:00 . 2008-07-18 07:52   73728   --sha-w-   c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
    .

    ------- Sigcheck -------

    [7] 2004-08-12 06:00   502272   01C3346C241652F43AED8E2149881BFE   c:\windows\$NtServicePackUninstall$\winlogon.exe
    [7] 2008-04-14 00:12   507904   ED0EF0A136DEC83DF69F04118870003E   c:\windows\ServicePackFiles\i386\winlogon.exe
    [-] 2008-11-18 00:50   507904   3969440BA384D35317DBBDEEAAE641CE   c:\windows\system32\winlogon.exe

    [-] 2007-04-24 19:05   295424   C29A5286E64D97385178452D5F307B98   c:\windows\$NtServicePackUninstall$\termsrv.dll
    [7] 2008-04-14 00:12   295424   FF3477C03BE7201C294C35F684B3479F   c:\windows\ServicePackFiles\i386\termsrv.dll
    [-] 2008-11-18 00:50   295424   63999D0ABD8DABFD76A9C07F6E104868   c:\windows\system32\termsrv.dll


    c:\windows\system32\drivers\beep.sys ... is missing !!
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-30 1935360]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
    "EVGAPrecision"="c:\program files\EVGA Precision\EVGAPrecision.exe" [2009-04-28 298000]
    "SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-05-13 414720]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Steam\\steamapps\\joelonion\\counter-strike\\hl.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Steam\\steamapps\\joelonion\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Curse\\CurseClient.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.0.3.9183-to-3.0.8.9464-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-2.4.0-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
    "c:\\Documents and Settings\\Customer\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
    "c:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
    "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 74480]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/2/2009 6:16 PM 108289]
    R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [7/30/2009 1:19 AM 11136]
    R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [4/3/2008 5:39 PM 45440]
    S0 tnpfb81;tnpfb81;\SystemRoot\\SystemRoot\System32\drivers\tnpfb81.sys --> \SystemRoot\\SystemRoot\System32\drivers\tnpfb81.sys [?]
    S1 4180b6ce.sys;4180b6ce.sys;\??\c:\windows\System32\drivers\4180b6ce.sys --> c:\windows\System32\drivers\4180b6ce.sys [?]
    S2 gupdate1c9aa6717e65336;Google Update Service (gupdate1c9aa6717e65336);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2009 3:53 PM 133104]
    S3 JmtFltr;n52te;c:\windows\system32\Drivers\JmtFltr.sys --> c:\windows\system32\Drivers\JmtFltr.sys [?]
    S3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [12/4/2008 10:36 PM 12032]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [4/3/2008 5:33 PM 19020]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
    S3 SCREAMINGBDRIVER;Screaming Bee Audio;

    S3 vhack;vhack;\??\c:\docume~1\Customer\LOCALS~1\Temp\Rar$EX25.2579\vhack.sys --> c:\docume~1\Customer\LOCALS~1\Temp\Rar$EX25.2579\vhack.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - RTCORE32
    *Deregistered* - RTCore32

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

    2009-09-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-21 20:51]

    2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 20:53]

    2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 20:53]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-PlayNC Launcher - (no file)
    MSConfigStartUp-TrueImageMonitor - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.curse.com/
    mStart Page = hxxp://www.google.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
    DPF: {7D4733C0-C43B-4A81-AF43-F9B20D1F8348} - hxxp://www.octoshape.com/files/octosetupGotFrag.cab
    DPF: {B8A48F42-30E1-48f8-AE87-7BD7C75DB8AA} - hxxp://www.srtest.com/srl_bin/sysreqlab_test.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    FF - ProfilePath - c:\documents and settings\Customer\Application Data\Mozilla\Firefox\Profiles\lx4hbh99.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-02 21:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ... 

    scanning hidden autostart entries ...

    scanning hidden files ... 

