#1
Junior Member
Join Date: Nov 2009
Posts: 8
Hello, I have a problem with Firefox. Whenever I connect to the internet and start the browser (it seems to happen only on the first browser launch after connecting), and subsequently at random intervals (short of the above-mentioned first launch, I didn't manage to replicate it at will), Firefox will open a random page on bizrumour.com.
I've repeatedly scanned with Avast Home, Spybot S&D and ZoneAlarm Extreme Security (trial version), found and cleaned one instance of Trojan.Buzus, but the browser hijacking still occurs (it seems having ZoneAlarm on prevents it from happening, but that's not a valid solution for me as it's only the trial version). Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:05 PM, on 11/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\No-IP\DUC20.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\fsc\Desktop\HTscan.exe
C:\Program Files\Notepad++\notepad++.exe

O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C1A7FD-EA04-4DCB-9007-B838008805C6}: NameServer = 82.76.253.115 82.76.253.125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4706 bytes
#2
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 17,464
Hi,
Please visit this webpage for download links, and instructions for running ComboFix tool: http://www.bleepingcomputer.com/comb...o-use-combofix Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed. Please continue as follows:
When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system: C:\ComboFix.txt

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Generate an Uninstall List
* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it and a fresh HJT log in your next reply.
__________________
Microsoft MVP Consumer Security 2008, 2009
MalWare Removal University
ASAP & UNITE member since 2006
I don't help with logs thru PM. If you have problems create a thread in the forum, please.
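The helper above asks for a fresh HijackThis log so it can be compared with the one already posted. Below is an added example of how that comparison can be automated; it is not code from this thread, from HijackThis or from ComboFix. It parses the entry lines HijackThis 2.0.2 emits (R0/R1, O2, O3, O4, O9, O17, O18, O23), gives each entry a stable identity (CLSID, Run value name, interface GUID, service name) so two scans line up, reports what was added, removed or changed, and lists the O17 NameServer addresses tagged as private or public. The two log texts inside it are constructed subsets of the 11/26 and 11/30 logs in this thread; the keying scheme and the output format are this example's own, and nothing in it decides whether an entry is malicious. In particular, whether the O17 addresses belong to the user's ISP is a check the helper still has to make by hand.

```python
# Parse Trend Micro HijackThis 2.0.2 logs and diff two scans.
# Added example for this thread; not code from the posts, HijackThis or ComboFix.
# LOG_1126 / LOG_1130 are constructed subsets of the two logs the poster supplied.
import ipaddress
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section key value")

# Every HijackThis entry is "<section> - <rest>", e.g. "O4 - HKLM\..\Run: [x] y".
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def split_key(section, rest):
    """Split an entry into a stable identity and the part that may change:
    CLSID for O2/O3/O9/O18, hive + value name for O4, interface GUID for O17,
    service name for O23, registry value path for R0/R1 (example's own scheme)."""
    if section in ("O2", "O3", "O9", "O18"):
        m = CLSID_RE.search(rest)
        if m:
            return rest[:m.end()], rest[m.end():].lstrip(" -")
    if section == "O4":
        m = re.match(r"(.*?\])\s*(.*)$", rest)   # "HKLM\..\Run: [name] command"
        if m:
            return m.group(1), m.group(2)
    if section == "O17":
        key, sep, value = rest.partition(": ")   # "...\{GUID}: NameServer = ..."
        if sep:
            return key, value
    if section == "O23":
        key, sep, value = rest.partition(" - ")  # "Service: name - vendor - path"
        if sep:
            return key, value
    key, sep, value = rest.partition(" = ")      # R0/R1 and "O4 - Startup: x = y"
    return (key, value) if sep else (rest, "")


def parse_hjt(text):
    """One Entry per recognised line; headers and 'Running processes' are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            section, rest = m.groups()
            entries.append(Entry(section, *split_key(section, rest)))
    return entries


def diff_logs(old_text, new_text):
    """Entries added, removed, or whose value changed between two scans."""
    old = {(e.section, e.key): e.value for e in parse_hjt(old_text)}
    new = {(e.section, e.key): e.value for e in parse_hjt(new_text)}
    return {"added": sorted(k for k in new if k not in old),
            "removed": sorted(k for k in old if k not in new),
            "changed": sorted(k for k in old if k in new and old[k] != new[k])}


def nameservers(text):
    """Addresses from O17 NameServer entries tagged private/public. The log
    cannot say whether they belong to the user's ISP; that is a manual check."""
    found = []
    for e in parse_hjt(text):
        if e.section == "O17" and e.value.startswith("NameServer"):
            for addr in e.value.partition(" = ")[2].split():
                kind = "private" if ipaddress.ip_address(addr).is_private else "public"
                found.append((addr, kind))
    return found


# Constructed subsets of the 11/26 and 11/30 logs posted in this thread.
LOG_1126 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:05 PM, on 11/26/2009
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C1A7FD-EA04-4DCB-9007-B838008805C6}: NameServer = 82.76.253.115 82.76.253.125
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LOG_1130 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:33 PM, on 11/30/2009
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C1A7FD-EA04-4DCB-9007-B838008805C6}: NameServer = 82.76.253.115 82.76.253.125
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

if __name__ == "__main__":
    for kind, keys in diff_logs(LOG_1126, LOG_1130).items():
        for section, key in keys:
            print(f"{kind:8} {section} {key}")
    for addr, kind in nameservers(LOG_1130):
        print(f"O17 nameserver {addr} ({kind})")
```

Run against the two sample logs, the diff shows only the R1 and O9 entries that IE8 added between the scans, no removals and no changed values, and lists both O17 addresses as public. Keying O2/O3/O9 entries by the text up to and including the CLSID keeps the two O9 lines that share one CLSID (button and Tools menu item) as separate entries, which a naive CLSID-only key would merge.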
#3
Junior Member
Join Date: Nov 2009
Posts: 8
Hi Blade81, thanks for taking the time to help me.
Just wanted to add, in case it might be needed, that I was getting hijacked to cultarts.com, mainstories.com, dont-tell-me.info and ffyourview.com as well, aside from bizrumour.com.

ComboFix 09-11-29.03 - fsc 11/30/2009 11:28.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.808 [GMT 2:00]
Running from: c:\documents and settings\fsc\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091129-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\fsc\Application Data\.#
c:\documents and settings\fsc\Application Data\inst.exe
C:\install.exe
c:\recycler\S-1-5-21-0555072636-6997636867-584673222-3488
c:\recycler\S-1-5-21-3696751053-3612037300-841287563-4919
c:\recycler\S-1-5-21-7347110339-6546103056-426463047-3218
c:\recycler\S-1-5-21-7382475547-9006674404-400766208-8364
c:\recycler\S-1-5-21-7810686304-1485327679-953155845-5677
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\winhelp.ini
c:\windows\System32\Drivers\d347prt.sys . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.
2009-11-29 18:35 . 2009-11-29 18:35 -------- d-----w- c:\documents and settings\fsc\Application Data\icefinch.net
2009-11-29 18:32 . 2009-11-29 18:32 -------- d-----w- c:\documents and settings\fsc\Local Settings\Application Data\icefinch.net
2009-11-29 06:48 . 2009-11-29 06:48 -------- d-----w- c:\documents and settings\fsc\Application Data\MailFrontier
2009-11-28 19:34 . 2009-11-28 19:34 -------- d-----w- C:\config
2009-11-26 21:47 . 2009-11-26 21:47 -------- d-----w- c:\windows\system32\scripting
2009-11-26 21:47 . 2009-11-26 21:47 -------- d-----w- c:\windows\l2schemas
2009-11-26 21:47 . 2009-11-26 21:47 -------- d-----w- c:\windows\system32\en
2009-11-26 21:47 . 2009-11-26 21:47 -------- d-----w- c:\windows\system32\bits
2009-11-26 20:13 . 2009-11-26 20:13 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-26 20:13 . 2009-11-26 20:13 -------- d-----w- c:\program files\MSBuild
2009-11-26 20:12 . 2009-11-26 20:12 -------- d-----w- c:\program files\Reference Assemblies
2009-11-26 20:11 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-26 20:11 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-26 20:11 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-26 20:11 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-26 20:11 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-26 20:11 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-26 20:11 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-26 20:11 . 2009-11-26 20:12 -------- d-----w- C:\cd91fa2de212cb276b9de535c5cf
2009-11-26 19:51 . 2009-11-26 19:51 -------- d-sh--w- c:\documents and settings\fsc\IETldCache
2009-11-26 19:13 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-11-26 19:07 . 2009-11-27 13:38 -------- d-----w- c:\windows\ie8updates
2009-11-26 19:04 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-11-26 19:04 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-26 19:04 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-26 19:04 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-11-26 19:04 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-11-26 19:04 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-11-26 18:58 . 2009-11-26 19:02 -------- dc-h--w- c:\windows\ie8
2009-11-26 18:20 . 2004-08-03 20:29 25471 ------w- c:\windows\system32\drivers\watv10nt.sys
2009-11-26 18:20 . 2004-08-03 20:29 22271 ------w- c:\windows\system32\drivers\watv06nt.sys
2009-11-26 18:20 . 2004-08-03 20:29 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys
2009-11-26 18:20 . 2004-08-03 20:29 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys
2009-11-26 18:20 . 2004-08-03 20:29 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys
2009-11-26 18:20 . 2004-08-03 20:29 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys
2009-11-26 18:20 . 2004-08-03 20:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2009-11-26 18:20 . 2004-08-03 20:41 13240 ------w- c:\windows\system32\drivers\slwdmsup.sys
2009-11-26 18:20 . 2004-08-03 20:41 404990 ------w- c:\windows\system32\drivers\slntamr.sys
2009-11-26 18:20 . 2004-08-03 20:41 129535 ------w- c:\windows\system32\drivers\slnt7554.sys
2009-11-26 18:20 . 2004-08-03 20:29 166912 ------w- c:\windows\system32\drivers\s3gnbm.sys
2009-11-26 18:20 . 2004-08-03 20:41 13776 ------w- c:\windows\system32\drivers\recagent.sys
2009-11-26 18:19 . 2004-08-03 20:29 1897408 ------w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-26 18:19 . 2004-08-03 20:41 180360 ------w- c:\windows\system32\drivers\ntmtlfax.sys
2009-11-26 18:19 . 2004-08-07 00:17 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2009-11-26 18:19 . 2004-08-07 00:17 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2009-11-26 18:19 . 2004-08-03 20:41 1309184 ------w- c:\windows\system32\drivers\mtlstrm.sys
2009-11-26 18:19 . 2004-08-03 20:29 452736 ------w- c:\windows\system32\drivers\mtxparhm.sys
2009-11-26 18:19 . 2004-08-03 20:41 126686 ------w- c:\windows\system32\drivers\mtlmnt5.sys
2009-11-26 18:19 . 2004-08-03 20:41 11868 ------w- c:\windows\system32\drivers\mdmxsdk.sys
2009-11-26 18:18 . 2004-08-03 20:41 1041536 ------w- c:\windows\system32\drivers\hsfdpsp2.sys
2009-11-26 18:18 . 2004-08-03 20:41 685056 ------w- c:\windows\system32\drivers\hsfcxts2.sys
2009-11-26 18:18 . 2004-08-03 20:41 220032 ------w- c:\windows\system32\drivers\hsfbs2s2.sys
2009-11-26 06:13 . 2009-11-26 06:13 -------- d-----w- c:\program files\MSXML 6.0
2009-11-26 06:07 . 2009-11-26 21:40 -------- d-----w- c:\windows\ServicePackFiles
2009-11-25 19:38 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-11-25 19:38 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-11-25 19:38 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-11-25 19:37 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-11-25 19:37 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-11-25 19:33 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-25 19:29 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-11-25 19:28 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-25 19:28 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-11-24 18:14 . 2009-11-24 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK
2009-11-24 18:09 . 2009-11-24 18:09 -------- d-----w- c:\documents and settings\fsc\Application Data\CheckPoint
2009-11-24 18:08 . 2009-11-24 18:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-11-24 18:00 . 2009-11-30 09:02 144 ----a-w- c:\windows\system32\pdfl.dat
2009-11-24 18:00 . 2009-11-24 18:00 80 ----a-w- c:\windows\system32\ibfl.dat
2009-11-24 18:00 . 2009-11-24 18:00 144 ----a-w- c:\windows\system32\lkfl.dat
2009-11-24 17:59 . 2009-11-24 17:59 -------- d-----w- c:\program files\CheckPoint
2009-11-24 17:59 . 2009-11-30 09:03 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-11-24 17:59 . 2009-10-16 22:39 72584 ----a-w- c:\windows\zllsputility.exe
2009-11-24 17:59 . 2009-10-12 16:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-11-24 17:58 . 2009-10-16 22:39 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-11-24 17:58 . 2009-10-16 22:39 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-11-24 17:58 . 2009-10-16 22:39 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-24 17:58 . 2009-11-24 18:14 -------- d-----w- c:\windows\system32\ZoneLabs
2009-11-24 17:48 . 2009-11-24 17:48 -------- d-----w- c:\program files\Zone Labs
2009-11-24 17:47 . 2009-11-30 09:46 -------- d-----w- c:\windows\Internet Logs
2009-11-24 15:54 . 2009-11-24 17:47 -------- d-----w- C:\backups
2009-11-24 04:30 . 2009-11-24 04:30 152576 ----a-w- c:\documents and settings\fsc\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 04:30 . 2009-11-24 04:30 79488 ----a-w- c:\documents and settings\fsc\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-23 19:52 . 2009-11-23 19:53 -------- d-----w- C:\HijackThis
2009-11-23 18:41 . 2009-05-26 17:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-11-23 15:03 . 2009-11-25 03:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-23 15:03 . 2009-11-24 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-23 14:50 . 2009-11-23 14:50 -------- d-----w- c:\documents and settings\fsc\Local Settings\Application Data\Threat Expert
2009-11-23 07:35 . 2009-11-23 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-20 06:58 . 2009-11-20 06:58 -------- d-----w- c:\documents and settings\Mamik\Application Data\Yahoo!
2009-11-02 22:57 . 2009-11-02 22:57 -------- d-----w- c:\documents and settings\Mamik\Application Data\PC Suite
2009-11-02 18:53 . 2007-02-16 05:10 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-11-02 18:53 . 2006-10-17 20:29 487479 ----a-w- c:\windows\system32\SkinMagic.dll
2009-11-02 18:53 . 2009-11-07 06:53 -------- d-----w- c:\program files\Free AVI to 3GP Converter
2009-11-02 18:53 . 2007-04-19 13:15 7277568 ----a-w- c:\windows\system32\3gp.dll
2009-11-02 18:51 . 2009-11-02 18:51 -------- d-----w- c:\documents and settings\fsc\Application Data\Media Player Classic
2009-11-02 18:49 . 2009-11-02 18:49 34 ---ha-w- c:\windows\system32\VideoConverter_sysquict.dat
2009-11-02 18:49 . 2009-11-02 18:51 -------- d-----w- c:\program files\Aglare iPhone to AVI MP4 WMV MPEG 3GP Converter
2009-11-02 18:33 . 2009-11-02 18:33 -------- d-----w- c:\documents and settings\fsc\Application Data\Nokia Multimedia Player
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 18:32 . 2007-12-20 04:31 115720 ----a-w- c:\documents and settings\fsc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-29 18:25 . 2007-12-20 19:03 -------- d-----w- c:\documents and settings\fsc\Application Data\uTorrent
2009-11-27 15:26 . 2009-11-27 15:26 184033 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_11_27_17_20_17_small.dmp.zip
2009-11-27 13:07 . 2009-11-26 21:51 2508090 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-27 12:23 . 2007-12-20 12:43 -------- d-----w- c:\program files\The KMPlayer
2009-11-27 07:56 . 2009-11-27 07:56 94981 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_11_27_05_54_29_small.dmp.zip
2009-11-26 21:56 . 2007-12-19 19:41 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-26 19:49 . 2009-11-26 19:50 142848 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-11-26 14:58 . 2009-01-27 14:07 1 ----a-w- c:\documents and settings\fsc\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-26 06:20 . 2009-11-26 13:56 1829376 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-11-26 06:20 . 2009-11-26 13:56 2058240 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-11-24 23:54 . 2007-12-20 12:24 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2007-12-20 12:24 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2007-12-20 12:24 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2008-04-02 01:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-04-02 01:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2007-12-20 12:24 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2007-12-20 12:24 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2007-12-20 12:24 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2007-12-20 12:24 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-24 04:31 . 2007-12-20 14:40 -------- d-----w- c:\program files\Java
2009-11-23 18:41 . 2007-12-20 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-23 15:16 . 2008-06-02 13:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-14 13:44 . 2007-12-20 15:00 -------- d-----w- c:\documents and settings\fsc\Application Data\Yahoo!
2009-11-11 21:26 . 2008-12-21 15:06 -------- d-----w- c:\documents and settings\fsc\Application Data\Skype
2009-11-11 19:29 . 2008-12-21 15:08 -------- d-----w- c:\documents and settings\fsc\Application Data\skypePM
2009-11-10 03:35 . 2007-12-27 14:15 -------- d-----w- c:\program files\Unlocker
2009-11-08 10:04 . 2007-12-20 12:33 -------- d-----w- c:\program files\ApexDC++
2009-10-29 14:44 . 2008-01-28 16:39 -------- d-----w- c:\documents and settings\fsc\Application Data\Audacity
2009-10-23 13:05 . 2007-12-29 14:30 -------- d-----w- c:\program files\HUAWEI PC Assistant
2009-10-21 03:11 . 2009-10-06 17:21 16 ----a-w- c:\windows\popcinfot.dat
2009-10-17 04:07 . 2009-10-17 04:07 152576 ----a-w- c:\documents and settings\fsc\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-10-11 02:17 . 2008-12-10 11:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 17:21 . 2009-10-06 17:21 0 ----a-w- c:\windows\popcreg.dat
2009-10-04 06:21 . 2009-03-31 11:28 -------- d-----w- c:\program files\QuickTime
2009-10-04 06:21 . 2009-03-31 11:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-04 06:18 . 2008-01-08 13:03 -------- d-----w- c:\program files\Macromedia
2009-10-04 05:45 . 2009-06-12 11:39 -------- d-----w- c:\program files\DOSBox-0.73
2009-09-19 15:13 . 2009-09-19 15:13 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstCCD.exe
2009-09-19 15:13 . 2009-09-19 15:13 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCSFEMsi.exe
2009-09-19 15:13 . 2009-09-19 15:13 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCS.exe
2009-09-11 14:18 . 2004-08-04 04:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 16:46 . 2009-08-29 09:29 355392 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-09-09 16:46 . 2009-08-29 09:29 179264 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-09-09 15:49 . 2009-08-29 17:12 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-09 15:49 . 2009-08-29 09:14 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-09 15:48 . 2009-08-29 09:29 874660 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-09-09 15:48 . 2009-08-29 09:29 57344 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-09-09 15:48 . 2009-08-29 09:29 2661440 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-09-04 21:03 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 14:44 . 2009-09-19 14:18 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 14:44 . 2009-09-19 14:18 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 14:44 . 2009-09-19 14:17 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 14:29 . 2009-09-19 14:17 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 14:29 . 2009-09-19 14:17 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 14:29 . 2009-09-19 14:18 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 14:29 . 2009-09-19 14:18 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 14:29 . 2009-09-19 14:17 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-02-03 07:32 . 2007-12-20 13:37 3550592 ----a-w- c:\program files\procexp.exe
2007-08-31 03:36 . 2009-06-22 19:50 72138 ----a-w- c:\program files\procexp.chm
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-23 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 1037192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\fsc\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2008-5-17 1172992]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=2 (0x2)
"aspnet_state"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\KVIrc\\kvirc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Gamesz\\Soldat\\Soldat.exe"=
"c:\\Program Files\\DOSBox-0.70\\dosbox.exe"=
"c:\\Gamesz\\Netrek\\netrek.exe"=
"c:\\Gamesz\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\WinHTTrack\\WinHTTrack.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Gamesz\\World of Warcraft\\Launcher.exe"=
"c:\\Gamesz\\World of Warcraft\\Wow.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Gamesz\\NetstormLaunch\\package\\Netstorm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"15779:TCP"= 15779:TCP:SRO
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [12/21/2007 12:04 AM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [12/21/2007 12:04 AM 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/2/2008 3:07 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2008 3:07 AM 20560]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [3/8/2008 1:35 PM 8192]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 3:30 PM 25208]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [10/14/2009 3:29 PM 35448]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmumdm.sys [12/20/2007 3:58 PM 88960]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 usb2vcom;Nokia CA-42 USB;c:\windows\system32\drivers\usb2vcom.sys [12/31/2007 3:32 PM 30272]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\fsc\Application Data\Mozilla\Firefox\Profiles\vgurycmj.default\
FF - prefs.js: browser.search.selectedEngine - Wowhead
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\hijackthis\HijackThis.exe
AddRemove-Tweak UI 2.10 - c:\windows\system32\mshta.exe res://c:\windows\system32\TweakUI.exe/uninstall.hta

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 11:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A042660]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf7569cb8
\Driver\atapi -> 0x8a042660
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
Completion time: 2009-11-30 11:58
ComboFix-quarantined-files.txt 2009-11-30 09:58

Pre-Run: 1,119,391,744 bytes free
Post-Run: 1,817,374,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BE2616D29EE87A0C0E9FB8FB32624675

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:33 PM, on 11/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\fsc\Desktop\HTscan.exe <- this is my renamed HijackThis
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Notepad++\notepad++.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4C1A7FD-EA04-4DCB-9007-B838008805C6}: NameServer = 82.76.253.115 82.76.253.125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia.
- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 5259 bytes Uninstall_list: Adobe Bridge 1.0 Adobe Common File Installer Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Help Center 1.0 Adobe Photoshop CS2 Adobe Shockwave Player Adobe Stock Photos 1.0 ApexDC++ 1.1.0 Audacity 1.3.2 (Unicode) AusLogics Disk Defrag avast! Antivirus Bookworm Adventures Deluxe 1.0 CamStudio CDisplay 1.8 Command & Conquer Renegade ConvertXtoDVD 3.5.3.139 Crayon Physics Deluxe - release 51 DAEMON Tools FM Screen Capture Codec (Remove Only) Foxit Reader Free AVI to 3GP Converter 3.0 HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB976098-v2) HP Imaging Device Functions 7.0 HP Photosmart Essential HP Photosmart, Officejet and Deskjet 7.0.A HUAWEI PC Assistant V1.6.11 HWiNFO32 Version 1.78 Intel(R) Extreme Graphics 2 Driver Intel(R) PRO Network Adapters and Drivers Java(TM) 6 Update 17 Java(TM) 6 Update 3 Java(TM) 6 Update 7 KVIrc MediaCoder 0.6.1 Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 3.5 SP1 Microsoft AppLocale Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Windows Application Compatibility Database MobTime Cell Phone Manager 2007 V6.2.1 Mozilla Firefox (3.5.5) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MSXML 4.0 SP2 Parser and SDK MSXML 6 Service Pack 2 (KB973686) Nero 6 Enterprise Edition Netrek XP 2006 v1.3 Netstorm Launcher (Console) No-IP.com DUC 
(remove only) Nokia Connectivity Cable Driver Nokia PC Suite Nokia PC Suite Notepad++ OCR Software by I.R.I.S 7.0 Oni OpenOffice.org 3.0 OpenTTD 0.7.0 osu! PC Connectivity Solution Peggle (remove only) Phun beta 3.12 Project64 1.6 PunkBuster Services Quake Live Mozilla Plugin RAD Video Tools Ranch Rush Real Alternative 1.7.5 Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB974455) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371-v2) Security Update for Windows XP (KB961501) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP 
(KB971657) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974455) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Skype 3.8 Soldat 1.5.0 SoundMAX TeamSpeak 2 RC2 The KMPlayer (remove only) Theme Hospital Thrustmaster FFB Driver Unlocker 1.8.8 Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Windows Internet Explorer 8 (KB975364) Update for Windows XP (KB951978) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB973687) Update for Windows XP (KB973815) Update for Windows XP (KB976749) Uplink Ventrilo Client Ventrilo Server VisiPics V1.30 Wik & The Fable of Souls Winamp Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0) Windows Driver Package - Nokia Modem (02/15/2007 3.1) Windows Driver Package - Nokia Modem (02/15/2007 3.1) Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1) Windows Imaging Component Windows Media Format Runtime Windows XP Service Pack 3 WinHTTrack Website Copier 3.42 WinRAR archiver World of Warcraft Yahoo! Internet Mail Yahoo! Messenger ZoneAlarm Extreme Security |
#4
Junior Member
Join Date: Nov 2009
Posts: 8
Forgot to ask, can I enable my antivirus protection now?
#5
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 17,464
Hi,
IMPORTANT

I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Torrent
ApexDC++

I'd like you to read this thread. Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Uninstall Daemon Tools for now. You can reinstall it later if needed.

Please try this:
1. Go to the c:\windows\system32\drivers folder
2. Locate the file - atapi.sys
3. Drag and move the file to Desktop
4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in c:\windows\system32\drivers folder
5a. If a fresh copy is regenerated, reboot the machine
5b. If a fresh copy ISN'T regenerated, move the copy from Desktop back to c:\windows\system32\drivers folder.

If 5a was carried out, run GMER and post back the report. Are browsers redirecting?

If 5b was carried out, let me know.
__________________
Microsoft MVP Consumer Security 2008 2009
MalWare Removal University
ASAP & UNITE member since 2006
I don't help with logs thru PM. If you have problems, create a thread in the forum, please.

#6
Junior Member
Join Date: Nov 2009
Posts: 8
Hello,
Uninstalled the programs; 5a occurs (atapi.sys regenerates even after reboot). However, when I try to run GMER, it crashes some 5-10 seconds after I launch it (I tried with Avast/ZoneAlarm disabled, but the same thing happens). My browser doesn't seem to redirect anymore though. What to do next?

#7
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 17,464
Hi,
Please run ComboFix again and post back its report.
__________________
Microsoft MVP Consumer Security 2008 2009
MalWare Removal University
ASAP & UNITE member since 2006
I don't help with logs thru PM. If you have problems, create a thread in the forum, please.

#8
Junior Member
Join Date: Nov 2009
Posts: 8
Hi,
ComboFix 09-11-29.03 - fsc 11/30/2009 20:57.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.787 [GMT 2:00] Running from: c:\documents and settings\fsc\Desktop\ComboFix.exe AV: avast! antivirus 4.8.1368 [VPS 091130-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} AV: ZoneAlarm Extreme Security Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF} FW: ZoneAlarm Extreme Security Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\System32\Drivers\d347prt.sys . . . is infected!! . ((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 ))))))))))))))))))))))))))))))) . 2009-11-29 18:35 . 2009-11-29 18:35 -------- d-----w- c:\documents and settings\fsc\Application Data\icefinch.net 2009-11-29 18:32 . 2009-11-29 18:32 -------- d-----w- c:\documents and settings\fsc\Local Settings\Application Data\icefinch.net 2009-11-29 06:48 . 2009-11-29 06:48 -------- d-----w- c:\documents and settings\fsc\Application Data\MailFrontier 2009-11-28 19:34 . 2009-11-28 19:34 -------- d-----w- C:\config 2009-11-26 21:47 . 2009-11-26 21:47 -------- d-----w- c:\windows\system32\scripting 2009-11-26 21:47 . 2009-11-26 21:47 -------- d-----w- c:\windows\l2schemas 2009-11-26 21:47 . 2009-11-26 21:47 -------- d-----w- c:\windows\system32\en 2009-11-26 21:47 . 2009-11-26 21:47 -------- d-----w- c:\windows\system32\bits 2009-11-26 20:13 . 2009-11-26 20:13 -------- d-----w- c:\windows\system32\XPSViewer 2009-11-26 20:13 . 2009-11-26 20:13 -------- d-----w- c:\program files\MSBuild 2009-11-26 20:12 . 2009-11-26 20:12 -------- d-----w- c:\program files\Reference Assemblies 2009-11-26 20:11 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll 2009-11-26 20:11 . 
2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll 2009-11-26 20:11 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll 2009-11-26 20:11 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll 2009-11-26 20:11 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll 2009-11-26 20:11 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll 2009-11-26 20:11 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe 2009-11-26 20:11 . 2009-11-26 20:12 -------- d-----w- C:\cd91fa2de212cb276b9de535c5cf 2009-11-26 19:51 . 2009-11-26 19:51 -------- d-sh--w- c:\documents and settings\fsc\IETldCache 2009-11-26 19:13 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-11-26 19:07 . 2009-11-27 13:38 -------- d-----w- c:\windows\ie8updates 2009-11-26 19:04 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2009-11-26 19:04 . 2009-08-29 08:08 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll 2009-11-26 19:04 . 2009-08-29 08:08 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll 2009-11-26 19:04 . 2009-08-29 08:08 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll 2009-11-26 19:04 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2009-11-26 19:04 . 2009-08-29 08:08 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll 2009-11-26 18:58 . 2009-11-26 19:02 -------- dc-h--w- c:\windows\ie8 2009-11-26 18:20 . 2004-08-03 20:29 25471 ------w- c:\windows\system32\drivers\watv10nt.sys 2009-11-26 18:20 . 2004-08-03 20:29 22271 ------w- c:\windows\system32\drivers\watv06nt.sys 2009-11-26 18:20 . 2004-08-03 20:29 11935 ------w- c:\windows\system32\drivers\wadv11nt.sys 2009-11-26 18:20 . 2004-08-03 20:29 11871 ------w- c:\windows\system32\drivers\wadv09nt.sys 2009-11-26 18:20 . 2004-08-03 20:29 11807 ------w- c:\windows\system32\drivers\wadv07nt.sys 2009-11-26 18:20 . 
2004-08-03 20:29 11295 ------w- c:\windows\system32\drivers\wadv08nt.sys 2009-11-26 18:20 . 2004-08-03 20:41 95424 ------w- c:\windows\system32\drivers\slnthal.sys 2009-11-26 18:20 . 2004-08-03 20:41 13240 ------w- c:\windows\system32\drivers\slwdmsup.sys 2009-11-26 18:20 . 2004-08-03 20:41 404990 ------w- c:\windows\system32\drivers\slntamr.sys 2009-11-26 18:20 . 2004-08-03 20:41 129535 ------w- c:\windows\system32\drivers\slnt7554.sys 2009-11-26 18:20 . 2004-08-03 20:29 166912 ------w- c:\windows\system32\drivers\s3gnbm.sys 2009-11-26 18:20 . 2004-08-03 20:41 13776 ------w- c:\windows\system32\drivers\recagent.sys 2009-11-26 18:19 . 2004-08-03 20:29 1897408 ------w- c:\windows\system32\drivers\nv4_mini.sys 2009-11-26 18:19 . 2004-08-03 20:41 180360 ------w- c:\windows\system32\drivers\ntmtlfax.sys 2009-11-26 18:19 . 2004-08-07 00:17 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip 2009-11-26 18:19 . 2004-08-07 00:17 22060 -c----w- c:\windows\system32\dllcache\npds.zip 2009-11-26 18:19 . 2004-08-03 20:41 1309184 ------w- c:\windows\system32\drivers\mtlstrm.sys 2009-11-26 18:19 . 2004-08-03 20:29 452736 ------w- c:\windows\system32\drivers\mtxparhm.sys 2009-11-26 18:19 . 2004-08-03 20:41 126686 ------w- c:\windows\system32\drivers\mtlmnt5.sys 2009-11-26 18:19 . 2004-08-03 20:41 11868 ------w- c:\windows\system32\drivers\mdmxsdk.sys 2009-11-26 18:18 . 2004-08-03 20:41 1041536 ------w- c:\windows\system32\drivers\hsfdpsp2.sys 2009-11-26 18:18 . 2004-08-03 20:41 685056 ------w- c:\windows\system32\drivers\hsfcxts2.sys 2009-11-26 18:18 . 2004-08-03 20:41 220032 ------w- c:\windows\system32\drivers\hsfbs2s2.sys 2009-11-26 06:13 . 2009-11-26 06:13 -------- d-----w- c:\program files\MSXML 6.0 2009-11-26 06:07 . 2009-11-26 21:40 -------- d-----w- c:\windows\ServicePackFiles 2009-11-25 19:38 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys 2009-11-25 19:38 . 
2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys 2009-11-25 19:38 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys 2009-11-25 19:37 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll 2009-11-25 19:37 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys 2009-11-25 19:33 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys 2009-11-25 19:29 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll 2009-11-25 19:28 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll 2009-11-25 19:28 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe 2009-11-24 18:14 . 2009-11-24 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky SDK 2009-11-24 18:09 . 2009-11-24 18:09 -------- d-----w- c:\documents and settings\fsc\Application Data\CheckPoint 2009-11-24 18:08 . 2009-11-24 18:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla 2009-11-24 18:00 . 2009-11-30 16:34 144 ----a-w- c:\windows\system32\pdfl.dat 2009-11-24 18:00 . 2009-11-24 18:00 80 ----a-w- c:\windows\system32\ibfl.dat 2009-11-24 18:00 . 2009-11-24 18:00 144 ----a-w- c:\windows\system32\lkfl.dat 2009-11-24 17:59 . 2009-11-24 17:59 -------- d-----w- c:\program files\CheckPoint 2009-11-24 17:59 . 2009-11-30 09:03 4212 ---ha-w- c:\windows\system32\zllictbl.dat 2009-11-24 17:59 . 2009-10-16 22:39 72584 ----a-w- c:\windows\zllsputility.exe 2009-11-24 17:59 . 2009-10-12 16:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys 2009-11-24 17:58 . 2009-10-16 22:39 69000 ----a-w- c:\windows\system32\zlcomm.dll 2009-11-24 17:58 . 2009-10-16 22:39 103816 ----a-w- c:\windows\system32\zlcommdb.dll 2009-11-24 17:58 . 2009-10-16 22:39 1238408 ----a-w- c:\windows\system32\zpeng25.dll 2009-11-24 17:58 . 2009-11-24 18:14 -------- d-----w- c:\windows\system32\ZoneLabs 2009-11-24 17:48 . 
2009-11-24 17:48 -------- d-----w- c:\program files\Zone Labs 2009-11-24 17:47 . 2009-11-30 18:58 -------- d-----w- c:\windows\Internet Logs 2009-11-24 15:54 . 2009-11-24 17:47 -------- d-----w- C:\backups 2009-11-24 04:30 . 2009-11-24 04:30 152576 ----a-w- c:\documents and settings\fsc\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2009-11-24 04:30 . 2009-11-24 04:30 79488 ----a-w- c:\documents and settings\fsc\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll 2009-11-23 19:52 . 2009-11-23 19:53 -------- d-----w- C:\HijackThis 2009-11-23 18:41 . 2009-05-26 17:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe 2009-11-23 15:03 . 2009-11-25 03:45 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-11-23 15:03 . 2009-11-24 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-11-23 14:50 . 2009-11-23 14:50 -------- d-----w- c:\documents and settings\fsc\Local Settings\Application Data\Threat Expert 2009-11-23 07:35 . 2009-11-23 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2009-11-20 06:58 . 2009-11-20 06:58 -------- d-----w- c:\documents and settings\Mamik\Application Data\Yahoo! 2009-11-02 22:57 . 2009-11-02 22:57 -------- d-----w- c:\documents and settings\Mamik\Application Data\PC Suite 2009-11-02 18:53 . 2007-02-16 05:10 60273 ----a-w- c:\windows\system32\pthreadGC2.dll 2009-11-02 18:53 . 2006-10-17 20:29 487479 ----a-w- c:\windows\system32\SkinMagic.dll 2009-11-02 18:53 . 2009-11-07 06:53 -------- d-----w- c:\program files\Free AVI to 3GP Converter 2009-11-02 18:53 . 2007-04-19 13:15 7277568 ----a-w- c:\windows\system32\3gp.dll 2009-11-02 18:51 . 2009-11-02 18:51 -------- d-----w- c:\documents and settings\fsc\Application Data\Media Player Classic 2009-11-02 18:49 . 2009-11-02 18:49 34 ---ha-w- c:\windows\system32\VideoConverter_sysquict.dat 2009-11-02 18:49 . 
2009-11-02 18:51 -------- d-----w- c:\program files\Aglare iPhone to AVI MP4 WMV MPEG 3GP Converter 2009-11-02 18:33 . 2009-11-02 18:33 -------- d-----w- c:\documents and settings\fsc\Application Data\Nokia Multimedia Player . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-11-30 16:26 . 2007-12-20 19:03 -------- d-----w- c:\program files\uTorrent 2009-11-30 16:26 . 2007-12-20 19:03 -------- d-----w- c:\documents and settings\fsc\Application Data\uTorrent 2009-11-30 16:24 . 2007-12-20 12:33 -------- d-----w- c:\program files\ApexDC++ 2009-11-30 10:27 . 2009-11-26 21:51 4078423 ----a-w- c:\windows\Internet Logs\tvDebug.Zip 2009-11-29 18:32 . 2007-12-20 04:31 115720 ----a-w- c:\documents and settings\fsc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-11-27 15:26 . 2009-11-27 15:26 184033 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_11_27_17_20_17_small.dmp.zip 2009-11-27 12:23 . 2007-12-20 12:43 -------- d-----w- c:\program files\The KMPlayer 2009-11-27 07:56 . 2009-11-27 07:56 94981 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_11_27_05_54_29_small.dmp.zip 2009-11-26 21:56 . 2007-12-19 19:41 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-11-26 19:49 . 2009-11-26 19:50 142848 ----a-w- c:\windows\Internet Logs\xDB3.tmp 2009-11-26 14:58 . 2009-01-27 14:07 1 ----a-w- c:\documents and settings\fsc\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys 2009-11-26 06:20 . 2009-11-26 13:56 1829376 ----a-w- c:\windows\Internet Logs\xDB2.tmp 2009-11-26 06:20 . 2009-11-26 13:56 2058240 ----a-w- c:\windows\Internet Logs\xDB1.tmp 2009-11-24 23:54 . 2007-12-20 12:24 1280480 ----a-w- c:\windows\system32\aswBoot.exe 2009-11-24 23:51 . 2007-12-20 12:24 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys 2009-11-24 23:50 . 2007-12-20 12:24 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2009-11-24 23:50 . 
2008-04-02 01:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys 2009-11-24 23:50 . 2008-04-02 01:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2009-11-24 23:49 . 2007-12-20 12:24 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2009-11-24 23:48 . 2007-12-20 12:24 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2009-11-24 23:47 . 2007-12-20 12:24 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2009-11-24 23:47 . 2007-12-20 12:24 97480 ----a-w- c:\windows\system32\AvastSS.scr 2009-11-24 04:31 . 2007-12-20 14:40 -------- d-----w- c:\program files\Java 2009-11-23 18:41 . 2007-12-20 13:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! 2009-11-23 15:16 . 2008-06-02 13:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-11-14 13:44 . 2007-12-20 15:00 -------- d-----w- c:\documents and settings\fsc\Application Data\Yahoo! 2009-11-11 21:26 . 2008-12-21 15:06 -------- d-----w- c:\documents and settings\fsc\Application Data\Skype 2009-11-11 19:29 . 2008-12-21 15:08 -------- d-----w- c:\documents and settings\fsc\Application Data\skypePM 2009-11-10 03:35 . 2007-12-27 14:15 -------- d-----w- c:\program files\Unlocker 2009-10-29 14:44 . 2008-01-28 16:39 -------- d-----w- c:\documents and settings\fsc\Application Data\Audacity 2009-10-23 13:05 . 2007-12-29 14:30 -------- d-----w- c:\program files\HUAWEI PC Assistant 2009-10-21 03:11 . 2009-10-06 17:21 16 ----a-w- c:\windows\popcinfot.dat 2009-10-17 04:07 . 2009-10-17 04:07 152576 ----a-w- c:\documents and settings\fsc\Application Data\Sun\Java\jre1.6.0_16\lzma.dll 2009-10-11 02:17 . 2008-12-10 11:55 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-10-06 17:21 . 2009-10-06 17:21 0 ----a-w- c:\windows\popcreg.dat 2009-10-04 06:21 . 2009-03-31 11:28 -------- d-----w- c:\program files\QuickTime 2009-10-04 06:21 . 
2009-03-31 11:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer 2009-10-04 06:18 . 2008-01-08 13:03 -------- d-----w- c:\program files\Macromedia 2009-10-04 05:45 . 2009-06-12 11:39 -------- d-----w- c:\program files\DOSBox-0.73 2009-09-19 15:13 . 2009-09-19 15:13 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstCCD.exe 2009-09-19 15:13 . 2009-09-19 15:13 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCSFEMsi.exe 2009-09-19 15:13 . 2009-09-19 15:13 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Installations\CommonCustomActions\UninstPCS.exe 2009-09-11 14:18 . 2004-08-04 04:56 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-09 16:46 . 2009-08-29 09:29 355392 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll 2009-09-09 16:46 . 2009-08-29 09:29 179264 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\baseq3\uix86.dll 2009-09-09 15:49 . 2009-08-29 17:12 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-09-09 15:49 . 2009-08-29 09:14 189784 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-09-09 15:48 . 2009-08-29 09:29 874660 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\pb\pbcl.dll 2009-09-09 15:48 . 2009-08-29 09:29 57344 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\pb\pbag.dll 2009-09-09 15:48 . 2009-08-29 09:29 2661440 ----a-w- c:\documents and settings\fsc\Application Data\id Software\quakelive\home\baseq3\quakelive.dll 2009-09-04 21:03 . 2004-08-04 04:56 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-09-04 14:44 . 
2009-09-19 14:18 515416 ----a-w- c:\windows\system32\XAudio2_5.dll 2009-09-04 14:44 . 2009-09-19 14:18 238936 ----a-w- c:\windows\system32\xactengine3_5.dll 2009-09-04 14:44 . 2009-09-19 14:17 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll 2009-09-04 14:29 . 2009-09-19 14:17 235344 ----a-w- c:\windows\system32\d3dx11_42.dll 2009-09-04 14:29 . 2009-09-19 14:17 453456 ----a-w- c:\windows\system32\d3dx10_42.dll 2009-09-04 14:29 . 2009-09-19 14:18 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll 2009-09-04 14:29 . 2009-09-19 14:18 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll 2009-09-04 14:29 . 2009-09-19 14:17 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll 2009-02-03 07:32 . 2007-12-20 13:37 3550592 ----a-w- c:\program files\procexp.exe 2007-08-31 03:36 . 2009-06-22 19:50 72138 ----a-w- c:\program files\procexp.chm . ((((((((((((((((((((((((((((( SnapShot@2009-11-30_09.52.09 ))))))))))))))))))))))))))))))))))))))))) . + 2009-11-30 18:55 . 2009-11-30 18:55 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat + 2009-11-30 18:54 . 2009-11-30 18:54 16384 c:\windows\Temp\Perflib_Perfdata_748.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000] "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 1037192] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088] c:\documents and settings\fsc\Start Menu\Programs\Startup\ No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2008-5-17 1172992] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "Pml Driver HPZ12"=2 (0x2) "aspnet_state"=3 (0x3) "Adobe LM Service"=3 (0x3) "aawservice"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\KVIrc\\kvirc.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital 
Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Gamesz\\Soldat\\Soldat.exe"=
"c:\\Program Files\\DOSBox-0.70\\dosbox.exe"=
"c:\\Gamesz\\Netrek\\netrek.exe"=
"c:\\Gamesz\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\WinHTTrack\\WinHTTrack.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Gamesz\\World of Warcraft\\Launcher.exe"=
"c:\\Gamesz\\World of Warcraft\\Wow.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Gamesz\\NetstormLaunch\\package\\Netstorm.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881
"15779:TCP"= 15779:TCP:SRO
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [12/21/2007 12:04 AM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [12/21/2007 12:04 AM 5248]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/2/2008 3:07 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/2/2008 3:07 AM 20560]
R2 HWiNFO32;HWiNFO32 Kernel Driver;c:\program files\HWiNFO32\HWiNFO32.SYS [3/8/2008 1:35 PM 8192]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [10/14/2009 3:30 PM 25208]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 icsak;icsak;c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [10/14/2009 3:29 PM 35448]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmumdm.sys [12/20/2007 3:58 PM 88960]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 usb2vcom;Nokia CA-42 USB;c:\windows\system32\drivers\usb2vcom.sys [12/31/2007 3:32 PM 30272]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\fsc\Application Data\Mozilla\Firefox\Profiles\vgurycmj.default\
FF - prefs.js: browser.search.selectedEngine - Wowhead
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-30 21:16
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89F3BF00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf7569cb8
\Driver\atapi -> 0x89f3bf00
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
Completion time: 2009-11-30 21:22
ComboFix-quarantined-files.txt 2009-11-30 19:22
ComboFix2.txt 2009-11-30 09:58
Pre-Run: 1,812,918,272 bytes free
Post-Run: 1,788,833,792 bytes free
- - End Of File - - 705982C68E29052CCC1F904D93D22902
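As an added example, not part of this thread and not code from Gmer or ComboFix, the parser below reads lines shaped like the MBR detector section above and flags driver hooks whose pointer does not resolve to any loaded module, which is what the \Driver\atapi line shows and what the reply that follows acts on. The sample lines are constructed to match the log format, and the function names are mine.

```python
import re

# Constructed sample, shaped like the Gmer MBR-detector section of the
# ComboFix log quoted in this thread; not the tool's own code or output.
SAMPLE_LOG = r"""
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89F3BF00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf7569cb8
\Driver\atapi -> 0x89f3bf00
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
Warning: possible MBR rootkit infection !
"""

# "\Driver\X -> MODULE @ 0xADDR" (resolved) or "\Driver\X -> 0xADDR" (bare address)
HOOK_RE = re.compile(
    r"^(?P<target>\\Driver\\\S+) -> (?:(?P<module>\S+) @ )?(?P<addr>0x[0-9a-fA-F]+)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")

def unknown_regions(log_text):
    """Addresses the detector could not map to any loaded module (lowercased)."""
    return {a.lower() for a in UNKNOWN_RE.findall(log_text)}

def parse_driver_hooks(log_text):
    """One dict per \\Driver\\... hook line: target, module (None if bare), addr."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({"target": m.group("target"), "module": m.group("module"),
                          "addr": m.group("addr").lower()})
    return hooks

def flag_unresolved_hooks(log_text):
    """Hook targets whose pointer lands outside every known module: hooks into
    CLASSPNP.SYS or ACPI.sys are the normal filter chain, while a bare address
    or one inside an UNKNOWN region is the atapi indicator this thread acts on."""
    unknown = unknown_regions(log_text)
    return [h["target"] for h in parse_driver_hooks(log_text)
            if h["module"] is None or h["addr"] in unknown]

if __name__ == "__main__":
    for target in flag_unresolved_hooks(SAMPLE_LOG):
        print("unresolved driver hook:", target)  # \Driver\atapi
```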
#9
Security Expert
Join Date: Oct 2006
Location: Finland
Posts: 17,464
Hi,
Upload the c:\windows\System32\Drivers\d347prt.sys file to http://www.virustotal.com and post back the results.

Please try this:
1. Go to the c:\windows\system32\drivers folder
2. Locate the file - atapi.sys
3. Drag and move the file to Desktop
4. Wait 5 secs and press F5 to see if the operating system regenerated a fresh copy in the c:\windows\system32\drivers folder
5a. If a fresh copy is regenerated, reboot the machine
5b. If a fresh copy ISN'T regenerated, move the copy from Desktop back to the c:\windows\system32\drivers folder.

If 5a was carried out, run GMER and post back the report. Are browsers redirecting?
If 5b was carried out, let me know.
__________________
Microsoft MVP Consumer Security 2008 2009
MalWare Removal University
ASAP & UNITE member since 2006
I don't help with logs thru PM. If you have problems create a thread in the forum, please.
#10
Junior Member
Join Date: Nov 2009
Posts: 8
Hi,
Here's the result: http://www.virustotal.com/analisis/4...2a8-1259611770
File d347prt.sys received on 2009.11.30 20:09:30 (UTC)
Current status: finished
Result: 0/41 (0.00%)

Same thing as last time: 5a happens, atapi.sys regenerates, GMER still crashes with a fatal error, and the browsers are still no longer redirecting.