Browser Seems Hijacked



Gpooj
2009-05-01, 06:05
I apologize for any past offenses I may have committed, but....

I'm running AVG antivirus, PCTools Spyware Doctor, and ZoneAlarm.... but for whatever reason, every now and then when I click a search result in google (could be a wikipedia page or whatever) I get taken to a random site.

It bugs me because I use the AVG content adviser, and it'll say the page checks out (because it's wikipedia), so I click on it, and bam, a strange site pops up and AVG will suddenly warn me that I'm on a known trouble site.

Sometimes it's some strange "porn search" site, sometimes it's just IGN. Anyway, if I hit back and click the link again the destination will change on me till I end up on a google page saying "google/undefined doesn't exist" or something like that.

If I hit back and try again the redirecting stops till I restart. So far it's happened to me trying to click on wikiHow results in google, or wikipedia results in google, if that helps.

What is happening? PCTools can't find anything, Spybot can't find anything.

Here's my hijackthis log as per the sticky:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:53 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194665334359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A1F1D1B-02D1-4363-BD97-7357DD9D6F2A}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\filoloye.dll oicfcd.dll c:\windows\system32\daluwimo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8390 bytes

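As an added example for readers triaging a log like the one above (this is not part of the thread and not a HijackThis feature; the heuristics are the editor's own assumptions, not a vendor rule set), the script below walks HijackThis entries and pulls out the three things a helper usually checks first: anything in `O20 AppInit_DLLs` (every DLL listed there is loaded into every process that maps user32.dll, and a clean XP install normally has the value empty), `O2` BHO registrations that point at `(no file)`, and `O23` services with no publisher. The sample lines are copied from the log posted above.

```python
"""Triage a HijackThis v2 log for persistence entries that commonly carry a
browser hijacker.  Added example for this thread; it is not part of the
original posts and not a HijackThis feature.  The severity heuristics are
the editor's own assumptions."""
import re
from typing import List, Optional, Tuple

# Lines copied from the HijackThis log posted in the thread (O2, O20, O23).
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\filoloye.dll oicfcd.dll c:\windows\system32\daluwimo.dll",
    r"O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll",
    r"O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

Finding = Tuple[str, str, str]  # (severity, section, detail)

# HijackThis entries look like "O20 - <text>", "R0 - <text>", "F2 - <text>".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O20 - AppInit_DLLs: ...' into ('O20', 'AppInit_DLLs: ...').
    Returns None for header lines, process lists and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def split_appinit(value: str) -> List[str]:
    """The AppInit_DLLs registry value is a space- or comma-separated list
    of DLL names or paths (paths containing spaces are not handled here)."""
    return [d for d in re.split(r"[\s,]+", value.strip()) if d]


def triage(lines: List[str]) -> List[Finding]:
    """Return the entries worth a closer look, most urgent first per line."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, rest = parsed
        if section == "O20" and rest.startswith("AppInit_DLLs:"):
            # Anything here is injected into every GUI process on the box.
            # A bare file name is resolved through the DLL search path, which
            # is one step worse than an explicit system32 path.
            for dll in split_appinit(rest[len("AppInit_DLLs:"):]):
                has_path = "\\" in dll
                sev = "medium" if has_path else "high"
                why = ("injected into every GUI process" if has_path
                       else "bare name resolved via search path")
                findings.append((sev, section, f"AppInit_DLLs loads {dll} ({why})"))
        elif section == "O2" and rest.endswith("- (no file)"):
            # Orphaned BHO registration: harmless by itself, but a sign that a
            # component was removed without cleaning up the registry.
            findings.append(("low", section, f"orphaned BHO entry: {rest}"))
        elif section == "O23" and " - Unknown owner - " in rest:
            # Service binary without a publisher string: verify before trusting.
            findings.append(("review", section, f"service without publisher: {rest}"))
    return findings


if __name__ == "__main__":
    for sev, sec, detail in triage(SAMPLE_LOG):
        print(f"[{sev:>6}] {sec}: {detail}")
```

Run against the six sample lines it reports the three AppInit DLLs (the bare `oicfcd.dll` rated higher than the two full paths), the one `(no file)` BHO and the one service with no publisher, and leaves the AVG Winlogon Notify entry and the NVIDIA service alone. The AVG entry is a reminder that `O20` is not malicious by itself; the value, not the section, decides.
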
Shaba
2009-05-02, 12:14
Hi Gpooj

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Gpooj
2009-05-03, 01:21
Thanks for helping me!

Ok, I did that stuff and I've attached both my log files.

Shaba
2009-05-03, 09:04
Please don't attach any logs but copy/paste them to your reply :)

Gpooj
2009-05-03, 16:17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:19:42 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194665334359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A1F1D1B-02D1-4363-BD97-7357DD9D6F2A}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7720 bytes

Gpooj
2009-05-03, 16:18
ComboFix 09-05-02.4 - PeterD 05/02/2009 18:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1281 [GMT -4:00]
Running from: c:\downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\PeterD\Application Data\inst.exe
c:\windows\Install.txt
c:\windows\system32\xcchit32.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_PROTECT
-------\Legacy_RESTORE
-------\Legacy_SOFTYINFORWOW1
-------\Legacy_SOPIDKC
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-02 07:07 . 2009-05-02 07:07 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-02 07:06 . 2009-05-02 07:06 -------- d-sh--w c:\documents and settings\PeterD\IETldCache
2009-05-02 04:38 . 2009-05-02 04:38 -------- d-----w c:\windows\ie8updates
2009-05-02 04:37 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-02 04:35 . 2009-05-02 04:37 -------- dc-h--w c:\windows\ie8
2009-05-02 03:02 . 2009-05-02 03:02 -------- d-----w c:\documents and settings\PeterD\Tracing
2009-05-02 03:00 . 2009-05-02 07:06 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-02 02:59 . 2009-05-02 02:59 -------- d-----w c:\program files\Microsoft
2009-05-02 02:51 . 2009-05-02 02:51 -------- d-----w c:\program files\Common Files\Windows Live
2009-05-01 21:02 . 2009-05-02 02:29 -------- d-----w c:\documents and settings\PeterD\DoctorWeb
2009-04-25 16:56 . 2008-12-11 12:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-25 16:56 . 2009-04-03 15:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-25 16:56 . 2008-12-18 16:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-25 16:56 . 2009-05-01 22:54 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 16:56 . 2009-04-25 16:58 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-25 16:56 . 2008-12-10 15:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-25 16:56 . 2009-04-25 17:20 -------- d-----w c:\program files\Spyware Doctor
2009-04-25 16:56 . 2009-04-25 16:56 -------- d-----w c:\documents and settings\PeterD\Application Data\PC Tools
2009-04-25 16:56 . 2009-04-25 16:56 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-24 03:43 . 2009-04-24 03:43 -------- d-----w c:\documents and settings\PeterD\Application Data\GPass
2009-04-23 23:44 . 2006-08-11 18:55 10240 ----a-w c:\windows\CTDCRES.DLL
2009-04-16 21:11 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-10 13:57 . 2009-04-10 13:57 -------- d-----w c:\program files\Windows Live SkyDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 22:06 . 2007-11-07 23:39 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 03:02 . 2007-12-08 01:27 31536 ----a-w c:\documents and settings\PeterD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 02:58 . 2007-11-10 00:24 -------- d-----w c:\program files\Windows Live
2009-05-01 04:40 . 2009-03-09 01:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 21:10 . 2009-03-02 02:41 434 ----a-w c:\windows\Tasks\At1.job
2009-04-24 01:47 . 2007-11-08 02:53 -------- d-----w c:\program files\Creative
2009-04-23 23:45 . 2007-11-08 03:04 409600 ----a-w c:\windows\system32\wrap_oal.dll
2009-04-23 23:45 . 2007-11-08 03:04 86016 ----a-w c:\windows\system32\OpenAL32.dll
2009-04-23 23:34 . 2007-11-08 02:54 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 03:12 . 2007-11-12 22:38 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-16 21:12 . 2007-11-08 03:35 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-10 18:56 . 2008-05-22 02:45 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-10 13:56 . 2007-11-12 22:14 -------- d-----w c:\program files\Java
2009-04-06 19:32 . 2009-03-09 01:30 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-03-09 01:30 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-29 17:48 . 2008-05-01 02:35 -------- d-----w c:\program files\Elaborate Bytes
2009-03-29 16:07 . 2009-03-29 16:07 -------- d-----w c:\program files\SlySoft
2009-03-28 04:23 . 2009-03-11 21:08 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-23 02:28 . 2009-03-23 02:28 -------- d-----w c:\program files\OverDrive Media Console
2009-03-18 23:54 . 2009-03-18 23:54 -------- d-----w c:\program files\Astonsoft
2009-03-18 17:08 . 2009-03-18 17:08 103744 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2009-03-18 01:07 . 2009-02-24 21:44 -------- d-----w c:\program files\Cheat Engine
2009-03-17 22:03 . 2009-03-17 22:04 720896 ----a-w c:\windows\iun6002.exe
2009-03-17 20:46 . 2009-03-17 20:46 416189 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-03-17 02:03 . 2007-11-15 04:37 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-16 22:50 . 2007-11-08 03:16 38912 ----a-w C:\wizmo.exe
2009-03-14 19:21 . 2009-03-14 19:21 -------- d-----w c:\program files\Trend Micro
2009-03-14 18:46 . 2009-03-14 18:46 -------- d-----w c:\program files\CCleaner
2009-03-13 02:37 . 2009-03-13 02:37 -------- d-----w c:\program files\Zone Labs
2009-03-11 21:08 . 2009-03-11 21:08 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-11 21:08 . 2009-03-11 21:08 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-09 09:19 . 2009-03-17 20:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 08:34 . 2008-04-14 10:42 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2008-04-14 10:41 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2008-04-14 10:41 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-04-14 10:42 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2008-04-14 10:41 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2008-04-14 10:41 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2008-04-14 10:41 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2008-04-14 02:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2008-04-14 10:42 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 23:20 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-06 23:18 . 2007-11-07 23:32 22748 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-06 14:22 . 2008-04-14 10:42 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 19:13 . 2007-11-22 23:15 1966080 ----a-w c:\windows\system32\xRaidSetup.exe
2009-03-05 19:13 . 2008-06-21 19:05 243712 ----a-w c:\windows\system32\x.264.exe
2009-03-05 19:13 . 2006-09-28 23:56 146432 ----a-w c:\windows\system32\WudfHost.exe
2009-03-05 19:13 . 2002-08-21 10:13 189952 ----a-w c:\windows\system32\WISPTIS.EXE
2009-03-05 19:13 . 1998-06-12 05:00 30720 ----a-w c:\windows\system32\WINDBVER.EXE
2009-03-05 19:13 . 2007-11-08 03:28 561152 ----a-w c:\windows\system32\UNINSTAL.EXE
2009-03-05 19:13 . 2007-03-22 01:54 69632 ----a-w c:\windows\system32\TWUNK_32.EXE
2009-03-05 19:13 . 2007-11-07 23:31 44544 ----a-w c:\windows\system32\tscupgrd.exe
2009-03-05 19:12 . 2008-07-08 21:47 7680 ----a-w c:\windows\system32\spdwnwxp.exe
2009-03-05 19:12 . 2008-07-08 21:47 32768 ----a-w c:\windows\system32\slrundll.exe
2009-03-05 19:12 . 2007-11-08 04:14 36352 ----a-w c:\windows\system32\OggDSuninst.exe
2009-03-05 19:09 . 2005-01-07 22:07 61952 ----a-w c:\windows\system32\HdAShCut.exe
2009-03-05 19:09 . 2008-07-08 21:46 20992 ----a-w c:\windows\system32\faxpatch.exe
2009-03-05 19:09 . 2006-02-28 17:41 61440 ----a-w c:\windows\system32\dns-sd.exe
2009-03-05 19:08 . 2008-07-08 21:46 9728 ----a-w c:\windows\system32\comsdupd.exe
2009-03-05 19:08 . 2007-11-22 23:06 49152 ----a-w c:\windows\system32\ChCfg.exe
2009-03-05 18:48 . 2008-06-21 19:04 506368 ----a-w c:\windows\x2.64.exe
2009-03-05 18:48 . 2008-03-09 16:03 86016 ----a-w c:\windows\unvise32qt.exe
2009-03-05 18:48 . 2007-11-07 23:48 86016 ----a-w c:\windows\SoundMan.exe
2009-03-05 18:48 . 2007-11-07 23:48 1826816 ----a-w c:\windows\SkyTel.exe
2009-03-05 18:47 . 2007-11-07 23:48 1191936 ----a-w c:\windows\RtlUpd.exe
2009-03-05 18:47 . 2007-11-07 23:48 9716736 ----a-w c:\windows\RTLCPL.EXE
2009-03-05 18:47 . 2007-11-07 23:48 16386048 ----a-w c:\windows\RTHDCPL.EXE
2009-03-05 18:47 . 2008-06-21 19:05 70144 ----a-w c:\windows\MOTA113.exe
2009-03-05 18:47 . 2007-11-07 23:48 2166784 ----a-w c:\windows\MicCal.exe
2009-03-05 18:47 . 2007-12-23 02:14 306688 ----a-w c:\windows\IsUninst.exe
2009-03-05 18:47 . 2008-02-15 03:33 65536 ----a-w c:\windows\IFinst27.exe
2009-03-05 18:47 . 2007-11-22 23:06 315392 ----a-w c:\windows\HideWin.exe
2009-03-05 18:47 . 2008-03-18 23:40 796672 ----a-w c:\windows\GPInstall.exe
2009-03-05 18:47 . 2007-11-08 02:54 41984 ----a-w c:\windows\Ctregrun.exe
2009-03-05 18:47 . 2007-11-07 23:48 2810880 ----a-w c:\windows\ALCWZRD.EXE
2009-03-05 18:47 . 2007-11-07 23:48 69632 ----a-w c:\windows\ALCMTR.EXE
2009-03-05 16:45 . 2007-11-08 03:50 255488 ----a-w C:\Notepad2.exe
2009-03-05 16:45 . 2007-11-08 03:16 5689344 ----a-w C:\mplayerc.exe
2009-03-05 04:40 . 2009-03-03 01:41 130 ----a-w c:\windows\adobe.bat
2009-03-05 04:09 . 2009-03-05 04:09 -------- d-----w c:\program files\Alwil Software
2009-03-03 01:43 . 2009-03-03 00:23 136128 ----a-w c:\windows\system32\drivers\ethppbfh.sys
2009-03-03 01:41 . 2009-03-03 01:41 0 ----a-w c:\windows\_id.dat
2009-03-03 01:33 . 2009-03-03 01:33 0 ----a-w c:\windows\nsreg.dat
2009-02-17 17:11 . 2009-02-17 17:11 24232 ------w c:\windows\system32\drivers\ElbyCDIO.sys
2009-02-17 13:33 . 2009-02-17 13:33 89256 ------w c:\windows\system32\ElbyCDIO.dll
2009-02-16 04:10 . 2009-03-31 00:33 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2008-04-14 10:41 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-04-14 10:42 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2008-04-14 10:41 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-04-14 10:41 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2008-04-14 06:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2008-04-14 10:42 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-04-14 05:54 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-04-14 00:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-04-14 10:42 56832 ----a-w c:\windows\system32\secur32.dll
2006-05-03 09:06 . 2008-06-21 19:04 163328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-06-21 19:04 31232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-06-21 19:04 27648 --sh--w c:\windows\system32\Smab0.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2009-03-05 94208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2009-03-05 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2009-03-05 258048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-11 1932568]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-05 16386048]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-22 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-11 21:08 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 bunjgftm;bunjgftm; [x]
R2 OMSCAN;OMSCAN; [x]
R2 xlvestau;USB Audio (WDM)Support;c:\windows\System32\svchost.exe [2008-04-14 14336]
R3 pcistub;pcistub; [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]
S0 xmasbus;xmasbus;c:\windows\system32\DRIVERS\xmasbus.sys [2003-12-21 140800]
S0 xmasscsi;xmasscsi;c:\windows\System32\Drivers\xmasscsi.sys [2003-12-21 5504]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-11 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-28 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-11 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-11 298264]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2007-09-07 1373480]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xlvestau

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {8A1F1D1B-02D1-4363-BD97-7357DD9D6F2A} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\PeterD\Application Data\Mozilla\Firefox\Profiles\cmtd4zas.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 18:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1336601894-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:ab,e6,d2,74,20,03,85,9b,b3,cd,9b,45,41,45,9a,18,a9,28,2c,02,da,
36,db,ae,2d,3f,f2,24,11,5a,7e,a6,a9,01,d5,38,24,79,eb,88,42,ef,94,19,34,34,\
"rkeysecu"=hex:39,54,61,12,a8,59,9a,c9,92,a5,d4,02,78,87,b0,25
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2572)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\BsLangInDepRes.dll
c:\windows\system32\Bs2Res.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\IVT Corporation\BlueSoleil\BsHelpCS.exe
.
**************************************************************************
.
Completion time: 2009-05-02 18:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 22:12

Pre-Run: 40,133,722,112 bytes free
Post-Run: 40,677,380,096 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

310 --- E O F --- 2009-04-18 18:58

Shaba
2009-05-03, 16:28
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
c:\windows\Tasks\At1.job

Driver::
bunjgftm
OMSCAN
xlvestau

NetSvcs::
xlvestau

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply along with a fresh HijackThis log.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Gpooj
2009-05-03, 20:59
Okie Dokie, I did the drag and drop thing. It looks like it did the exact same thing as last time. Hopefully nothing messed up.

ComboFix Log:

ComboFix 09-05-02.4 - PeterD 05/03/2009 13:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1469 [GMT -4:00]
Running from: c:\downloads\ComboFix.exe
Command switches used :: c:\documents and settings\PeterD\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

FILE ::
c:\windows\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BUNJGFTM
-------\Legacy_OMSCAN
-------\Legacy_XLVESTAU
-------\Service_bunjgftm
-------\Service_OMSCAN
-------\Service_xlvestau


((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-02 07:07 . 2009-05-02 07:07 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-02 07:06 . 2009-05-02 07:06 -------- d-sh--w c:\documents and settings\PeterD\IETldCache
2009-05-02 04:38 . 2009-05-02 04:38 -------- d-----w c:\windows\ie8updates
2009-05-02 04:37 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-02 04:35 . 2009-05-02 04:37 -------- dc-h--w c:\windows\ie8
2009-05-02 03:02 . 2009-05-02 03:02 -------- d-----w c:\documents and settings\PeterD\Tracing
2009-05-02 03:00 . 2009-05-02 07:06 -------- d-----w c:\program files\Microsoft Silverlight
2009-05-02 02:59 . 2009-05-02 02:59 -------- d-----w c:\program files\Microsoft
2009-05-02 02:51 . 2009-05-02 02:51 -------- d-----w c:\program files\Common Files\Windows Live
2009-05-01 21:02 . 2009-05-02 02:29 -------- d-----w c:\documents and settings\PeterD\DoctorWeb
2009-04-25 16:56 . 2008-12-11 12:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-25 16:56 . 2009-04-03 15:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-25 16:56 . 2008-12-18 16:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-25 16:56 . 2009-05-01 22:54 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 16:56 . 2009-04-25 16:58 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-25 16:56 . 2008-12-10 15:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-25 16:56 . 2009-04-25 17:20 -------- d-----w c:\program files\Spyware Doctor
2009-04-25 16:56 . 2009-04-25 16:56 -------- d-----w c:\documents and settings\PeterD\Application Data\PC Tools
2009-04-25 16:56 . 2009-04-25 16:56 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-24 03:43 . 2009-04-24 03:43 -------- d-----w c:\documents and settings\PeterD\Application Data\GPass
2009-04-23 23:44 . 2006-08-11 18:55 10240 ----a-w c:\windows\CTDCRES.DLL
2009-04-16 21:11 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-10 13:57 . 2009-04-10 13:57 -------- d-----w c:\program files\Windows Live SkyDrive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 17:48 . 2007-11-07 23:39 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 03:02 . 2007-12-08 01:27 31536 ----a-w c:\documents and settings\PeterD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 02:58 . 2007-11-10 00:24 -------- d-----w c:\program files\Windows Live
2009-05-01 04:40 . 2009-03-09 01:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-24 01:47 . 2007-11-08 02:53 -------- d-----w c:\program files\Creative
2009-04-23 23:45 . 2007-11-08 03:04 409600 ----a-w c:\windows\system32\wrap_oal.dll
2009-04-23 23:45 . 2007-11-08 03:04 86016 ----a-w c:\windows\system32\OpenAL32.dll
2009-04-23 23:34 . 2007-11-08 02:54 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 03:12 . 2007-11-12 22:38 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-16 21:12 . 2007-11-08 03:35 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-10 18:56 . 2008-05-22 02:45 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-10 13:56 . 2007-11-12 22:14 -------- d-----w c:\program files\Java
2009-04-06 19:32 . 2009-03-09 01:30 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-03-09 01:30 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-29 17:48 . 2008-05-01 02:35 -------- d-----w c:\program files\Elaborate Bytes
2009-03-29 16:07 . 2009-03-29 16:07 -------- d-----w c:\program files\SlySoft
2009-03-28 04:23 . 2009-03-11 21:08 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-03-23 02:28 . 2009-03-23 02:28 -------- d-----w c:\program files\OverDrive Media Console
2009-03-18 23:54 . 2009-03-18 23:54 -------- d-----w c:\program files\Astonsoft
2009-03-18 17:08 . 2009-03-18 17:08 103744 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2009-03-18 01:07 . 2009-02-24 21:44 -------- d-----w c:\program files\Cheat Engine
2009-03-17 22:03 . 2009-03-17 22:04 720896 ----a-w c:\windows\iun6002.exe
2009-03-17 20:46 . 2009-03-17 20:46 416189 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-03-17 02:03 . 2007-11-15 04:37 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-16 22:50 . 2007-11-08 03:16 38912 ----a-w C:\wizmo.exe
2009-03-14 19:21 . 2009-03-14 19:21 -------- d-----w c:\program files\Trend Micro
2009-03-14 18:46 . 2009-03-14 18:46 -------- d-----w c:\program files\CCleaner
2009-03-13 02:37 . 2009-03-13 02:37 -------- d-----w c:\program files\Zone Labs
2009-03-11 21:08 . 2009-03-11 21:08 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-03-11 21:08 . 2009-03-11 21:08 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-09 09:19 . 2009-03-17 20:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 08:34 . 2008-04-14 10:42 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2008-04-14 10:41 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2008-04-14 10:41 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2008-04-14 10:42 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2008-04-14 10:41 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2008-04-14 10:41 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2008-04-14 10:41 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2008-04-14 02:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2008-04-14 10:42 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 23:20 . 2004-08-04 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-03-06 23:18 . 2007-11-07 23:32 22748 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-06 14:22 . 2008-04-14 10:42 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 19:13 . 2007-11-22 23:15 1966080 ----a-w c:\windows\system32\xRaidSetup.exe
2009-03-05 19:13 . 2008-06-21 19:05 243712 ----a-w c:\windows\system32\x.264.exe
2009-03-05 19:13 . 2006-09-28 23:56 146432 ----a-w c:\windows\system32\WudfHost.exe
2009-03-05 19:13 . 2002-08-21 10:13 189952 ----a-w c:\windows\system32\WISPTIS.EXE
2009-03-05 19:13 . 1998-06-12 05:00 30720 ----a-w c:\windows\system32\WINDBVER.EXE
2009-03-05 19:13 . 2007-11-08 03:28 561152 ----a-w c:\windows\system32\UNINSTAL.EXE
2009-03-05 19:13 . 2007-03-22 01:54 69632 ----a-w c:\windows\system32\TWUNK_32.EXE
2009-03-05 19:13 . 2007-11-07 23:31 44544 ----a-w c:\windows\system32\tscupgrd.exe
2009-03-05 19:12 . 2008-07-08 21:47 7680 ----a-w c:\windows\system32\spdwnwxp.exe
2009-03-05 19:12 . 2008-07-08 21:47 32768 ----a-w c:\windows\system32\slrundll.exe
2009-03-05 19:12 . 2007-11-08 04:14 36352 ----a-w c:\windows\system32\OggDSuninst.exe
2009-03-05 19:09 . 2005-01-07 22:07 61952 ----a-w c:\windows\system32\HdAShCut.exe
2009-03-05 19:09 . 2008-07-08 21:46 20992 ----a-w c:\windows\system32\faxpatch.exe
2009-03-05 19:09 . 2006-02-28 17:41 61440 ----a-w c:\windows\system32\dns-sd.exe
2009-03-05 19:08 . 2008-07-08 21:46 9728 ----a-w c:\windows\system32\comsdupd.exe
2009-03-05 19:08 . 2007-11-22 23:06 49152 ----a-w c:\windows\system32\ChCfg.exe
2009-03-05 18:48 . 2008-06-21 19:04 506368 ----a-w c:\windows\x2.64.exe
2009-03-05 18:48 . 2008-03-09 16:03 86016 ----a-w c:\windows\unvise32qt.exe
2009-03-05 18:48 . 2007-11-07 23:48 86016 ----a-w c:\windows\SoundMan.exe
2009-03-05 18:48 . 2007-11-07 23:48 1826816 ----a-w c:\windows\SkyTel.exe
2009-03-05 18:47 . 2007-11-07 23:48 1191936 ----a-w c:\windows\RtlUpd.exe
2009-03-05 18:47 . 2007-11-07 23:48 9716736 ----a-w c:\windows\RTLCPL.EXE
2009-03-05 18:47 . 2007-11-07 23:48 16386048 ----a-w c:\windows\RTHDCPL.EXE
2009-03-05 18:47 . 2008-06-21 19:05 70144 ----a-w c:\windows\MOTA113.exe
2009-03-05 18:47 . 2007-11-07 23:48 2166784 ----a-w c:\windows\MicCal.exe
2009-03-05 18:47 . 2007-12-23 02:14 306688 ----a-w c:\windows\IsUninst.exe
2009-03-05 18:47 . 2008-02-15 03:33 65536 ----a-w c:\windows\IFinst27.exe
2009-03-05 18:47 . 2007-11-22 23:06 315392 ----a-w c:\windows\HideWin.exe
2009-03-05 18:47 . 2008-03-18 23:40 796672 ----a-w c:\windows\GPInstall.exe
2009-03-05 18:47 . 2007-11-08 02:54 41984 ----a-w c:\windows\Ctregrun.exe
2009-03-05 18:47 . 2007-11-07 23:48 2810880 ----a-w c:\windows\ALCWZRD.EXE
2009-03-05 18:47 . 2007-11-07 23:48 69632 ----a-w c:\windows\ALCMTR.EXE
2009-03-05 16:45 . 2007-11-08 03:50 255488 ----a-w C:\Notepad2.exe
2009-03-05 16:45 . 2007-11-08 03:16 5689344 ----a-w C:\mplayerc.exe
2009-03-05 04:40 . 2009-03-03 01:41 130 ----a-w c:\windows\adobe.bat
2009-03-05 04:09 . 2009-03-05 04:09 -------- d-----w c:\program files\Alwil Software
2009-03-03 01:43 . 2009-03-03 00:23 136128 ----a-w c:\windows\system32\drivers\ethppbfh.sys
2009-03-03 01:41 . 2009-03-03 01:41 0 ----a-w c:\windows\_id.dat
2009-03-03 01:33 . 2009-03-03 01:33 0 ----a-w c:\windows\nsreg.dat
2009-02-17 17:11 . 2009-02-17 17:11 24232 ------w c:\windows\system32\drivers\ElbyCDIO.sys
2009-02-17 13:33 . 2009-02-17 13:33 89256 ------w c:\windows\system32\ElbyCDIO.dll
2009-02-16 04:10 . 2009-03-31 00:33 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2008-04-14 10:41 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-04-14 10:42 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2008-04-14 10:41 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2008-04-14 10:41 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2008-04-14 06:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 22:52 . 2009-02-06 22:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2008-04-14 10:42 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2008-04-14 05:54 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2008-04-14 00:01 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2008-04-14 10:42 56832 ----a-w c:\windows\system32\secur32.dll
2006-05-03 09:06 . 2008-06-21 19:04 163328 --sh--r c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2008-06-21 19:04 31232 --sh--r c:\windows\system32\msfDX.dll
2007-12-17 12:43 . 2008-06-21 19:04 27648 --sh--w c:\windows\system32\Smab0.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-02_22.07.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 17:49 . 2009-05-03 17:49 16384 c:\windows\Temp\Perflib_Perfdata_1e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2009-03-05 94208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2009-03-05 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2009-03-05 258048]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-11 1932568]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-03-05 16386048]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-08-11 18944]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-22 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-11 21:08 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 pcistub;pcistub; [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-03 130936]
S0 xmasbus;xmasbus;c:\windows\system32\DRIVERS\xmasbus.sys [2003-12-21 140800]
S0 xmasscsi;xmasscsi;c:\windows\System32\Drivers\xmasscsi.sys [2003-12-21 5504]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-03-11 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-03-28 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-11 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-11 298264]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2007-09-07 1373480]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {8A1F1D1B-02D1-4363-BD97-7357DD9D6F2A} = 192.168.1.1
FF - ProfilePath - c:\documents and settings\PeterD\Application Data\Mozilla\Firefox\Profiles\cmtd4zas.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 13:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-842925246-1336601894-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:ab,e6,d2,74,20,03,85,9b,b3,cd,9b,45,41,45,9a,18,a9,28,2c,02,da,
36,db,ae,2d,3f,f2,24,11,5a,7e,a6,a9,01,d5,38,24,79,eb,88,42,ef,94,19,34,34,\
"rkeysecu"=hex:39,54,61,12,a8,59,9a,c9,92,a5,d4,02,78,87,b0,25
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(348)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\BsLangInDepRes.dll
c:\windows\system32\Bs2Res.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\IVT Corporation\BlueSoleil\BsHelpCS.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-05-03 13:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 17:56
ComboFix2.txt 2009-05-02 22:13

Pre-Run: 40,685,514,752 bytes free
Post-Run: 40,677,146,624 bytes free

283 --- E O F --- 2009-04-18 18:58

Gpooj
2009-05-03, 21:00
HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:58 PM, on 5/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194665334359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A1F1D1B-02D1-4363-BD97-7357DD9D6F2A}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7753 bytes

Shaba
2009-05-03, 21:03
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Gpooj
2009-05-04, 06:57
Is it possible for me to put this on hold for 1 week?

I have been shipped out of town for the week and I do not have access to my PC till the 10th.

So, could this thread remain open till that time? Should I post every few days to make sure it doesn't close?

Shaba
2009-05-04, 07:10
Sure, I will keep this open :)

Gpooj
2009-05-09, 18:06
Thanks for waiting, here's the full list:

Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Template Projects & Footage
Adobe After Effects CS3 Third Party Content
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop 7.0
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 8.1.1
Adobe Setup
Adobe Setup
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Alcohol 120%
AnyDVD
AVG 8.5
Bluesoleil 5.0.5.178
BSPlayer
CCleaner (remove only)
CDBurnerXP Pro 3
CD-DA X-Tractor v0.24
CDisplay 1.8
Cheat Engine 5.4
Choice Guard
CloneDVD2
Compatibility Pack for the 2007 Office system
Creative Audio Console
Critical Update for Windows Media Player 11 (KB959772)
DeepBurner v1.9.0.228
Direct Show Ogg Vorbis Filter (remove only)
eMule
Fallout 3
ffdshow [rev 1054] [2007-03-19]
FileZilla Server (remove only)
FLV Player 2.0, build 23
FOX ONE
FTP Commander
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator Driver
InterVideo WinDVD 8
InterVideo WinDVD Creator 3
Java(TM) 6 Update 13
Java(TM) 6 Update 3
Java(TM) 6 Update 5
JMB36X Raid Configurer
LDraw
LDraw Parts Library 2008-01
LiveUpdate
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Matroska Pack - Lazy Man's MKV 0.9.9
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual Basic 6.0 Professional Edition
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.53
MozBackup 1.4.6
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.16)
Mp3 Tag Tools v1.2
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NoteWorthy Composer
NVIDIA Drivers
Opera 9.51
OverDrive Media Console
PDF Settings
PDFCreator
Pen Tablet
QuickTime Alternative 1.81
Realtek High Definition Audio Driver
SDP Downloader
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
Sins of a Solar Empire
Sins of a Solar Empire
SPORE™
Spybot - Search & Destroy
Spyware Doctor 6.0
SUPER © Version 2008.bld.30 (Mar 22, 2008)
System Requirements Lab
Ulead GIF Animator Lite Edition 1.0
UltraVNC v1.0.2
UnInstall_SealOnlineUSA
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
VC 9.0 Runtime
VC 9.0 Runtime
VeohTV BETA
VideoLAN VLC media player 0.8.6a
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Winamp
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
ZoneAlarm

Shaba
2009-05-09, 19:01
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent DNA
eMule

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new uninstall list scan when finished and post the log back here.

Gpooj
2009-05-10, 00:27
Not sure if it makes any difference, but I installed eMule myself about.... a year or two ago. I don't think I've used it since then really, but I've uninstalled it nonetheless.

As for BitTorrent DNA, that's that weird thing that pure versions of BitTorrent install. I had it disabled, and I can't see it in my uninstall list. Anyway, I uninstalled BitTorrent instead because I couldn't find that one.

So, here's my new list:

Add or Remove Adobe Creative Suite 3 Master Collection
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe After Effects CS3 Template Projects & Footage
Adobe After Effects CS3 Third Party Content
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop 7.0
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 8.1.1
Adobe Setup
Adobe Setup
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
Alcohol 120%
AnyDVD
AVG 8.5
Bluesoleil 5.0.5.178
BSPlayer
CCleaner (remove only)
CDBurnerXP Pro 3
CD-DA X-Tractor v0.24
CDisplay 1.8
Cheat Engine 5.4
Choice Guard
CloneDVD2
Compatibility Pack for the 2007 Office system
Creative Audio Console
Critical Update for Windows Media Player 11 (KB959772)
DeepBurner v1.9.0.228
Direct Show Ogg Vorbis Filter (remove only)
Fallout 3
ffdshow [rev 1054] [2007-03-19]
FileZilla Server (remove only)
FLV Player 2.0, build 23
FOX ONE
FTP Commander
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator Driver
InterVideo WinDVD 8
InterVideo WinDVD Creator 3
Java(TM) 6 Update 13
Java(TM) 6 Update 3
Java(TM) 6 Update 5
JMB36X Raid Configurer
LDraw
LDraw Parts Library 2008-01
LiveUpdate
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Matroska Pack - Lazy Man's MKV 0.9.9
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual Basic 6.0 Professional Edition
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.53
MozBackup 1.4.6
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.16)
Mp3 Tag Tools v1.2
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NoteWorthy Composer
NVIDIA Drivers
Opera 9.51
OverDrive Media Console
PDF Settings
PDFCreator
Pen Tablet
QuickTime Alternative 1.81
Realtek High Definition Audio Driver
SDP Downloader
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
Sins of a Solar Empire
Sins of a Solar Empire
SPORE™
Spybot - Search & Destroy
Spyware Doctor 6.0
SUPER © Version 2008.bld.30 (Mar 22, 2008)
System Requirements Lab
Ulead GIF Animator Lite Edition 1.0
UltraVNC v1.0.2
UnInstall_SealOnlineUSA
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
VC 9.0 Runtime
VC 9.0 Runtime
VeohTV BETA
VideoLAN VLC media player 0.8.6a
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Winamp
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
WinRAR archiver
ZoneAlarm

Gpooj
2009-05-10, 04:13
I know I'm not supposed to double reply in a row, but I had one of those weird redirects just now and I've tried to more carefully document exactly what is going on.

I did a google search.
I clicked on the first link (a wikipedia page), AVG content adviser has a little green check next to it.

Instead of taking me to wikipedia it took me to IGN. So, I quickly checked my browser history, and here's what the most recent pages it said I visited were:

The first is the one that loaded directly after the google search page, so I guess it's what happened when I clicked the wikipedia link.

http://c.incomeppc.com/?d=rAbIxphhdwNNEG_bWAVUcJKtNSD8iyOEdwP5bF1IHUlvvBaUK052IanlcdfjRSWdTjjNZ4iluOpQ8QJtO4NQ_j4nOVNYPUNEOOuDx1MOX6ityGo9iuRPjHkuEjyWcDfqQFEDFRQFXnMm_L8FEIjzKM2eaNxcyPgmvXaZTYAqJjvQUNAAUy6QEgJiD-y5KwwDh307vvMeHtEICVfvs7Wsw3-tzA0FKbmJm_wgxh99haRs-KZExZs9M_LrrH6DsqefBIX_g-K-sD32m3wO-To2Yn1c2xn8aieyxXi5gi4XGM68hhSAfujhe3SmnT_AV1-1drBgd3ed-MAubg-rKFKtZkPeuKBb-FFk6ZCXLE0RwYsRov7AWtyY2maBhoDTJf2NSumT4hN-JaLK6UhXAzzW_TUVx-g4aCkxjVIwMF9sh93dvorrSpoLJLKdtCZ1x2gU_NLYFm2loNaGG-Oi5q2CGc_mModddvbn3qTHvdWLJKRmpNv3lnzVY6C6yFf31ba_0Jqqr10GMCpV7FTZBbtkwCHL6oz4Ej0jOuzSSM6sme_otcDPtK5a_2njxLtsMEIrfk08cbu_59K5yInfomPGuORXRpWqCZyj1hKfIWoEYOqH_js7QoyM-=-=-AmLhBF4kAv4kAGpiLl5jnUN/p3jlBGpjsQA8BQNjsTMupaWuozq8ZGNmZGLmsQI8ZUj0LGN2ZwqwL3j1BQH1AJDjA3jjsTAuATLkBJZ5sQR4ZmyyBTIvsUAyLKWwnTygLJqypl5cozMi-=-=-6d3e259706f9

then

http://76.9.16.157/c.php?s=eNoVkcuuqjAART_oJNIHpWXgAFQ8vlBRqjC5oS1VUHyiiOnHX052VnaypqswEFJqGwwAM4vyhBcD8DWgB4AD_w4aBIALCHARBBhQk1ZBK6vglTb9vhECwUxhRwlJpQsdDSRQSEDSKaZz_Y8SRVwmXZ2rnAkplCtziKnMGLNdWwiDHANNHl6DRtWvQ-l5XjjQu307iiZrUgRVPIsif7Jfj3-gmN0SXozWz_jtku99unEf-XMRkMf9Z_YeeU6QfdrsOVK_t-X-fQ32z3jB-Gb2La1p2ka8nvrlkKv5tv4KTZ68uuFNshwur3FzaG_NI1-1qeOtq3rq-ZNhot-eXSXgMxCrhXOo-SSx6MPKYR0EjLfEbi7NJglL2znOubQGWs2AFhzG4uA-WnYX6HuKNmmJ_GHIk-t4nPxkwIVjZS9fu93qibeeFcbYWYXqgPM1k2tH_AYLSz2ybAnTT-Bv5d2PTp_zZbqqqioa3dGUiqJYWXEzcAi3yamIL6P6lSs31on_0Wdde10TZPcI7SGMOogxjPUY6bm4Rw0wBhmFFZ6fzr_bgpQCgX5n_2awkYgfZRVesx08poh_59X5lVasbzCThBEKEcJdPMlw1uXsVJbRLBdU_wf7DblZ

then

http://iad.xmlsearch.miva.com/bin/findwhat.dll?clickthrough&y=52594&x=NSJBxFLTXTxJC6EyD3ZLT5t3ZcIIP:nlPQw3uQLXX6pdxfZGlHszOe:ZPYxCIqTbvoIr4HxNMgwJUQmkHM8CZe8B266bjVKQoQLSpcaixeaoZrEX;kYuxFTsVQ6AzTSBjqt7ugIAjbpI;3tSESawmVgh;6jKofT4xSIXc3yeAcjvyttZ2c:;CopFpTXJOfjG5oMxPgtlGG$hi

Then it loads an IGN advertisement.
So, whatever is happening, I clicked a link that was supposed to be:
http://en.wikipedia.org/wiki/Farang
But instead of taking me there, it took me to:
incomeppc.com
c.php
findwhat.dll
and finally ended up at an IGN advertisement (http://www.ign.com/?_cmpid=ign33).

I hope this more detailed problem description helps you out.
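
Added example (not from the thread or from any tool mentioned in it): a small Python triage script that scans a (time, URL) browser history for the pattern documented above, a search results page followed within seconds by several unrelated hosts before the page settles, and reports the hop chain, raw-IP hops and long opaque query tokens. The history below is constructed from the hosts in the post, with the encoded tokens replaced by placeholders; the search-host list and thresholds are assumptions.

```python
"""Flag search-result clicks that were bounced through redirect hops.

Added example, not code from the thread. Works on a (time, url) browser
history and reports chains like the one documented above: a search results
page followed within seconds by several unrelated hosts before it settles.
"""
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}  # assumption
WINDOW = timedelta(seconds=10)  # hops of one redirect land seconds apart
MIN_HOSTS = 2                   # a single intermediate host is a normal tracking redirect
LONG_TOKEN = 100                # opaque query values this long are typical of redirectors


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def longest_query_value(url):
    """Length of the longest query value (or the bare query if it has no '=')."""
    query = urlsplit(url).query
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)] or [query]
    return max((len(v) for v in values), default=0)


def find_redirect_chains(history):
    """history: list of (datetime, url) in visit order.

    A chain starts at a search page; the first visit after it is the click,
    and every further visit within WINDOW of the previous one is a hop.  The
    last hop is the landing page.  Returns one dict per suspicious chain."""
    chains = []
    i = 0
    while i < len(history):
        search_url = history[i][1]
        if host_of(search_url) not in SEARCH_HOSTS:
            i += 1
            continue
        hops = []
        j = i + 1
        while j < len(history) and host_of(history[j][1]) not in SEARCH_HOSTS:
            if hops and history[j][0] - history[j - 1][0] > WINDOW:
                break  # the user moved on later; not part of this redirect
            hops.append(history[j][1])
            j += 1
        if len(hops) > MIN_HOSTS:
            middle, landing = hops[:-1], hops[-1]
            hosts = [host_of(u) for u in middle]
            indicators = []
            if any(is_ip_literal(h) for h in hosts):
                indicators.append("ip-literal hop")
            if any(longest_query_value(u) >= LONG_TOKEN for u in middle):
                indicators.append("opaque long query token")
            if len(set(hosts)) >= MIN_HOSTS:
                indicators.append("%d intermediate hosts" % len(set(hosts)))
            if indicators:
                chains.append({"search": search_url, "hops": hosts,
                               "landing": host_of(landing), "indicators": indicators})
        i = j
    return chains


# Constructed history modelled on the chain in the post above.  The long
# encoded tokens are placeholders, not the real values.
T0 = datetime(2009, 5, 10, 3, 50, 0)
SAMPLE_HISTORY = [
    (T0, "http://www.google.com/search?q=farang"),
    (T0 + timedelta(seconds=2), "http://c.incomeppc.com/?d=" + "A" * 400),
    (T0 + timedelta(seconds=3), "http://76.9.16.157/c.php?s=" + "B" * 300),
    (T0 + timedelta(seconds=4),
     "http://iad.xmlsearch.miva.com/bin/findwhat.dll?clickthrough&y=52594&x=" + "C" * 120),
    (T0 + timedelta(seconds=5), "http://www.ign.com/?_cmpid=ign33"),
    # a later, normal click: search page straight to the intended article
    (T0 + timedelta(minutes=5), "http://www.google.com/search?q=farang"),
    (T0 + timedelta(minutes=5, seconds=3), "http://en.wikipedia.org/wiki/Farang"),
]

if __name__ == "__main__":
    for chain in find_redirect_chains(SAMPLE_HISTORY):
        print("search:", chain["search"])
        print("  hops:", " -> ".join(chain["hops"]), "->", chain["landing"])
        print("  why: ", "; ".join(chain["indicators"]))
```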

Gpooj
2009-05-10, 09:17
Ah, you're probably thinking I got infected as a result of some P2P program.

Well, I haven't really used any P2P stuff recently. I guess I used BitTorrent about 2 months ago. I didn't think BitTorrent counted as a bad P2P program; it's the standard Linux distribution method. Either way, I uninstalled it as per your request.

The most recent thing I installed was probably ZoneAlarm, or maybe Windows Live Messenger. It's not like I didn't have ZoneAlarm before that, it's just that my old version broke somehow.

I'm thinking it happened one day when I was looking for screenshots using google images. The AVG content adviser doesn't work on the image search, so I guess I clicked a bad link because AVG popped right up and said that I was on a known bad site and that it had quarantined something (what, I don't know, because I was on a webpage, how could it quarantine the webpage?).

Shaba
2009-05-10, 11:50
I haven't claimed that you have used P2P software.

Having those installed is against forum rules and that's why I required you to uninstall them.

However, let's check this next:

Please download GooredFix (http://jpshortstuff.247fixes.com/GooredFix.exe) and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

Gpooj
2009-05-11, 04:11
Sorry, I didn't mean to sound rude. I totally understand why I needed to uninstall them. If they're screwing my computer up I don't want them on there anyway. :)

Anyway, here's the text file that popped up:

GooredFix v1.92 by jpshortstuff
Log created at 21:09 on 10/05/2009 running Option #1 (PeterD)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{320CEDCF-5BDB-4E6C-A429-815DC9FAB44A}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
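
Added example, not GooredFix's own code (the thread does not say how that tool selects its suspects): a Python check that parses the registry section of a GooredFix-style log together with a listing of Firefox's extensions folder, and flags GUID-named folders that are neither registered under HKLM\SOFTWARE\Mozilla\Firefox\extensions nor part of a stock install. The registry text and folder listing are constructed from the log above; the stock-theme ID is a known Firefox value, not from the thread.

```python
"""Triage Firefox extension folders against the registry-registered ones.

Added example; not GooredFix's own algorithm.  Parses the "Dumping Registry
Values" section of a GooredFix-style log and a directory listing of
C:\\Program Files\\Mozilla Firefox\\extensions, then reports GUID-named folders
that are neither registered in an HKLM ...\\extensions key nor created by a
stock install.  Output is a review list, not a deletion list.
"""
import re
from pathlib import PureWindowsPath

# Registry dump lines look like  "name"="C:\path"  under a [HKEY_...] header.
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

# Folder names a stock Firefox 3.x install places under extensions\ .
# {972ce4c6-...} is Firefox's built-in default theme (known ID, not from the thread).
STOCK_FOLDERS = {"{972ce4c6-7e08-4474-a285-3208198ce6fd}"}


def parse_registry_dump(text):
    """Return {(key, value_name): data} for every value line in the dump."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries[(key, m.group("name"))] = m.group("data")
    return entries


def norm(path):
    """Normalise a Windows path for comparison (separators, trailing slash, case)."""
    return str(PureWindowsPath(path)).rstrip("\\").lower()


def find_unregistered_extensions(extension_dirs, registry_text):
    """extension_dirs: full paths of folders found under Firefox's extensions\\ dir.

    Flags GUID-named folders that no ...\\extensions registry value points at
    and that are not in STOCK_FOLDERS.  Vendor-installed extensions dropped
    straight into the folder will show up too, so review before removing."""
    registered = {
        norm(data)
        for (key, _name), data in parse_registry_dump(registry_text).items()
        if key.lower().endswith("\\extensions")
    }
    suspects = []
    for d in extension_dirs:
        name = PureWindowsPath(d).name
        if name in STOCK_FOLDERS or not GUID_RE.match(name):
            continue
        if norm(d) in registered:
            continue
        suspects.append(d)
    return suspects


# Constructed inputs: registry lines as they appear in the log above, and a
# folder listing holding the stock theme plus the folder the log reported.
SAMPLE_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
"""
SAMPLE_DIRS = [
    r"C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}",
    r"C:\Program Files\Mozilla Firefox\extensions\{320CEDCF-5BDB-4E6C-A429-815DC9FAB44A}",
]

if __name__ == "__main__":
    for folder in find_unregistered_extensions(SAMPLE_DIRS, SAMPLE_REGISTRY):
        print("unregistered extension folder:", folder)
```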

Shaba
2009-05-11, 07:08
Please double-click GooredFix.exe on your Desktop to run it.
Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Gpooj
2009-05-11, 07:35
Ok, it didn't prompt me to restart or do any registry changing, but here's the log:

GooredFix v1.92 by jpshortstuff
Log created at 00:33 on 11/05/2009 running Option #2 (PeterD)
Firefox version 3.0.10 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{320CEDCF-5BDB-4E6C-A429-815DC9FAB44A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

Shaba
2009-05-11, 13:50
OK, Goored is gone.

Still same symptoms?

Gpooj
2009-05-11, 14:14
Hard to say, it didn't do it every time I clicked a link, only maybe half the time.

I'll give it a thorough trying today and let you know.

Shaba
2009-05-11, 16:11
OK, keep me informed :)

Gpooj
2009-05-12, 03:51
It looks like it's fixed!

Looks like that google redirect problem is pretty widespread, is it covered by Spybot's immunize function?

Should I be using immunize? I've heard that it might screw up my anti-virus.
Do you recommend using it?

Shaba
2009-05-12, 07:07
Good :)

Immunization should not affect antivirus at all. No, it won't cover that kind of google redirect, unfortunately.

Are you ready for final instructions?

Gpooj
2009-05-12, 17:17
There's more? Ok, I'm ready.

It looks like the redirect is fixed.

Shaba
2009-05-12, 17:30
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You seem to have two antiviruses, Spyware Doctor and AVG. Please uninstall one of them.

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the run box and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from the tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)

Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:

Gpooj
2009-05-12, 17:39
Thanks for your help!

That malware complaints page, what's the goal of it? I thought malware was already illegal as it is.

Shaba
2009-05-12, 18:39
Yes but there you can complain about specific malware :)

Gpooj
2009-05-13, 04:55
Cool, well, I've done all that stuff.

Thanks for your help!

Shaba
2009-05-15, 17:49
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

Everyone else please begin a New Topic.