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-484763869-1202660629-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)

    [HKEY_USERS\S-1-5-21-484763869-1202660629-682003330-1003\Software\SecuROM\License information*]
    "datasecu"=hex:4c,77,61,19,2a,84,09,02,a9,ac,0b,91,31,61,c5,0a,60,69,6b,57,8a,
       4e,74,6a,08,10,98,6e,44,f3,19,27,49,2a,d6,87,55,12,92,35,8d,00,ed,63,fe,74,\
    "rkeysecu"=hex:6f,c1,8d,4f,4c,7c,a4,72,e4,e6,0b,91,d2,83,44,ef

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(732)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3152)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
    .
    **************************************************************************
    .
    Completion time: 2009-09-03 21:35 - machine was rebooted
    ComboFix-quarantined-files.txt  2009-09-03 02:35

    Pre-Run: 127,226,544,128 bytes free
    Post-Run: 127,111,868,416 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /PAE

    353   --- E O F ---   2009-09-02 20:28




    Sorry it took so long, I went as fast as I could.

    evilfantasy

    • Malware Removal Specialist
    • Moderator
    Re: google redirect..
    « Reply #17 on: September 02, 2009, 08:52:17 PM »
    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::

    Driver::
    tnpfb81
    4180b6ce.sys

    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\proquota.exe | c:\windows\system32\proquota.exe
    C:\WINDOWS\ServicePackFiles\i386\beep.sys | c:\windows\system32\drivers\beep.sys


    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

    onion

      Topic Starter


      Rookie

      Re: google redirect..
      « Reply #18 on: September 02, 2009, 09:04:15 PM »
      ComboFix 09-09-02.02 - Customer 09/02/2009 21:55.2.4 - NTFSx86
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2878 [GMT -5:00]
      Running from: c:\documents and settings\Customer\Desktop\ComboFix.exe
      Command switches used :: c:\documents and settings\Customer\Desktop\CFScript.txt
      AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .


      .
      --------------- FCopy ---------------

      c:\windows\ServicePackFiles\i386\proquota.exe --> c:\windows\system32\proquota.exe
      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Service_4180b6ce.sys
      -------\Service_tnpfb81


      (((((((((((((((((((((((((   Files Created from 2009-08-03 to 2009-09-03  )))))))))))))))))))))))))))))))
      .

