Firefox Crashing, Google Getting Redirected
Annealator
2009-04-14, 03:15
Recently Firefox has begun to crash intermittently. Also when clicking on the results of a Google search the browser will redirect to a random site. Lastly my AVG Free anti-virus will no longer connect to the update site.
I have tried running a full scan with AVG. It comes up clean, as does an AdAware scan.
After discovering the problem I added and updated Spybot, Spywareblaster, and Malwarebytes. All scans come back clean.
Please help. I have backed up my registry just prior to this post.
System before infection...
OS: Windows XP with SP3
Firewall: ZoneAlarm 8.0.298.000
Anti-virus: AVG Free 8.5.287, updated 4-11-2009
AdAware (earlier version, approx 3 months old)
Programs added after infection...
AdAware 8.0.3
Spybot 1.6.2
SpywareBlaster 4.2
Malwarebytes 1.36
ERUNT 1.1j
HijackThis 2.0.2
My HJT log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:33 PM, on 4/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5313 bytes
Hi Annealator
Does Google redirect in both Firefox and IE?
Annealator
2009-04-16, 04:01
Yes. It doesn't redirect every time. Frequency seems to be about equal with IE and with Firefox.
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)
Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html).
Important! Please do not select the "Show all" checkbox during the scan.
Annealator
2009-04-16, 22:26
Here is the log from Gmer.
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-16 14:19:42
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAE106FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAE103C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xAE11E170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xAE107580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xAE11B900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xAE11BB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xAE11FB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xAE107670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xAE104210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xAE11E9F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xAE11E7A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xAE11B280]
SSDT spzn.sys ZwEnumerateKey [0xF72F9CA2]
SSDT spzn.sys ZwEnumerateValueKey [0xF72FA030]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xAE11EF10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xAE11EF90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xAE104070]
SSDT spzn.sys ZwOpenKey [0xF72DB0C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xAE11D180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xAE11CF40]
SSDT spzn.sys ZwQueryKey [0xF72FA108]
SSDT spzn.sys ZwQueryValueKey [0xF72F9F88]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xAE11F6F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xAE11F150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xAE106BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xAE11F540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xAE107190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xAE104440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xAE11E4E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xAE11C200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xAE11C080]
INT 0x62 ? 86FD8BF8
INT 0x63 ? 86DCFF00
INT 0x73 ? 86FD8BF8
INT 0x73 ? 86FD8BF8
INT 0x73 ? 86DCFF00
INT 0x73 ? 86FD8BF8
INT 0x83 ? 86DCFF00
INT 0xB4 ? 86DCFF00
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 12 Bytes [80, 75, 10, AE, 00, B9, 11, ...]
? spzn.sys The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6C658AC 5 Bytes JMP 86DCF4E0
.text afgzogef.SYS F6BC5386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text afgzogef.SYS F6BC53AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text afgzogef.SYS F6BC53C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text afgzogef.SYS F6BC53C9 1 Byte [2E]
.text afgzogef.SYS F6BC53C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\spoolsv.exe[224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\spoolsv.exe[224] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\spoolsv.exe[224] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\spoolsv.exe[224] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\spoolsv.exe[224] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\spoolsv.exe[224] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[676] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[676] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[676] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[676] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[676] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\PROGRA~1\AVG\AVG8\avgnsx.exe[676] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\winlogon.exe[832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\winlogon.exe[832] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\winlogon.exe[832] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\winlogon.exe[832] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\winlogon.exe[832] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\winlogon.exe[832] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\lsass.exe[888] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\lsass.exe[888] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\lsass.exe[888] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\lsass.exe[888] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\lsass.exe[888] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1080] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1080] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1080] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1080] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1080] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1156] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1156] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1156] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1156] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1156] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1220] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1220] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1220] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1220] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1220] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\System32\svchost.exe[1276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\System32\svchost.exe[1276] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\System32\svchost.exe[1276] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\System32\svchost.exe[1276] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\System32\svchost.exe[1276] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\System32\svchost.exe[1276] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\system32\svchost.exe[1548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\svchost.exe[1548] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\svchost.exe[1548] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\svchost.exe[1548] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\svchost.exe[1548] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\svchost.exe[1548] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\System32\svchost.exe[1768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\System32\svchost.exe[1768] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\System32\svchost.exe[1768] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\System32\svchost.exe[1768] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\System32\svchost.exe[1768] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\System32\svchost.exe[1768] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10053658
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1776] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100535A0
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1776] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10052E84
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1776] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100526A0
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1776] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10052624
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[1776] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10053554
.text C:\WINDOWS\System32\alg.exe[3332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\System32\alg.exe[3332] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\System32\alg.exe[3332] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\System32\alg.exe[3332] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\System32\alg.exe[3332] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\System32\alg.exe[3332] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\WINDOWS\RTHDCPL.EXE[3484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\RTHDCPL.EXE[3484] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\RTHDCPL.EXE[3484] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\RTHDCPL.EXE[3484] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\RTHDCPL.EXE[3484] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\RTHDCPL.EXE[3484] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
.text C:\Program Files\iTunes\iTunesHelper.exe[3588] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10013658
.text C:\Program Files\iTunes\iTunesHelper.exe[3588] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 100135A0
.text C:\Program Files\iTunes\iTunesHelper.exe[3588] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10012E84
.text C:\Program Files\iTunes\iTunesHelper.exe[3588] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100126A0
.text C:\Program Files\iTunes\iTunesHelper.exe[3588] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10012624
.text C:\Program Files\iTunes\iTunesHelper.exe[3588] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10013554
.text C:\WINDOWS\system32\ctfmon.exe[3696] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003658
.text C:\WINDOWS\system32\ctfmon.exe[3696] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 100035A0
.text C:\WINDOWS\system32\ctfmon.exe[3696] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10002E84
.text C:\WINDOWS\system32\ctfmon.exe[3696] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100026A0
.text C:\WINDOWS\system32\ctfmon.exe[3696] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10002624
.text C:\WINDOWS\system32\ctfmon.exe[3696] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003554
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72DC040] spzn.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72DC13C] spzn.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72DC0BE] spzn.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72DC7FC] spzn.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72DC6D2] spzn.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72EC048] spzn.sys
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\afgzogef.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AE10BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AE10B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AE10C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AE109E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AE109E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AE10BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AE10B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AE10C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AE10BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AE109E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AE10C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AE10B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AE10C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AE10B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AE10BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AE109E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AE10BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AE10B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AE10C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisRegisterProtocol] [AE10BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisDeregisterProtocol] [AE109E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisCloseAdapter] [AE10C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip6.sys[NDIS.SYS!NdisOpenAdapter] [AE10B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AE10BB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AE109E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AE10C260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AE10B930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 86FD71F8
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBPDO-0 86D891F8
Device \Driver\PCI_PNP7140 \Device\00000044 spzn.sys
Device \Driver\PCI_PNP7140 \Device\00000044 spzn.sys
Device \Driver\usbuhci \Device\USBPDO-1 86D891F8
Device \Driver\usbuhci \Device\USBPDO-2 86D891F8
Device \Driver\usbuhci \Device\USBPDO-3 86D891F8
Device \Driver\usbehci \Device\USBPDO-4 86D5C1F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
Device \Driver\Ftdisk \Device\HarddiskVolume1 86F691F8
Device \Driver\Cdrom \Device\CdRom0 86D2C1F8
Device \Driver\Cdrom \Device\CdRom1 86D2C1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86CBE1F8
Device \Driver\NetBT \Device\NetbiosSmb 86CBE1F8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
Device \Driver\NetBT \Device\NetBT_Tcpip_{5222A0EE-E0CC-4D94-A989-28B414283E8E} 86CBE1F8
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
Device \Driver\usbuhci \Device\USBFDO-0 86D891F8
Device \Driver\usbuhci \Device\USBFDO-1 86D891F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 869E3500
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbuhci \Device\USBFDO-2 86D891F8
Device \Driver\sptd \Device\3678077140 spzn.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector 869E3500
Device \Driver\usbuhci \Device\USBFDO-3 86D891F8
Device \Driver\usbehci \Device\USBFDO-4 86D5C1F8
Device \Driver\Ftdisk \Device\FtControl 86F691F8
Device \Driver\afgzogef \Device\Scsi\afgzogef1 86CE81F8
Device \Driver\afgzogef \Device\Scsi\afgzogef1Port3Path0Target0Lun0 86CE81F8
Device \FileSystem\Cdfs \Cdfs 86DE0500
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF7 0xA8 0x8C 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0A 0x05 0x03 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB8 0x28 0xF6 0x9D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF7 0xA8 0x8C 0x07 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0A 0x05 0x03 0xBF ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB8 0x28 0xF6 0x9D ...
---- EOF - GMER 1.0.15 ----
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
Annealator
2009-04-16, 23:43
After running Gmer previously I noted that AVG could now connect to its update site, so I updated it.
Ran Combofix. Had some strange behaviour while doing so. Not sure if it is relevant but here it is.
1. While running Combofix, during or immediately after the registry backup, Windows produced a message that "pv.cfexe has encountered a problem and needs to close". I clicked 'Don't Send'. Combofix continued to run with no apparent problems.
2. Immediately after Combofix's "Scanning for Infected Files" window appeared, but before completion of Stage 1, the same Windows error message appeared. I again clicked 'Don't Send'. Combofix continued to run with no apparent problems.
3. After the automatic reboot my ZoneAlarm and AVG re-started automatically. I manually disabled them while Combofix was producing its log. There were no apparent ill effects from this.
Combofix log...
ComboFix 09-04-17.01 - User 04/16/2009 15:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.560 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\Combofix\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Service_Iprip
((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.
2009-04-16 00:58 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 00:58 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 00:58 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 00:58 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 00:58 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 00:58 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 00:58 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 00:58 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 00:58 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 00:56 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 00:56 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 00:56 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 02:36 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 02:36 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 23:05 . 2009-04-10 23:05 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 20:32 . 2009-04-10 20:32 0 ----a-w c:\windows\system32\RENA1.tmp
2009-04-10 20:32 . 2009-04-10 20:32 0 ----a-w c:\windows\system32\RENA0.tmp
2009-04-10 20:32 . 2009-04-10 20:32 0 ----a-w c:\windows\system32\REN9F.tmp
2009-04-10 03:52 . 2009-04-10 03:52 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-10 03:52 . 2009-04-11 02:08 -------- d-----w c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-04-10 03:51 . 2009-04-10 03:51 -------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-04-10 03:51 . 2009-04-10 03:51 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-10 02:20 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-10 02:18 . 2009-04-10 02:18 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-10 01:43 . 2009-04-10 01:43 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 00:12 . 2008-06-04 02:36 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 00:02 . 2008-09-21 20:51 -------- d-----w c:\program files\Vuze
2009-04-13 23:46 . 2009-04-13 23:46 -------- d-----w c:\program files\Trend Micro
2009-04-13 23:44 . 2009-04-13 23:44 -------- d-----w c:\program files\ERUNT
2009-04-11 02:36 . 2009-04-11 02:36 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-11 02:24 . 2009-04-11 02:24 -------- d-----w c:\program files\SpywareBlaster
2009-04-11 02:23 . 2008-09-21 20:30 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 02:22 . 2008-09-21 20:30 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-11 02:07 . 2009-04-10 03:52 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-10 23:05 . 2009-04-10 23:05 -------- d-----w c:\program files\iTunes
2009-04-10 23:05 . 2009-04-10 23:05 -------- d-----w c:\program files\iPod
2009-04-10 23:05 . 2008-11-06 17:51 -------- d-----w c:\program files\Common Files\Apple
2009-04-10 23:03 . 2009-04-10 23:03 -------- d-----w c:\program files\Java
2009-04-10 20:31 . 2009-04-10 03:45 12304 ----a-w C:\JavaRa.log
2009-04-10 03:51 . 2008-12-25 00:47 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-10 02:18 . 2009-04-10 02:18 -------- d-----w c:\program files\Lavasoft
2009-04-10 01:43 . 2008-11-06 22:39 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-10 01:43 . 2008-11-06 22:39 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-10 01:42 . 2008-09-21 20:06 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-08 23:19 . 2009-04-01 22:49 3142972 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-04-05 13:23 . 2008-09-21 20:57 -------- d-----w c:\documents and settings\User\Application Data\Azureus
2009-04-01 12:04 . 2009-04-01 22:49 1712128 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-03-30 23:16 . 2008-09-21 19:41 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-19 21:32 . 2008-11-06 17:53 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 23:14 . 2009-03-15 23:14 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 23:13 . 2009-03-15 23:13 -------- d-----w c:\program files\Bonjour
2009-03-15 23:12 . 2009-03-15 23:12 -------- d-----w c:\program files\QuickTime
2009-03-07 20:30 . 2008-06-04 02:15 -------- d-----w c:\documents and settings\User\Application Data\dvdcss
2009-03-07 19:42 . 2009-03-07 19:24 -------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-03-07 15:42 . 2008-06-17 04:25 -------- d-----w c:\program files\GoldWave
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 04:59 . 2009-03-15 23:10 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 04:59 . 2008-11-06 17:51 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-28 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-16 05:10 . 2008-12-07 03:55 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-14 17:37 . 2009-02-14 17:39 1608192 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-02-09 12:10 . 2006-02-28 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-02-28 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-02-28 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-02-28 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2006-02-28 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2006-02-28 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2006-02-28 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-02-28 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2006-02-28 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-24 02:04 . 2008-05-23 02:15 19416 ----a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-05-23 04:50 . 2008-05-23 04:50 127 ----a-w c:\documents and settings\User\Local Settings\Application Data\fusioncache.dat
2007-02-02 00:02 . 2007-02-02 00:02 313344 ----a-w c:\program files\hjsplit.exe
2000-12-15 20:55 . 2008-06-04 01:56 790528 ----a-w c:\program files\PHOTOED.EXE
2008-09-23 00:36 . 2008-09-23 00:36 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092220080923\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-10 1932568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-07 16859136]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-10 01:43 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"67:UDP"= 67:UDP:DHCP Discovery Service
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2001-08-17 96256]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-10 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-10 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-10 298264]
S2 RGFILERW;RGFILERW;c:\windows\system32\Drivers\RGFILERW.SYS [2005-10-15 3984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
2009-04-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-04-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
2009-04-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-04-11 20:31]
2008-09-21 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-04-11 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4odu8pmx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4odu8pmx.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 15:31
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-04-16 15:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 20:34
Pre-Run: 479,792,300,032 bytes free
Post-Run: 480,092,684,288 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
215 --- E O F --- 2009-04-16 04:12
I then ran HJT again. Log is below...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:12 PM, on 4/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5460 bytes
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Annealator
2009-04-18, 01:46
Here are the contents you requested. I appreciate all the help. It has definitely been moving in the right direction. In the last day or so I haven't had any Google redirections or problems updating AVG. Firefox still crashes once in a while but less frequently than before.
Uninstall List...
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 8.5
Bonjour
Catalyst Control Center - Branding
Eraser 5.3
ERUNT 1.1j
GoldWave v5.25
Google Earth
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
iTunes
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Age of Empires
Microsoft Age of Empires Expansion
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.8)
Natural Color Pro
Network Magic
OnSpec Regen
OpenOffice.org Installer 1.0
QuickTime
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SimCity 3000
Spybot - Search & Destroy
SpywareBlaster 4.2
Starcraft
Tweak UI
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC 9.0 Runtime
VC 9.0 Runtime
VideoLAN VLC media player 0.8.6f
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Winamp
Windows Resource Kit Tools
Windows XP Service Pack 3
WinRAR archiver
ZoneAlarm
Open notepad and copy/paste the text in the codebox below into it:
Folder::
c:\program files\Vuze
c:\documents and settings\User\Application Data\Azureus
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; Combofix should then continue.
If that happens we want to know, and also which process you had to end.
Annealator
2009-04-18, 22:38
Did as you instructed. Here are the logs.
ComboFix 09-04-19.01 - User 04/18/2009 14:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.567 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\Combofix\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\User\Application Data\Azureus
c:\documents and settings\User\Application Data\Azureus\.certs
c:\documents and settings\User\Application Data\Azureus\.keystore
c:\documents and settings\User\Application Data\Azureus\.lock
c:\documents and settings\User\Application Data\Azureus\active\cache.dat
c:\documents and settings\User\Application Data\Azureus\azureus.config
c:\documents and settings\User\Application Data\Azureus\azureus.config.bak
c:\documents and settings\User\Application Data\Azureus\azureus.statistics
c:\documents and settings\User\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\User\Application Data\Azureus\banips.config
c:\documents and settings\User\Application Data\Azureus\banips.config.bak
c:\documents and settings\User\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\User\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\User\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\User\Application Data\Azureus\dht\general.dat
c:\documents and settings\User\Application Data\Azureus\dht\net3\addresses.dat
c:\documents and settings\User\Application Data\Azureus\dht\net3\contacts.dat
c:\documents and settings\User\Application Data\Azureus\dht\net3\diverse.dat
c:\documents and settings\User\Application Data\Azureus\dht\net3\version.dat
c:\documents and settings\User\Application Data\Azureus\dht\version.dat
c:\documents and settings\User\Application Data\Azureus\downloads.config
c:\documents and settings\User\Application Data\Azureus\downloads.config.bak
c:\documents and settings\User\Application Data\Azureus\filters.config
c:\documents and settings\User\Application Data\Azureus\friends.config
c:\documents and settings\User\Application Data\Azureus\friends.config.bak
c:\documents and settings\User\Application Data\Azureus\ipfilter.cache
c:\documents and settings\User\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\User\Application Data\Azureus\logs\AutoSpeed_1.log
c:\documents and settings\User\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\User\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\User\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\User\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\User\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\User\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\User\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_alerts_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_AutoSpeed_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_AutoSpeedSearchHistory_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_clientid_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_debug_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_debug_2.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_Friends_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_MetaSearch_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_NetStatus_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_seltrace_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_seltrace_2.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_SpeedMan_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_thread_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_thread_2.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_v3.ads_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_v3.CMsgr_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_v3.Friends_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238455207734_v3.PMsgr_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_alerts_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_AutoSpeed_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_AutoSpeedSearchHistory_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_clientid_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_debug_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_debug_2.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_Friends_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_MetaSearch_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_NetStatus_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_seltrace_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_seltrace_2.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_SpeedMan_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_thread_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_thread_2.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_v3.ads_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_v3.CMsgr_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_v3.Friends_1.log
c:\documents and settings\User\Application Data\Azureus\logs\save\1238626384188_v3.PMsgr_1.log
c:\documents and settings\User\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\User\Application Data\Azureus\logs\seltrace_2.log
c:\documents and settings\User\Application Data\Azureus\logs\SpeedMan_1.log
c:\documents and settings\User\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\User\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\User\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\User\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\User\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\User\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\User\Application Data\Azureus\metasearch.config
c:\documents and settings\User\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\User\Application Data\Azureus\net\pm_6327.dat
c:\documents and settings\User\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\User\Application Data\Azureus\tables.config
c:\documents and settings\User\Application Data\Azureus\tables.config.bak
c:\documents and settings\User\Application Data\Azureus\timingstats.dat
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58985.tmp
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58986.tmp
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58987.tmp
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58988.tmp
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58989.tmp
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58990.tmp
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58991.tmp
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58992.tmp
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58993.tmp
c:\documents and settings\User\Application Data\Azureus\tmp\AZU58994.tmp
c:\documents and settings\User\Application Data\Azureus\torrents\AZU12800.tmp
c:\documents and settings\User\Application Data\Azureus\tracker.config
c:\documents and settings\User\Application Data\Azureus\tracker.config.bak
c:\documents and settings\User\Application Data\Azureus\unsentdata.config
c:\documents and settings\User\Application Data\Azureus\update.log
c:\documents and settings\User\Application Data\Azureus\update.properties
c:\documents and settings\User\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\User\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\User\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\User\Application Data\Azureus\VuzeActivities.config.bak
c:\program files\Vuze
c:\program files\Vuze\plugins\azemp\azemp_2.0.30.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.30.zip
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.32.zip
c:\program files\Vuze\plugins\azemp\azemp_2.0.34.jar
c:\program files\Vuze\plugins\azemp\azemp_2.0.34.zip
c:\program files\Vuze\plugins\azemp\azmplay.exe.bak
c:\program files\Vuze\plugins\azemp\cp1250-a.raw.bak
c:\program files\Vuze\plugins\azemp\cp1250-b.raw.bak
c:\program files\Vuze\plugins\azemp\font.desc.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-a.raw.bak
c:\program files\Vuze\plugins\azemp\osd-mplayer-b.raw.bak
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.30
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.32
c:\program files\Vuze\plugins\azemp\plugin.properties_2.0.34
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.jar
c:\program files\Vuze\plugins\azupnpav\azupnpav_0.2.5.zip
c:\program files\Vuze\plugins\azupnpav\plugin.properties_0.2.5
.
((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.
2009-04-16 00:58 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 00:58 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 00:58 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 00:58 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 00:58 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 00:58 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 00:58 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 00:58 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 00:58 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 00:56 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 00:56 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 00:56 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-11 02:36 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-11 02:36 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 23:05 . 2009-04-10 23:05 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 20:32 . 2009-04-10 20:32 0 ----a-w c:\windows\system32\RENA1.tmp
2009-04-10 20:32 . 2009-04-10 20:32 0 ----a-w c:\windows\system32\RENA0.tmp
2009-04-10 20:32 . 2009-04-10 20:32 0 ----a-w c:\windows\system32\REN9F.tmp
2009-04-10 03:52 . 2009-04-10 03:52 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-10 03:52 . 2009-04-11 02:08 -------- d-----w c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-04-10 03:51 . 2009-04-10 03:51 -------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-04-10 03:51 . 2009-04-10 03:51 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-10 02:20 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-10 02:18 . 2009-04-10 02:18 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-10 01:43 . 2009-04-10 01:43 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 00:12 . 2008-06-04 02:36 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-13 23:46 . 2009-04-13 23:46 -------- d-----w c:\program files\Trend Micro
2009-04-13 23:44 . 2009-04-13 23:44 -------- d-----w c:\program files\ERUNT
2009-04-11 02:36 . 2009-04-11 02:36 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-11 02:24 . 2009-04-11 02:24 -------- d-----w c:\program files\SpywareBlaster
2009-04-11 02:23 . 2008-09-21 20:30 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-11 02:22 . 2008-09-21 20:30 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-11 02:07 . 2009-04-10 03:52 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-10 23:05 . 2009-04-10 23:05 -------- d-----w c:\program files\iTunes
2009-04-10 23:05 . 2009-04-10 23:05 -------- d-----w c:\program files\iPod
2009-04-10 23:05 . 2008-11-06 17:51 -------- d-----w c:\program files\Common Files\Apple
2009-04-10 23:03 . 2009-04-10 23:03 -------- d-----w c:\program files\Java
2009-04-10 20:31 . 2009-04-10 03:45 12304 ----a-w C:\JavaRa.log
2009-04-10 03:51 . 2008-12-25 00:47 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-10 02:18 . 2009-04-10 02:18 -------- d-----w c:\program files\Lavasoft
2009-04-10 01:43 . 2008-11-06 22:39 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-10 01:43 . 2008-11-06 22:39 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-10 01:42 . 2008-09-21 20:06 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-08 23:19 . 2009-04-01 22:49 3142972 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-04-01 12:04 . 2009-04-01 22:49 1712128 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-03-30 23:16 . 2008-09-21 19:41 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-03-19 21:32 . 2008-11-06 17:53 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 23:14 . 2009-03-15 23:14 -------- d-----w c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-15 23:13 . 2009-03-15 23:13 -------- d-----w c:\program files\Bonjour
2009-03-15 23:12 . 2009-03-15 23:12 -------- d-----w c:\program files\QuickTime
2009-03-07 20:30 . 2008-06-04 02:15 -------- d-----w c:\documents and settings\User\Application Data\dvdcss
2009-03-07 19:42 . 2009-03-07 19:24 -------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-03-07 15:42 . 2008-06-17 04:25 -------- d-----w c:\program files\GoldWave
2009-03-06 14:22 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 04:59 . 2009-03-15 23:10 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 04:59 . 2008-11-06 17:51 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-28 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-16 05:10 . 2008-12-07 03:55 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-14 17:37 . 2009-02-14 17:39 1608192 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-02-09 12:10 . 2006-02-28 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-02-28 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-02-28 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-02-28 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2006-02-28 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2006-02-28 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2006-02-28 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-02-28 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2006-02-28 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-24 02:04 . 2008-05-23 02:15 19416 ----a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-05-23 04:50 . 2008-05-23 04:50 127 ----a-w c:\documents and settings\User\Local Settings\Application Data\fusioncache.dat
2007-02-02 00:02 . 2007-02-02 00:02 313344 ----a-w c:\program files\hjsplit.exe
2000-12-15 20:55 . 2008-06-04 01:56 790528 ----a-w c:\program files\PHOTOED.EXE
2008-09-23 00:36 . 2008-09-23 00:36 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092220080923\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-10 1932568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-04-07 16859136]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-10 01:43 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"67:UDP"= 67:UDP:DHCP Discovery Service
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2001-08-17 96256]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-10 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-10 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-10 298264]
S2 RGFILERW;RGFILERW;c:\windows\system32\Drivers\RGFILERW.SYS [2005-10-15 3984]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
2009-04-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
2009-04-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
2009-04-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-04-11 20:31]
2008-09-21 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-04-11 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4odu8pmx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4odu8pmx.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 14:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-18 14:33
ComboFix-quarantined-files.txt 2009-04-18 19:33
Pre-Run: 484,756,488,192 bytes free
Post-Run: 484,743,966,720 bytes free
311 --- E O F --- 2009-04-16 04:12
HJT Log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:13 PM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 5425 bytes
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
Annealator
2009-04-19, 17:26
Done as instructed. See below.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 19, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 19, 2009 15:14:47
Records in database: 2060684
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 35672
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:33:56
No malware has been detected. The scan area is clean.
The selected area was scanned.
HJT log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:58 AM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AVG\AVG8\avgui.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 6027 bytes
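As an added example, not part of either participant's posts or of HijackThis itself: the 4/18 and 4/19 logs above differ in their entry lines only by the Java runtime items, but spotting that by eye across two logs of this length is error-prone. The script below parses the layout HijackThis writes (a "Running processes:" list, then Rn/Fn/Nn/On entries), diffs two logs by category, and applies one common analyst heuristic: load-point entries (BHOs, Run keys, Winlogon notify, services) whose binary lives under a user-writable profile or temp directory get flagged for a closer look. COMMON and JAVA_ADDED are constructed excerpts of the two logs posted in this thread; the heuristic is an assumption about what deserves a second look, not a detection verdict.

```python
"""Diff two HijackThis 2.0.x logs entry by entry and triage load-point paths.

Added example for this thread; not part of the original posts or of HijackThis
itself. It parses the layout HijackThis writes (a 'Running processes:' list,
then Rn/Fn/Nn/On entries) so the change between two scans, such as the 4/18
and 4/19 logs above, is listed rather than eyeballed. COMMON and JAVA_ADDED
are constructed excerpts of those two logs.
"""
import re
from typing import Dict, List, Set

# Entry line: section code (R0..R3, F0..F3, N1..N4, O1..O24), " - ", body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - .+$")
# Running-process line: an absolute Windows path and nothing else.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
# Heuristic, not a verdict: BHO/toolbar/Run/Winlogon/service entries whose
# binary lives in a user-writable profile or temp directory deserve a look.
LOAD_POINT_CODES = {"O2", "O3", "O4", "O20", "O21", "O22", "O23"}
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\windows\\temp\\")


def parse_hjt(log: str) -> Dict[str, Set[str]]:
    """Split one log into its process list and its entry lines."""
    processes: Set[str] = set()
    entries: Set[str] = set()
    for raw in log.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries.add(line)
        elif PROCESS_RE.match(line):
            processes.add(line.lower())  # NTFS paths compare case-insensitively
    return {"processes": processes, "entries": entries}


def diff_hjt(before: str, after: str) -> Dict[str, List[str]]:
    """What appeared or vanished between two scans, per category, sorted."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "entries_added": sorted(a["entries"] - b["entries"]),
        "entries_removed": sorted(b["entries"] - a["entries"]),
        "processes_added": sorted(a["processes"] - b["processes"]),
        "processes_removed": sorted(b["processes"] - a["processes"]),
    }


def flag_user_writable(entries) -> List[str]:
    """Load-point entries whose path sits under a user-writable location."""
    flagged = []
    for line in entries:
        code = line.split(" - ", 1)[0]
        if code in LOAD_POINT_CODES and any(m in line.lower() for m in USER_WRITABLE):
            flagged.append(line)
    return sorted(flagged)


# Constructed excerpt shared by both scans (taken from the 4/18 log above).
COMMON = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:13 PM, on 4/18/2009
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""
# Constructed excerpt of what the 4/19 log above shows in addition.
JAVA_ADDED = r"""C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""
TRAILER = "--\nEnd of file - 0 bytes\n"
BEFORE = COMMON + TRAILER
AFTER = COMMON + JAVA_ADDED + TRAILER

if __name__ == "__main__":
    for category, lines in diff_hjt(BEFORE, AFTER).items():
        print(category, *lines, sep="\n  ")
    print("flagged:", flag_user_writable(parse_hjt(AFTER)["entries"]))
```

On a real pair of logs, read both files and pass their contents to diff_hjt. The process list is volatile (it is whatever happened to be running at scan time), so treat processes_added as context; entries_added is the list to actually check, and anything flag_user_writable returns is where to start.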
That looks good :)
Still problems?
Annealator
2009-04-19, 18:54
No problems. All weird behaviour has ceased. Thanks very much for your help!
Great :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Now let's uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)
Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place (http://forums.spybot.info/showthread.php?t=279)
Happy surfing and stay clean! :bigthumb:
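The six Internet Explorer Custom Level settings in the post above live in the registry as numeric URL-action values under the Internet zone (zone 3), so they can be audited without clicking through the dialog. The script below is an added example, not the helper's or the thread's code; it assumes PowerShell is available on the machine, that the documented action IDs 1001, 1004, 1201, 1800, 1804 and 1607 map to the settings named in the post, and that 0/1/3 mean Enable/Prompt/Disable.

```powershell
# Added example: report which Internet-zone (zone 3) settings from the post are
# weaker than recommended for the current user's IE profile. Pass -Fix to apply
# the recommended values. Action IDs and the 0/1/3 encoding are the documented
# IE URL-action values (assumption stated in the lead-in).
param([switch]$Fix)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Action ID -> setting name and the value the post above recommends
$policy = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

$key  = Get-ItemProperty -Path $zonePath -ErrorAction Stop
$weak = 0
foreach ($p in $policy) {
    $cur = $key.($p.Id)
    if ($null -eq $cur) {
        # No explicit value: IE falls back to its built-in default for this zone;
        # report it rather than guess what that default is.
        Write-Host ("?     {0} ({1}): not set, IE default applies" -f $p.Name, $p.Id)
        continue
    }
    $cur = [int]$cur
    $curName = if ($names.ContainsKey($cur)) { $names[$cur] } else { "raw=$cur" }
    # Lower number = more permissive (0 Enable < 1 Prompt < 3 Disable),
    # so a setting is weak when its value is below the recommended one.
    if ($cur -lt $p.Want) {
        $weak++
        Write-Host ("WEAK  {0} ({1}): is {2}, want {3}" -f $p.Name, $p.Id, $curName, $names[$p.Want])
        if ($Fix) { Set-ItemProperty -Path $zonePath -Name $p.Id -Value $p.Want -Type DWord }
    } else {
        Write-Host ("ok    {0} ({1}): {2}" -f $p.Name, $p.Id, $curName)
    }
}
Write-Host "$weak setting(s) weaker than recommended"
```

Run it once without -Fix to see the current state, then with -Fix to apply the post's recommendations; a change via Set-ItemProperty takes effect the next time Internet Explorer is started.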
Annealator
2009-04-19, 20:15
Thanks a bunch, Shaba! I already had the IE settings as you suggested. Also had Spywareblaster. I've now gotten rid of Spybot and replaced it with Malwarebytes. Scan from that comes up clean. I will also use the MVPS hosts file and WinPatrol from now on.
:D::D:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.