
View Full Version : Copy-book.com infection



pumbaa44
2008-11-16, 19:20
Hi, I recently had a variety of trojan-type infections. After several runs through with Avast, Spybot & CCleaner my system is still struggling.
Avast won't complete scans and seems to lock up. Then I noticed several times copy-book.com seeming to be directing my URLs.

Saw other threads on the same subject - have downloaded HJT and the log will follow. Help most appreciated, thanks.


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56:22, on 16/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackCheckThis\HijackCheckThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://uk.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /M "Stylus Photo RX420" /EF "HKCU"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{10075B28-D2AA-4694-9AB1-8EB4A9D6CB55}: NameServer = 85.255.112.159;85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4A36BB8-FED1-4648-93EF-9971EF48632C}: NameServer = 85.255.112.159;85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{10075B28-D2AA-4694-9AB1-8EB4A9D6CB55}: NameServer = 85.255.112.159;85.255.112.23
O17 - HKLM\System\CS2\Services\Tcpip\..\{10075B28-D2AA-4694-9AB1-8EB4A9D6CB55}: NameServer = 85.255.112.159;85.255.112.23
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7713 bytes

Blade81
2008-11-17, 08:46
Hi

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.


After that please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

pumbaa44
2008-11-18, 01:34
Hi... have tried this but sadly the computer generally says no...
Malwarebytes installed fine but never ran a full scan to completion. After some trial and error I found that when it got to the "System Volume Information" folder it simply hung and went no further. I have 2 partitions and it does the same on both. If I select that folder alone and right-click and malware-scan it, it just hangs again...?

Ran and aborted before the usual hang point - resulted in 9 infections - removed. Then, selecting all in C: except the SVI folder, ran again and found 2 infections - again removed.
Both log files follow:

Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 2

17/11/2008 22:15:43
mbam-log-2008-11-17 (22-15-43).txt

Scan type: Quick Scan
Objects scanned: 16652
Time elapsed: 2 hour(s), 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-------------------------------

Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 2

17/11/2008 23:18:17
mbam-log-2008-11-17 (23-18-17).txt

Scan type: Quick Scan
Objects scanned: 59435
Time elapsed: 11 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\MSN Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\MSN Messenger\riched20.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.

-----------------------

Ran combofix - log file follows:

ComboFix 08-11-16.05 - Matt 2008-11-17 22:51:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.455 [GMT 0:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\resycled
c:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-17 20:32 . 2008-11-17 20:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-17 20:32 . 2008-11-17 20:32 <DIR> d-------- c:\documents and settings\Matt\Application Data\Malwarebytes
2008-11-17 20:32 . 2008-11-17 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-17 20:32 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-17 20:32 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-16 20:49 . 2008-11-16 20:49 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-16 16:53 . 2008-11-16 16:56 <DIR> d-------- c:\program files\HijackCheckThis
2008-11-15 13:50 . 2008-11-15 13:50 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-15 13:50 . 2008-11-15 13:50 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-15 13:50 . 2008-11-15 13:50 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-15 13:50 . 2008-11-15 13:50 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-14 23:53 . 2008-11-14 23:53 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-11 20:43 . 2008-11-11 20:44 <DIR> d-------- c:\program files\Magic Video Converter
2008-11-11 20:43 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2008-11-11 20:43 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2008-11-11 20:43 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2008-11-10 20:16 . 2008-11-10 20:23 <DIR> d-------- c:\program files\mkvtoavi
2008-11-01 17:26 . 2008-11-01 17:26 <DIR> d-------- c:\program files\foobar2000
2008-11-01 17:26 . 2008-11-01 17:26 <DIR> d-------- c:\documents and settings\Matt\Application Data\foobar2000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-17 22:55 4,857,888 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-16 23:13 64,424 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-16 22:18 1,409,024 ----a-w c:\windows\Internet Logs\xDB124.tmp
2008-11-16 21:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-16 20:49 --------- d-----w c:\program files\Java
2008-11-16 17:11 --------- d-----w c:\program files\PeerGuardian2
2008-11-15 14:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-14 19:56 --------- d-----w c:\documents and settings\Matt\Application Data\Vso
2008-11-11 21:37 --------- d-----w c:\documents and settings\Matt\Application Data\uTorrent
2008-11-01 17:31 60,416 ----a-w c:\windows\Internet Logs\xDB123.tmp
2008-11-01 16:19 --------- d-----w c:\program files\Symantec
2008-11-01 16:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-24 17:34 --------- d-----w c:\program files\VIA
2008-10-22 19:56 --------- d-----w c:\documents and settings\Matt\Application Data\Yahoo!
2008-10-22 19:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-22 19:47 40,960 ----a-w c:\windows\Internet Logs\xDB122.tmp
2008-10-19 09:08 18,944 ----a-w c:\windows\Internet Logs\xDB121.tmp
2008-10-19 08:01 27,262,976 ----a-w C:\VIRTPART.DAT
2008-10-19 07:56 17,408 ----a-w c:\windows\Internet Logs\xDB120.tmp
2008-10-18 16:19 18,432 ----a-w c:\windows\Internet Logs\xDB11F.tmp
2008-10-18 15:25 17,408 ----a-w c:\windows\Internet Logs\xDB11E.tmp
2008-10-10 13:14 44,032 ----a-w c:\windows\Internet Logs\xDB11D.tmp
2008-10-07 08:06 5,047,808 ----a-w c:\windows\Internet Logs\xDB11C.tmp
2008-10-06 19:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-03 06:14 38,912 ----a-w c:\windows\Internet Logs\xDB11B.tmp
2008-10-02 20:33 --------- d-----w c:\program files\PowerQuest
2008-10-02 16:06 --------- d-----w c:\documents and settings\Matt\Application Data\Symantec
2008-10-02 16:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-09-30 22:10 18,944 ----a-w c:\windows\Internet Logs\xDB11A.tmp
2008-09-30 21:23 17,408 ----a-w c:\windows\Internet Logs\xDB119.tmp
2008-09-30 20:49 17,920 ----a-w c:\windows\Internet Logs\xDB118.tmp
2008-09-30 20:42 17,408 ----a-w c:\windows\Internet Logs\xDB117.tmp
2008-09-30 20:37 21,504 ----a-w c:\windows\Internet Logs\xDB116.tmp
2008-09-30 20:37 --------- d-----w c:\program files\AVerTV DVB-T
2008-09-21 20:28 32,256 ----a-w c:\windows\Internet Logs\xDB115.tmp
2008-09-13 17:36 79,360 ----a-w c:\windows\Internet Logs\xDB114.tmp
2008-09-05 18:46 21,504 ----a-w c:\windows\Internet Logs\xDB113.tmp
2008-09-05 18:33 35,328 ----a-w c:\windows\Internet Logs\xDB112.tmp
2008-09-05 16:59 22,528 ----a-w c:\windows\Internet Logs\xDB111.tmp
2008-09-05 16:53 25,088 ----a-w c:\windows\Internet Logs\xDB110.tmp
2008-09-05 16:35 24,064 ----a-w c:\windows\Internet Logs\xDB10F.tmp
2008-09-05 16:20 21,504 ----a-w c:\windows\Internet Logs\xDB10E.tmp
2008-09-04 22:34 40,448 ----a-w c:\windows\Internet Logs\xDB10D.tmp
2008-08-30 13:15 1,402,880 ----a-w c:\windows\Internet Logs\xDB10C.tmp
2008-08-28 21:57 408,064 ----a-w c:\windows\Internet Logs\xDB10B.tmp
2008-08-28 19:47 4,997,120 ----a-w c:\windows\Internet Logs\xDB10A.tmp
2008-08-28 19:47 2,807,808 ----a-w c:\windows\Internet Logs\xDB109.tmp
2008-08-24 23:07 2,712,064 ----a-w c:\windows\Internet Logs\xDB108.tmp
2008-08-23 12:05 4,994,560 ----a-w c:\windows\Internet Logs\xDB107.tmp
2008-08-23 12:05 2,895,360 ----a-w c:\windows\Internet Logs\xDB106.tmp
2008-08-20 12:07 78,848 ----a-w c:\windows\Internet Logs\xDB105.tmp
2007-02-05 22:05 87,608 -c--a-w c:\documents and settings\Matt\Application Data\ezpinst.exe
2007-02-05 22:05 47,360 -c--a-w c:\documents and settings\Matt\Application Data\pcouffin.sys
2006-02-25 12:37 17,920 -c--a-w c:\documents and settings\Matt\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1382400]
"EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"LWBMOUSE"="c:\program files\iWare\iWare Mouse\3.2\MOUSE32A.EXE" [2002-05-24 357376]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA101 Configuration Utility .lnk - c:\program files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe [2008-07-03 163916]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\MP3POW~1\CLMP3Enc.ACM
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"ehTray"=c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-05 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-05 20560]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2005-06-07 17149]
R3 NETGEAR NETGEAR_MA101_USB_Adapter(R);NETGEAR NETGEAR_MA101_USB_Adapter(R) Service for NETGEAR MA101 USB Adapter;c:\windows\system32\DRIVERS\ma1012kr.sys [2008-07-03 93312]
S2 ATTSCAP;AVerMedia, WDM MPEG-2 TS Capture (DVBT);c:\windows\system32\drivers\attscap.sys [2005-06-07 18048]
S2 ATVCAP;AVerMedia, DVB-T WDM Video Capture;c:\windows\system32\drivers\atvcap.sys [2005-06-07 56320]
S2 ATXBAR;AVerMedia, DVB-T WDM Crossbar;c:\windows\system32\drivers\ATXBAR.sys [2005-06-07 8576]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys [2006-12-08 12800]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-14 27904]
S3 NETGEAR NETGEAR MA101 USB Adapter(R);NETGEAR NETGEAR MA101 USB Adapter(R) Service for NETGEAR MA101 USB Adapter;c:\windows\system32\DRIVERS\ma1012kr.sys [2008-07-03 93312]
S4 PRTGService;PRTG Service;c:\program files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85826661-74e3-11db-bed9-00095b57065e}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection c:\program files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\447hhi1d.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 22:55:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo RX420 Series = c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /M "Stylus Photo RX420" /EF "HKCU"??l???????T?????????o?????????l?????????????????????o?????????J?A~????????l????????????????cE~????????l???@????????????????????? ???????A~??Z???????????A~???????????????????????????????|??????????Z?????????????@???`cE~??A~-?B~?? ??????????? ?????????&?????C?$???????????4????YB~?? ?????????????P???????????????T????YB~????P???????{S??????????????X?C~????P???????j?C~P???????8???????????`??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-17 22:56:21
ComboFix-quarantined-files.txt 2008-11-17 22:56:18

Pre-Run: 6,380,994,560 bytes free
Post-Run: 6,527,942,656 bytes free

179


------------------

ran HJT - log file follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:20:06, on 17/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackCheckThis\HijackCheckThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /M "Stylus Photo RX420" /EF "HKCU"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CS2\Services\Tcpip\..\{10075B28-D2AA-4694-9AB1-8EB4A9D6CB55}: NameServer = 85.255.112.159;85.255.112.23
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7055 bytes


---------

I haven't run Malwarebytes on my larger partition - can do that if need be. (C = 20Gb, E = 480Gb)
Note - just before posting this I checked Google and there didn't seem to be the copy-book redirection I have noticed in the status bar, but the system still seems to be running below norm...

Thanks

Blade81
2008-11-18, 09:09
Hi

Let's reset your system restore to see if it helps MBAM run through without hanging.


1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


After that run MBAM and include all partitions in the scan. Post back its report and continue with the steps below.

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

c:\documents and settings\Matt\Application Data\uTorrent
c:\Program Files\uTorrent

Empty Recycle Bin.

After that:



Start hjt, do a system scan, check (if found):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O17 - HKLM\System\CS2\Services\Tcpip\..\{10075B28-D2AA-4694-9AB1-8EB4A9D6CB55}: NameServer = 85.255.112.159;85.255.112.23

Close browsers and fix checked.



Open notepad and copy/paste the text in the quotebox below into it:



Folder::
c:\documents and settings\Matt\Application Data\uTorrent
c:\Program Files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent.exe"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.


PS. If you have a router, log in to it and check its primary and secondary DNS server IP addresses, please.
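
Blade81's O17 fix and router DNS check above come down to one test: do the resolvers the machine is configured with match what the ISP actually hands out? As an added example (not code from this thread or from HijackThis), this Python script pulls the O17 NameServer entries out of an HJT log and marks each server as expected, unexpected, or inside a known rogue range; the ISP resolver addresses and the extra interface GUIDs are constructed placeholders, and the rogue range is the 85.255.112.0/20 block from the FBI's published DNSChanger indicator list.

```python
import ipaddress
import re

# Rogue resolver range from the FBI's published DNSChanger (Operation Ghost Click)
# indicator list; the O17 servers in this thread (85.255.112.159, 85.255.112.23) fall in it.
KNOWN_ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]

# Matches HijackThis O17 lines: "O17 - <registry key>: NameServer = ip[;ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[0-9A-Fa-f:.;, ]+)$")


def parse_o17(log_text):
    """Return a list of (registry_key, [ip_address, ...]) for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.rstrip())
        if not m:
            continue
        servers = []
        for raw in re.split(r"[;,\s]+", m.group("servers")):
            if not raw:
                continue
            try:
                servers.append(ipaddress.ip_address(raw))
            except ValueError:
                # malformed token (e.g. "1.2.3"): skip it but keep the rest of the line
                continue
        entries.append((m.group("key"), servers))
    return entries


def classify_dns(ip, expected):
    """'known-rogue' wins over 'expected': an ISP never hands out a listed rogue range."""
    if any(ip in net for net in KNOWN_ROGUE_DNS):
        return "known-rogue"
    if ip in expected:
        return "expected"
    return "unexpected"


def audit_hjt_log(log_text, expected_servers):
    """Return (registry_key, server, verdict) for every NameServer the log lists.

    expected_servers are the resolvers the router/ISP really hands out (what Blade81
    asked the poster to read off the router); anything else deserves a look.
    """
    expected = {ipaddress.ip_address(s) for s in expected_servers}
    findings = []
    for key, servers in parse_o17(log_text):
        for ip in servers:
            findings.append((key, str(ip), classify_dns(ip, expected)))
    return findings


def suspicious(findings):
    """Only the entries that do not match the router's resolvers."""
    return [f for f in findings if f[2] != "expected"]


# Constructed sample: the O17 line from this thread plus two invented interfaces,
# one pointing at placeholder (RFC 5737) ISP resolvers and one at a stray address.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O17 - HKLM\System\CS2\Services\Tcpip\..\{10075B28-D2AA-4694-9AB1-8EB4A9D6CB55}: NameServer = 85.255.112.159;85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53,192.0.2.54
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: NameServer = 198.51.100.9
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Placeholder ISP resolvers (RFC 5737 documentation addresses), as read from the router.
EXPECTED_ISP_DNS = ["192.0.2.53", "192.0.2.54"]

if __name__ == "__main__":
    for key, ip, verdict in audit_hjt_log(SAMPLE_LOG, EXPECTED_ISP_DNS):
        print(f"{verdict:12} {ip:16} {key}")
```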

pumbaa44
2008-11-20, 01:14
OK, tried that but get errors on selecting the System Restore tab...
Got the following from Event Viewer:


Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 19/11/2008
Time: 23:09:45
User: N/A
Computer: XCUBE
Description:
Faulting application rundll32.exe, version 5.1.2600.2180, faulting module srrstr.dll, version 5.1.2600.2180, fault address 0x000099b2.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

and

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 19/11/2008
Time: 23:09:50
User: N/A
Computer: XCUBE
Description:
Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:

MBAM still the same, uTorrent removed...

Shall I try the other stuff?

pumbaa44
2008-11-20, 01:15
Sorry, should have said System Properties locks up after those 2 errors.
thanks

pumbaa44
2008-11-20, 01:20
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Date: 19/11/2008
Time: 23:15:07
User: N/A
Computer: XCUBE
Description:
The System Restore Service service terminated with the following error:
The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


K online scanner won't run ... message of "srarting aplet has failed. please go online to use this program" .. am online ... so...?

Shall I just take an axe to the HDD?

pumbaa44
2008-11-20, 10:51
Things are starting to play ball...

1st HJT log.
R0 (only the one as you had typed) present and fixed, O17 not there.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:11:21, on 20/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Matt\Local Settings\Temp\jkos-Matt\binaries\ScanningProcess.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\HijackCheckThis\HijackCheckThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.detoate.home.ro
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /M "Stylus Photo RX420" /EF "HKCU"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: &Search - ?p=ZK
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7058 bytes


ComboFix ran OK

ComboFix 08-11-19.06 - Matt 2008-11-20 8:18:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.538 [GMT 0:00]
Running from: c:\documents and settings\Matt\Desktop\Hijacked\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\Hijacked\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\components\iamfamous.dll
E:\resycled
e:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-17 20:32 . 2008-11-17 20:32 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-17 20:32 . 2008-11-17 20:32 <DIR> d-------- c:\documents and settings\Matt\Application Data\Malwarebytes
2008-11-17 20:32 . 2008-11-17 20:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-17 20:32 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-17 20:32 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-16 20:49 . 2008-11-16 20:49 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-16 16:53 . 2008-11-20 08:12 <DIR> d-------- c:\program files\HijackCheckThis
2008-11-15 13:50 . 2008-11-15 13:50 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-15 13:50 . 2008-11-15 13:50 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-15 13:50 . 2008-11-15 13:50 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-15 13:50 . 2008-11-15 13:50 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-14 23:53 . 2008-11-14 23:53 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-11 20:43 . 2008-11-11 20:44 <DIR> d-------- c:\program files\Magic Video Converter
2008-11-11 20:43 . 2004-05-26 21:37 719,872 --a------ c:\windows\system32\devil.dll
2008-11-11 20:43 . 2003-03-19 11:03 544,768 --a------ c:\windows\system32\msvcr71d.dll
2008-11-11 20:43 . 2006-09-16 19:44 314,368 --a------ c:\windows\system32\avisynth.dll
2008-11-10 20:16 . 2008-11-10 20:23 <DIR> d-------- c:\program files\mkvtoavi
2008-11-01 17:26 . 2008-11-01 17:26 <DIR> d-------- c:\program files\foobar2000
2008-11-01 17:26 . 2008-11-01 17:26 <DIR> d-------- c:\documents and settings\Matt\Application Data\foobar2000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 23:27 5,019,680 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-19 19:32 66,104 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-18 08:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-17 23:18 --------- d-----w c:\program files\MSN Messenger
2008-11-16 22:18 1,409,024 ----a-w c:\windows\Internet Logs\xDB124.tmp
2008-11-16 20:49 --------- d-----w c:\program files\Java
2008-11-16 17:11 --------- d-----w c:\program files\PeerGuardian2
2008-11-15 14:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-14 19:56 --------- d-----w c:\documents and settings\Matt\Application Data\Vso
2008-11-01 17:31 60,416 ----a-w c:\windows\Internet Logs\xDB123.tmp
2008-11-01 16:19 --------- d-----w c:\program files\Symantec
2008-11-01 16:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-24 17:34 --------- d-----w c:\program files\VIA
2008-10-22 19:56 --------- d-----w c:\documents and settings\Matt\Application Data\Yahoo!
2008-10-22 19:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-22 19:47 40,960 ----a-w c:\windows\Internet Logs\xDB122.tmp
2008-10-19 09:08 18,944 ----a-w c:\windows\Internet Logs\xDB121.tmp
2008-10-19 08:01 27,262,976 ----a-w C:\VIRTPART.DAT
2008-10-19 07:56 17,408 ----a-w c:\windows\Internet Logs\xDB120.tmp
2008-10-18 16:19 18,432 ----a-w c:\windows\Internet Logs\xDB11F.tmp
2008-10-18 15:25 17,408 ----a-w c:\windows\Internet Logs\xDB11E.tmp
2008-10-10 13:14 44,032 ----a-w c:\windows\Internet Logs\xDB11D.tmp
2008-10-07 08:06 5,047,808 ----a-w c:\windows\Internet Logs\xDB11C.tmp
2008-10-06 19:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-03 06:14 38,912 ----a-w c:\windows\Internet Logs\xDB11B.tmp
2008-10-02 20:33 --------- d-----w c:\program files\PowerQuest
2008-10-02 16:06 --------- d-----w c:\documents and settings\Matt\Application Data\Symantec
2008-10-02 16:06 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-09-30 22:10 18,944 ----a-w c:\windows\Internet Logs\xDB11A.tmp
2008-09-30 21:23 17,408 ----a-w c:\windows\Internet Logs\xDB119.tmp
2008-09-30 20:49 17,920 ----a-w c:\windows\Internet Logs\xDB118.tmp
2008-09-30 20:42 17,408 ----a-w c:\windows\Internet Logs\xDB117.tmp
2008-09-30 20:37 21,504 ----a-w c:\windows\Internet Logs\xDB116.tmp
2008-09-30 20:37 --------- d-----w c:\program files\AVerTV DVB-T
2008-09-21 20:28 32,256 ----a-w c:\windows\Internet Logs\xDB115.tmp
2008-09-13 17:36 79,360 ----a-w c:\windows\Internet Logs\xDB114.tmp
2008-09-05 18:46 21,504 ----a-w c:\windows\Internet Logs\xDB113.tmp
2008-09-05 18:33 35,328 ----a-w c:\windows\Internet Logs\xDB112.tmp
2008-09-05 16:59 22,528 ----a-w c:\windows\Internet Logs\xDB111.tmp
2008-09-05 16:53 25,088 ----a-w c:\windows\Internet Logs\xDB110.tmp
2008-09-05 16:35 24,064 ----a-w c:\windows\Internet Logs\xDB10F.tmp
2008-09-05 16:20 21,504 ----a-w c:\windows\Internet Logs\xDB10E.tmp
2008-09-04 22:34 40,448 ----a-w c:\windows\Internet Logs\xDB10D.tmp
2008-08-30 13:15 1,402,880 ----a-w c:\windows\Internet Logs\xDB10C.tmp
2008-08-28 21:57 408,064 ----a-w c:\windows\Internet Logs\xDB10B.tmp
2008-08-28 19:47 4,997,120 ----a-w c:\windows\Internet Logs\xDB10A.tmp
2008-08-28 19:47 2,807,808 ----a-w c:\windows\Internet Logs\xDB109.tmp
2008-08-24 23:07 2,712,064 ----a-w c:\windows\Internet Logs\xDB108.tmp
2008-08-23 12:05 4,994,560 ----a-w c:\windows\Internet Logs\xDB107.tmp
2008-08-23 12:05 2,895,360 ----a-w c:\windows\Internet Logs\xDB106.tmp
2008-08-20 12:07 78,848 ----a-w c:\windows\Internet Logs\xDB105.tmp
2007-02-05 22:05 87,608 -c--a-w c:\documents and settings\Matt\Application Data\ezpinst.exe
2007-02-05 22:05 47,360 -c--a-w c:\documents and settings\Matt\Application Data\pcouffin.sys
2006-02-25 12:37 17,920 -c--a-w c:\documents and settings\Matt\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-11-17_22.55.41.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-17 20:18:45 62,344 ----a-w c:\windows\system32\perfc009.dat
+ 2008-11-19 19:39:40 62,344 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-17 20:18:45 401,064 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-19 19:39:40 401,064 ----a-w c:\windows\system32\perfh009.dat
+ 2008-11-19 19:35:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_470.dat
+ 2008-11-19 19:33:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1382400]
"EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"LWBMOUSE"="c:\program files\iWare\iWare Mouse\3.2\MOUSE32A.EXE" [2002-05-24 357376]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA101 Configuration Utility .lnk - c:\program files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe [2008-07-03 163916]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\MP3POW~1\CLMP3Enc.ACM
"vidc.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install
"ehTray"=c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\InterVideo\\DVD6\\WinDVD.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-05 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-04-05 20560]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\windows\system32\DNINDIS5.SYS [2005-06-07 17149]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-17 38496]
R3 NETGEAR NETGEAR_MA101_USB_Adapter(R);NETGEAR NETGEAR_MA101_USB_Adapter(R) Service for NETGEAR MA101 USB Adapter;c:\windows\system32\DRIVERS\ma1012kr.sys [2008-07-03 93312]
S2 ATTSCAP;AVerMedia, WDM MPEG-2 TS Capture (DVBT);c:\windows\system32\drivers\attscap.sys [2005-06-07 18048]
S2 ATVCAP;AVerMedia, DVB-T WDM Video Capture;c:\windows\system32\drivers\atvcap.sys [2005-06-07 56320]
S2 ATXBAR;AVerMedia, DVB-T WDM Crossbar;c:\windows\system32\drivers\ATXBAR.sys [2005-06-07 8576]
S3 Amps2prt;A4Tech PS/2 Port Mouse Driver;c:\windows\system32\DRIVERS\Amps2prt.sys [2006-12-08 12800]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-14 27904]
S3 NETGEAR NETGEAR MA101 USB Adapter(R);NETGEAR NETGEAR MA101 USB Adapter(R) Service for NETGEAR MA101 USB Adapter;c:\windows\system32\DRIVERS\ma1012kr.sys [2008-07-03 93312]
S4 PRTGService;PRTG Service;c:\program files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85826661-74e3-11db-bed9-00095b57065e}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{969B3B70-8765-11D5-9809-0050BACBF861}]
rundll32.exe advpack.dll,LaunchINFSection c:\program files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 08:20:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo RX420 Series = c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /M "Stylus Photo RX420" /EF "HKCU"??l???????T?????????o?????????l?????????????????????o?????????J?A~????????l????????????????cE~????????l???@????????????????????? ???????A~??Z???????????A~???????????????????????????????|??????????Z?????????????@???`cE~??A~-?B~?? ??????????? ?????????&?????C?$???????????4????YB~?? ?????????????P???????????????T????YB~????P???????{S??????????????X?C~????P???????j?C~P???????8???????????`??

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-20 8:22:02
ComboFix-quarantined-files.txt 2008-11-20 08:21:58
ComboFix2.txt 2008-11-17 22:56:24

Pre-Run: 6,347,939,840 bytes free
Post-Run: 6,383,312,896 bytes free

184


ATF done.

KAS seems to start OK without the error message too. Will post log later.

pumbaa44
2008-11-20, 10:55
Do you want me to post DNS addresses from router?

BTW - there were 3 DNS zones set up in ZoneAlarm as trusted. Hadn't noticed this before so removed them as it seemed suspicious. I did this about a week ago before starting this thread.

Blade81
2008-11-20, 21:19
Hi

Let's check system restore issue at this point (make sure you have XP media available, it may be needed):

1. Click Start->Run->Type "C:\windows\inf" (without the quotes)
2. Look for a file named: SR.INF and RIGHT click on it
3. Choose "Install".
4. In the Files Needed dialog box, click Browse. Locate the Sr.sys file in the i386 folder of the Windows XP CD, (or a good option for those without a Windows XP CD would be to browse the computer itself in the “C\i386” folder) click the “Sr.sys” file, and then click OK.
Follow the prompts, Reboot and System Restore should be ready to use.


Check also the router DNS IP address settings.

pumbaa44
2008-11-21, 00:04
OK, sys res working now.
Ran MBAM and again locked up partway through the full scan... closed and ran a quick scan which pulled up 2 items - fixed. Log follows:

Malwarebytes' Anti-Malware 1.30
Database version: 1405
Windows 5.1.2600 Service Pack 2

20/11/2008 21:08:37
mbam-log-2008-11-20 (21-08-37).txt

Scan type: Quick Scan
Objects scanned: 53205
Time elapsed: 3 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ubervid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Ran full scan and locked up at same file
"C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\iamfamous.dll.vir"


Checked DNS addresses; all point at blueyonder (Virgin), which is my ISP.

Blade81
2008-11-21, 07:57
Hi

Did you reset the system restore too? Please try defragging your hard drive and after that run scandisk by this (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/kbtip.mspx) set of instructions to see if those help with the hanging issue.

Blade81
2008-11-28, 17:39
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.