      2009-09-03 02:55 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\proquota.exe
      2009-09-03 02:55 . 2008-04-14 00:12   50176   ----a-w-   c:\windows\system32\dllcache\proquota.exe
      2009-09-03 01:50 . 2009-09-03 01:50   --------   d-----w-   C:\_OTL
      2009-09-02 23:16 . 2009-07-28 21:33   55656   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
      2009-09-02 23:16 . 2009-03-30 15:33   96104   ----a-w-   c:\windows\system32\drivers\avipbb.sys
      2009-09-02 23:16 . 2009-02-13 17:29   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
      2009-09-02 23:16 . 2009-02-13 17:17   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
      2009-09-02 23:16 . 2009-09-02 23:16   --------   d-----w-   c:\program files\Avira
      2009-09-02 23:16 . 2009-09-02 23:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\Avira
      2009-08-30 16:20 . 2009-08-30 16:20   --------   d-----w-   c:\documents and settings\Customer\Application Data\Software Defender
      2009-08-30 16:08 . 2009-08-30 20:20   --------   d-----w-   C:\GameCommanderPro
      2009-08-30 16:08 . 2009-08-30 16:08   --------   d-----w-   c:\program files\GameCommanderPro
      2009-08-30 06:07 . 2009-08-30 06:07   272   ----a-w-   c:\windows\system32\drivers\sfi.dat
      2009-08-30 06:04 . 2009-08-30 06:38   --------   d-----w-   c:\program files\COMODO
      2009-08-29 02:46 . 2009-08-29 02:46   --------   d-----w-   c:\program files\ERUNT
      2009-08-28 22:21 . 2009-08-28 22:21   120   ----a-w-   c:\documents and settings\Guest\Local Settings\Application Data\Qyinag.dat
      2009-08-28 22:15 . 2009-08-28 22:15   --------   d-----w-   c:\documents and settings\Guest\Local Settings\Application Data\{24CA42D1-2CBF-4A3B-BDC8-8C983CEBC299}
      2009-08-28 20:57 . 2009-08-29 02:07   120   ----a-w-   c:\windows\Qyinag.dat
      2009-08-26 22:29 . 2009-08-26 22:29   --------   d-----w-   c:\program files\Electronic Arts
      2009-08-26 21:16 . 2009-08-30 06:05   --------   d-----w-   c:\program files\Lavasoft
      2009-08-26 21:16 . 2009-08-26 21:29   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
      2009-08-20 01:57 . 2009-08-20 01:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\Blizzard Entertainment
      2009-08-18 22:15 . 2009-08-18 22:21   --------   d-----w-   c:\program files\IDoser v4
      2009-08-15 07:12 . 2009-08-15 07:12   --------   d-----w-   c:\program files\JAP
      2009-08-14 01:04 . 2009-08-15 05:37   45344   ----a-w-   c:\windows\system32\drivers\tnpfb81.sys
      2009-08-14 01:04 . 2009-08-14 01:04   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
      2009-08-12 10:49 . 2009-06-12 12:31   80896   ------w-   c:\windows\system32\dllcache\tlntsess.exe
      2009-08-12 10:49 . 2009-06-12 12:31   76288   ------w-   c:\windows\system32\dllcache\telnet.exe
      2009-08-12 10:49 . 2009-06-10 06:14   132096   ------w-   c:\windows\system32\dllcache\wkssvc.dll
      2009-08-12 10:48 . 2009-06-10 14:13   84992   ------w-   c:\windows\system32\dllcache\avifil32.dll
      2009-08-12 10:48 . 2009-07-17 19:01   58880   ------w-   c:\windows\system32\dllcache\atl.dll
      2009-08-12 10:48 . 2009-08-05 09:01   204800   ------w-   c:\windows\system32\dllcache\mswebdvd.dll
      2009-08-12 10:38 . 2009-07-10 13:27   1315328   ------w-   c:\windows\system32\dllcache\msoe.dll

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2009-09-02 20:28 . 2009-03-21 20:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\Google Updater
      2009-09-01 02:03 . 2008-11-21 22:54   --------   d-----w-   c:\documents and settings\Customer\Application Data\LimeWire
      2009-08-31 20:35 . 2008-05-03 00:28   --------   d-----w-   c:\documents and settings\Customer\Application Data\uTorrent
      2009-08-31 20:35 . 2009-04-29 01:03   --------   d-----w-   c:\program files\World of Warcraft
      2009-08-31 04:20 . 2008-11-20 05:05   --------   d-----w-   c:\program files\Defraggler
      2009-08-29 02:33 . 2009-05-15 18:52   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2009-08-18 22:33 . 2008-04-04 04:22   --------   d-----w-   c:\program files\LimeWire
      2009-08-15 07:09 . 2009-06-09 22:13   --------   d-----w-   c:\documents and settings\Customer\Application Data\Mumble
      2009-08-14 01:07 . 2008-11-20 04:15   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2009-08-05 09:01 . 2004-08-12 06:00   204800   ----a-w-   c:\windows\system32\mswebdvd.dll
      2009-08-03 23:41 . 2009-08-03 05:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
      2009-08-03 18:36 . 2008-11-20 04:15   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2009-08-03 18:36 . 2008-11-20 04:15   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2009-08-03 06:57 . 2009-08-03 05:53   --------   d-----w-   c:\documents and settings\Customer\Application Data\Music Editor Free
      2009-08-03 06:39 . 2009-08-03 05:47   --------   d-----w-   c:\program files\NOS
      2009-08-03 05:53 . 2009-08-03 05:53   --------   d-----w-   c:\program files\Music Editor Free
      2009-08-03 01:22 . 2009-08-03 01:22   --------   d-----w-   c:\documents and settings\Customer\Application Data\Nero
      2009-08-03 01:21 . 2009-08-03 01:21   --------   d-----w-   c:\program files\Common Files\Nero
      2009-08-03 01:21 . 2009-03-06 23:21   --------   d-----w-   c:\program files\Nero
      2009-08-03 01:21 . 2009-08-03 01:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Nero
      2009-07-31 08:46 . 2009-07-31 08:46   --------   d-----w-   c:\documents and settings\Guest\Application Data\SteelSeries
      2009-07-31 02:04 . 2009-07-30 22:13   25   ----a-w-   c:\windows\popcinfot.dat
      2009-07-30 22:12 . 2009-07-30 22:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\PopCap Games
      2009-07-30 22:12 . 2009-07-30 08:04   --------   d-----w-   c:\program files\PopCap Games
      2009-07-30 06:54 . 2009-07-30 06:54   --------   d-----w-   c:\program files\iTunes
      2009-07-30 06:54 . 2009-07-30 06:54   --------   d-----w-   c:\program files\iPod
      2009-07-30 06:54 . 2008-04-03 23:32   --------   d-----w-   c:\program files\Common Files\Apple
      2009-07-30 06:19 . 2009-07-30 06:19   --------   d-----w-   c:\documents and settings\Customer\Application Data\SteelSeries
      2009-07-30 06:19 . 2009-07-30 06:19   --------   d-----w-   c:\program files\SteelSeries
      2009-07-30 06:19 . 2008-04-02 19:19   --------   d--h--w-   c:\program files\InstallShield Installation Information
      2009-07-19 20:03 . 2009-07-19 20:03   --------   d-----w-   c:\program files\EVGA Precision
      2009-07-19 10:20 . 2009-07-19 10:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\PassMark
      2009-07-19 09:44 . 2008-04-04 06:42   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
      2009-07-19 09:08 . 2009-05-01 22:52   --------   d-----w-   c:\program files\Pando Networks
      2009-07-19 02:32 . 2009-07-19 02:32   --------   d-----w-   c:\program files\Alex Feinman
      2009-07-17 19:01 . 2004-08-12 06:00   58880   ----a-w-   c:\windows\system32\atl.dll
      2009-07-16 09:32 . 2009-05-21 06:07   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
      2009-07-13 15:08 . 2004-08-12 06:00   286720   ----a-w-   c:\windows\system32\wmpdxm.dll
      2009-07-12 20:59 . 2009-06-17 20:23   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
      2009-07-10 21:21 . 2009-07-09 19:20   --------   d-----w-   c:\program files\World of Warcraft Public Test
      2009-07-09 19:40 . 2009-05-01 22:54   --------   d-----w-   c:\program files\Common Files\Blizzard Entertainment
      2009-07-03 17:09 . 2007-04-24 19:05   915456   ------w-   c:\windows\system32\wininet.dll
      2009-06-21 13:46 . 2008-04-02 19:11   485920   ----a-w-   c:\windows\system32\NVUNINST.EXE
      2009-06-16 14:36 . 2007-04-24 19:05   119808   ----a-w-   c:\windows\system32\t2embed.dll
      2009-06-16 14:36 . 2007-04-24 19:03   81920   ----a-w-   c:\windows\system32\fontsub.dll
      2009-06-12 12:31 . 2004-08-12 06:00   80896   ----a-w-   c:\windows\system32\tlntsess.exe
      2009-06-12 12:31 . 2005-05-10 17:51   76288   ----a-w-   c:\windows\system32\telnet.exe
      2009-06-10 14:19 . 2008-04-03 08:56   2066432   ----a-w-   c:\windows\system32\mstscax.dll
      2009-06-10 14:13 . 2004-08-12 06:00   84992   ----a-w-   c:\windows\system32\avifil32.dll
      2009-06-10 13:28 . 2009-06-10 13:28   3510272   ----a-w-   c:\windows\system32\nvgames.dll
      2009-06-10 13:28 . 2009-06-10 13:28   4022272   ----a-w-   c:\windows\system32\nvdisps.dll
      2009-06-10 13:28 . 2009-06-10 13:28   86016   ----a-w-   c:\windows\system32\nvmctray.dll
      2009-06-10 13:28 . 2009-06-10 13:28   168004   ----a-w-   c:\windows\system32\nvsvc32.exe
      2009-06-10 13:28 . 2009-06-10 13:28   143360   ----a-w-   c:\windows\system32\nvcolor.exe
      2009-06-10 13:28 . 2009-06-10 13:28   13758464   ----a-w-   c:\windows\system32\nvcpl.dll
      2009-06-10 13:28 . 2009-06-10 13:28   229376   ----a-w-   c:\windows\system32\nvmccs.dll
      2009-06-10 11:03 . 2009-06-10 11:03   1580550   ----a-w-   c:\windows\system32\nvdata.bin
      2009-06-10 11:03 . 2009-06-10 11:03   1310720   ----a-w-   c:\windows\system32\nvcuvenc.dll
      2009-06-10 11:03 . 2009-03-27 15:03   671744   ----a-w-   c:\windows\system32\nvcuvid.dll
      2009-06-10 11:03 . 2008-12-25 16:08   9998336   ----a-w-   c:\windows\system32\nvoglnt.dll
      2009-06-10 11:03 . 2008-12-25 16:08   815104   ----a-w-   c:\windows\system32\nvapi.dll
      2009-06-10 11:03 . 2008-12-25 16:08   1720320   ----a-w-   c:\windows\system32\nvcuda.dll
      2009-06-10 11:03 . 2008-12-25 16:08   151552   ----a-w-   c:\windows\system32\nvcodins.dll
      2009-06-10 11:03 . 2008-12-25 16:08   151552   ----a-w-   c:\windows\system32\nvcod.dll
      2009-06-10 11:03 . 2008-04-02 19:45   457248   ----a-w-   c:\windows\system32\nvudisp.exe
      2009-06-10 11:03 . 2007-12-07 05:51   8087712   ----a-w-   c:\windows\system32\drivers\nv4_mini.sys
      2009-06-10 11:03 . 2007-12-07 05:51   5908608   ----a-w-   c:\windows\system32\nv4_disp.dll
      2009-06-10 06:14 . 2007-04-24 19:05   132096   ----a-w-   c:\windows\system32\wkssvc.dll
      2009-06-05 16:42 . 2009-03-14 19:00   2060288   ----a-w-   c:\windows\system32\usbaaplrc.dll
      2009-06-05 16:42 . 2008-10-25 19:48   39424   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
      2004-08-12 06:00 . 2008-07-18 07:52   73728   --sha-w-   c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
      .

      ------- Sigcheck -------

      [7] 2004-08-12 06:00   502272   01C3346C241652F43AED8E2149881BFE   c:\windows\$NtServicePackUninstall$\winlogon.exe
      [7] 2008-04-14 00:12   507904   ED0EF0A136DEC83DF69F04118870003E   c:\windows\ServicePackFiles\i386\winlogon.exe
      [-] 2008-11-18 00:50   507904   3969440BA384D35317DBBDEEAAE641CE   c:\windows\system32\winlogon.exe

      [-] 2007-04-24 19:05   295424   C29A5286E64D97385178452D5F307B98   c:\windows\$NtServicePackUninstall$\termsrv.dll
      [7] 2008-04-14 00:12   295424   FF3477C03BE7201C294C35F684B3479F   c:\windows\ServicePackFiles\i386\termsrv.dll
      [-] 2008-11-18 00:50   295424   63999D0ABD8DABFD76A9C07F6E104868   c:\windows\system32\termsrv.dll


      c:\windows\system32\drivers\beep.sys ... is missing !!
      .
      (((((((((((((((((((((((((((((   SnapShot@2009-09-03_02.33.12   )))))))))))))))))))))))))))))))))))))))))
      .
      + 2009-09-03 03:01 . 2009-09-03 03:01   16384              c:\windows\temp\Perflib_Perfdata_750.dat
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-30 1935360]
      "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
      "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
      "EVGAPrecision"="c:\program files\EVGA Precision\EVGAPrecision.exe" [2009-04-28 298000]
      "SteelSeries World of Warcraft MMO Gaming Mouse"="c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe" [2009-05-13 414720]
      "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
      "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

      [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
      "ForceClassicControlPanel"= 1 (0x1)
      "NoSetActiveDesktop"= 1 (0x1)
      "NoActiveDesktopChanges"= 1 (0x1)

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2008-12-22 17:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
      backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
      backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
      "UpdatesOverride"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Messenger\\msmsgs.exe"=
      "c:\\Program Files\\uTorrent\\uTorrent.exe"=
      "c:\\Program Files\\Steam\\steamapps\\joelonion\\counter-strike\\hl.exe"=
      "c:\\Program Files\\LimeWire\\LimeWire.exe"=
      "c:\\Program Files\\World of Warcraft\\Launcher.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\Steam\\steamapps\\joelonion\\counter-strike source\\hl2.exe"=
      "c:\\Program Files\\Curse\\CurseClient.exe"=
      "c:\\Program Files\\World of Warcraft\\WoW-3.0.3.9183-to-3.0.8.9464-enUS-downloader.exe"=
      "c:\\Program Files\\World of Warcraft\\WoW-2.4.0-enUS-downloader.exe"=
      "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
      "c:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"=
      "c:\\Documents and Settings\\Customer\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
      "c:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10048-to-0.2.0.10072-enUS-downloader.exe"=
      "c:\\Program Files\\World of Warcraft Public Test\\WoW-0.2.0.10072-to-0.2.0.10083-enUS-downloader.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
      "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
      "6112:TCP"= 6112:TCP:Blizzard Downloader

      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 74480]
      R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/2/2009 6:16 PM 108289]
      R3 Mo3Fltr;MMO Mouse;c:\windows\system32\drivers\Mo3Fltr.sys [7/30/2009 1:19 AM 11136]
      R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [4/3/2008 5:39 PM 45440]
      S2 gupdate1c9aa6717e65336;Google Update Service (gupdate1c9aa6717e65336);c:\program files\Google\Update\GoogleUpdate.exe [3/21/2009 3:53 PM 133104]
      S3 JmtFltr;n52te;c:\windows\system32\Drivers\JmtFltr.sys --> c:\windows\system32\Drivers\JmtFltr.sys [?]
      S3 LachesisFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [12/4/2008 10:36 PM 12032]
      S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
      S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
      S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [4/3/2008 5:33 PM 19020]
      S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
      S3 SCREAMINGBDRIVER;Screaming Bee Audio;

      S3 vhack;vhack;\??\c:\docume~1\Customer\LOCALS~1\Temp\Rar$EX25.2579\vhack.sys --> c:\docume~1\Customer\LOCALS~1\Temp\Rar$EX25.2579\vhack.sys [?]

      --- Other Services/Drivers In Memory ---

      *NewlyCreated* - RTCORE32
      *Deregistered* - RTCore32

      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
      "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
      .
      Contents of the 'Scheduled Tasks' folder

      2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

      2009-09-03 c:\windows\Tasks\Google Software Updater.job
      - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-21 20:51]

      2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 20:53]

      2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-21 20:53]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.curse.com/
      mStart Page = hxxp://www.google.com
      uInternet Connection Wizard,ShellNext = iexplore
      uInternet Settings,ProxyOverride = *.local
      uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
      DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
      DPF: {7D4733C0-C43B-4A81-AF43-F9B20D1F8348} - hxxp://www.octoshape.com/files/octosetupGotFrag.cab
      DPF: {B8A48F42-30E1-48f8-AE87-7BD7C75DB8AA} - hxxp://www.srtest.com/srl_bin/sysreqlab_test.cab
      DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
      FF - ProfilePath - c:\documents and settings\Customer\Application Data\Mozilla\Firefox\Profiles\lx4hbh99.default\
      FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
      FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
      FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
      FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
      .

      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2009-09-02 22:01
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
      "ImagePath"="c:\windows\system32\GameMon.des -service"
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-484763869-1202660629-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
      @Denied: (Full) (LocalSystem)

      [HKEY_USERS\S-1-5-21-484763869-1202660629-682003330-1003\Software\SecuROM\License information*]
      "datasecu"=hex:4c,77,61,19,2a,84,09,02,a9,ac,0b,91,31,61,c5,0a,60,69,6b,57,8a,
         4e,74,6a,08,10,98,6e,44,f3,19,27,49,2a,d6,87,55,12,92,35,8d,00,ed,63,fe,74,\
      "rkeysecu"=hex:6f,c1,8d,4f,4c,7c,a4,72,e4,e6,0b,91,d2,83,44,ef

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
      @Denied: (A 2) (Everyone)
      @="FlashBroker"
      "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
      "Enabled"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
      @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

      [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
      @Denied: (A 2) (Everyone)
      @="IFlashBroker3"

      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
      @="{00020424-0000-0000-C000-000000000046}"

      [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      "Version"="1.0"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(732)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      c:\windows\system32\WININET.dll

      - - - - - - - > 'explorer.exe'(1548)
      c:\windows\system32\WININET.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\system32\nvsvc32.exe
      c:\windows\system32\rundll32.exe
      c:\program files\Avira\AntiVir Desktop\avguard.exe
      c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      c:\program files\Bonjour\mDNSResponder.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
      c:\windows\system32\wdfmgr.exe
      c:\windows\system32\wscntfy.exe
      c:\program files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMTray.exe
      .
      **************************************************************************
      .
      Completion time: 2009-09-03 22:03 - machine was rebooted
      ComboFix-quarantined-files.txt  2009-09-03 03:03
      ComboFix2.txt  2009-09-03 02:35

      Pre-Run: 127,085,703,168 bytes free
      Post-Run: 127,048,708,096 bytes free

      312   --- E O F ---   2009-09-02 20:28


      There ya go.

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: google redirect..
      « Reply #19 on: September 02, 2009, 09:07:11 PM »
      Save the attached file to your desktop. Unzip it and place the beep.sys file in your Drivers folder.

      C:\WINDOWS\system32\drivers <- Place it in this folder.

      Let me know how the computer is running now.



      [attachment deleted by admin]

      onion

        Topic Starter


        Rookie

        Re: google redirect..
        « Reply #20 on: September 02, 2009, 09:09:38 PM »
        no more redirects, gonna check safe mode.

        onion

          Topic Starter


          Rookie

          Re: google redirect..
          « Reply #21 on: September 02, 2009, 09:16:46 PM »
          Safe mode is working, but it's still asking me if I want to load, or press cancel to stop loading SPTD.sys... not sure what that is.
          Web pages are pulling up significantly faster..

          Any advice for keeping protected against that stuff in the future?

          P.S. I live in Oklahoma too, in Shattuck, northwest panhandle :D

          evilfantasy

          Re: google redirect..
          « Reply #22 on: September 02, 2009, 09:20:58 PM »
          Quote
          Safe mode is working, but it's still asking me if I want to load, or press cancel to stop loading SPTD.sys... not sure what that is.

          See here: http://www.bleepingcomputer.com/startups/sptd.sys-13477.html

          Quote
          Any advice for keeping protected against that stuff in the future?

          We'll get to that at the end.

          Quote
          P.S. I live in Oklahoma too, in Shattuck, northwest panhandle

          Other side of the state... ;)

          Let's clean up a little and then check to see if we missed anything.

          * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
          * Now type Combofix /u in the Run box
          * Make sure there's a space between Combofix and /u
          * Then hit Enter

          The above procedure will:
          * Delete the following:
            * ComboFix and its associated files and folders.
          * Reset the clock settings.
          * Hide file extensions, if required.
          * Hide System/Hidden files, if required.
          * Set a new, clean Restore Point.

          ----------

          Double click OTL

          * Click the CleanUp! button.
          * Select Yes when the "Begin cleanup Process?" prompt appears.
          * If you are prompted to Reboot during the cleanup, select Yes
          * The tool will delete itself once it finishes.

          ----------

          Clean out your temporary internet files and temp files.

          Download TFC by OldTimer to your desktop.

          Double-click TFC.exe to run it.

          Note: If you are running on Vista, right-click on the file and choose Run As Administrator

          TFC will close all programs when run, so make sure you have saved all your work before you begin.

          * Click the Start button to begin the cleaning process.
          * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
          * Please let TFC run uninterrupted until it is finished.

          Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

          ----------

          Use the Kaspersky Lab Online Scanner

          In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

          • Click on SCAN NOW
          • Click Accept.
          • The program will then begin downloading the latest definition files.
          • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
          • The scan will take a while, so be patient and let it finish.
          When the scan is done, in the Scan is complete window, any infection is displayed.
          There is no option to clean/disinfect, however, we need to analyze the information on the report.

          To obtain the report:
          • Click on: Save Report As
          • Next, in the Save as prompt, Save in area, select: Desktop.
          • In the File name area use KScan, or something similar.
          • In Save as type: click the drop arrow and select: Text file [*.txt]
          • Then, click: Save


          Copy and paste the Kaspersky Online Scanner Report in your next reply.

          Note for Internet Explorer 7 and 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

          If needed, this animation will guide you through the process.

          onion

            Topic Starter


            Rookie

            Re: google redirect..
            « Reply #23 on: September 02, 2009, 09:42:04 PM »
            Updating the Kaspersky online thing right now, but I got college in the morning at 8:00 so I gotta hit the sack, thanks man. I'll post the scan log tomorrow around 4pm.
            Again, THANK YOU. ;D

            evilfantasy

            Re: google redirect..
            « Reply #24 on: September 02, 2009, 09:42:52 PM »
            No problem. I'll be signing off soon also.

            onion

              Topic Starter


              Rookie

              Re: google redirect..
              « Reply #25 on: September 03, 2009, 06:09:02 AM »
              Kaspersky didn't find a single thing.

              evilfantasy

              Re: google redirect..
              « Reply #26 on: September 03, 2009, 12:08:03 PM »
              Sounds like we nailed it then. Good job!

              Time to finish up.

              Use the Secunia Software Inspector to check for out of date software.
              • Click Start Now
              • Check the box next to Enable thorough system inspection.
              • Click Start
              • Allow the scan to finish and scroll down to see if any updates are needed.
              • Update anything listed.
              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

              ThomasTheXPUser



                Hopeful

              • Remember me? :-)
              • Thanked: 13
              • Experience: Experienced
              • OS: Windows 7
              Re: google redirect..
              « Reply #27 on: September 03, 2009, 04:52:04 PM »
              Quote
              Please don't ask for malicious links to be posted.

              @ onion - Give me a few minutes to look at your logs and I will reply.

              I'm sorry, I just wanted to know what the redirects said. You're doin' a good job, evil

              BSOD image source : ToastyTech IE is evil page
              Can't sleep! Clowns will eat me!
              There are 10 types of people in the world. Those who understand binary code and those who do not.

              evilfantasy

              Re: google redirect..
              « Reply #28 on: September 03, 2009, 04:54:06 PM »
              Too many people click first and think second so it's risky. If they are needed to be posted then have them disable the links by adding xx into the http. > hxxp