Safer-networking.org is blank page



siskara
2009-06-05, 22:02
It says:
The link safer-networking.org may be misspelled.
DNS error occurred. Server cannot be found. The link may be broken.

And some other web pages are blank.

First of all, I wish to thank Spybot. This is the best antivirus program; it has been helping me for 3 years, but now I don't know what it is....

I had an old version of Spybot, and when I realised that I had some threat I wanted to download the new version, but I could not reach the Spybot home page, so I downloaded the new version from another link. But when Spybot is installing, it downloads the virus database from the Safer-networking.org page. Since this page is blocked, the installation is not complete.

I downloaded Malwarebytes and I have CCleaner, Glary Utilities, Spyware Terminator and, the main one, Avast, and they helped me a little: no redirecting any more and no pop-up windows, but Safer-networking.org and some other pages are still blocked.

I checked everything, I mean everything: internet configuration, scanning the whole PC several times, uninstalling Opera and IE7, uninstalling Avast and installing Windows Live OneCare, going back to Avast again, uninstalling the Crawler toolbar with Spyware Terminator, putting it back again, and a lot of work, and still no solution.

Please help me.

I forgot to write that one option is missing on the desktop right-click Properties: there is no Desktop option (where you can choose the background), and in the Customise Desktop option, where you can choose the 4 main icons, there is no such option.
Did I have a threat, or maybe CCleaner or I deleted some important file?

shelf life
2009-06-06, 14:57
Hi,

See this about posting an HJT log:

Download HJT:

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
Click on "Edit > Select All", then click on "Edit > Copy" and paste the entire contents of the log in your reply.

siskara
2009-06-07, 10:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:52, on 7.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60343
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60343
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60343
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60343
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60343
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://watson.microsoft.com/dw/dcp.asp?CLCID=1033&EXENAME=cli.exe&BRAND=WINDOWS
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Preuzmi odabrano Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Preuzmi sa Free Download Managerom - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Preuzmi sve sa Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF16863-5FF5-4227-9826-9F34B36E60B6}: NameServer = 85.255.114.51 85.255.112.158
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6727 bytes

siskara
2009-06-07, 10:59
DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 0:32:16,73 on sub 09.05.2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.676 [GMT 2:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60343
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60343
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60343
uURLSearchHooks: N/A: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-explorer: NoActiveDesktop = 2 (0x2)
uPolicies-system: Wallpaper = ˙|(
dPolicies-explorer: NoActiveDesktop = 1 (0x1)
dPolicies-explorer: NoFileUrl = 0 (0x0)
IE: Crawler Search - tbr:iemenu
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\free download manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\free download manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\free download manager\dlall.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-4-12 141312]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-3-22 24936]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [2007-6-29 611584]
S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\windows live\messenger\usnsvc.exe [2007-10-18 98328]

=============== Created Last 30 ================

2009-05-09 00:17 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-05-09 00:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-09 00:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-09 00:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-09 00:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-08 23:50 <DIR> --d----- c:\program files\Crawler
2009-05-08 23:16 <DIR> --d----- C:\4afaee2f4eee69a3d7508c
2009-05-06 22:23 <DIR> --d----- c:\program files\TronMe
2009-05-06 22:20 1,173,201 a------- C:\OneCareSupportData.zip
2009-05-06 21:11 244 a---h--- C:\sqmnoopt01.sqm
2009-05-06 21:11 232 a---h--- C:\sqmdata01.sqm
2009-05-05 00:07 91,328 a------- c:\windows\system32\drivers\msfwdrv.sys
2009-05-05 00:07 116,416 a------- c:\windows\system32\drivers\msfwhlpr.sys
2009-05-05 00:05 53,168 a------- c:\windows\system32\drivers\MpFilter.sys
2009-05-05 00:05 <DIR> --d----- c:\windows\system32\bits
2009-05-05 00:05 409,600 -c------ c:\windows\system32\dllcache\qmgr.dll
2009-05-05 00:05 7,168 -c------ c:\windows\system32\dllcache\bitsprx4.dll
2009-05-05 00:05 7,168 -------- c:\windows\system32\bitsprx4.dll
2009-05-04 23:53 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2009-05-04 19:58 244 a---h--- C:\sqmnoopt00.sqm
2009-05-04 19:58 232 a---h--- C:\sqmdata00.sqm
2009-05-02 21:52 <DIR> --d----- c:\program files\MSSOAP
2009-05-02 21:27 <DIR> --dsh--- c:\documents and settings\administrator\IECompatCache
2009-05-02 21:26 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-05-02 21:04 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-05-02 20:59 81,920 a------- c:\windows\system32\ieencode.dll
2009-05-02 20:59 81,920 a------- c:\windows\system32\dllcache\ieencode.dll

==================== Find3M ====================

2009-02-17 22:39 128,840 ac------ c:\windows\system32\Metacafe.scr

============= FINISH: 0:33:33,28 ===============


siskara
2009-06-07, 11:01
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 20.10.2006 17:20:07
System Uptime: 5.9.2009 0:27:00 (-2856 hours ago)

Motherboard: | | P4X400-8235
Processor: Intel(R) Celeron(R) CPU 2.40GHz | Socket 478 | 2424/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 17,541 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP327: 6.5.2009 22:26:27 - Configured Cuban Missile Crisis
RP328: 8.5.2009 23:12:07 - Installed Opera 9.64

==== Installed Programs ======================

ACDSee 10 Photo Manager
Ad-Aware SE Personal
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HydraVision
CA Yahoo! Anti-Spy (remove only)
CCleaner (remove only)
Counter-Strike 1.6
Crawler Toolbar with Web Security Guard
DNA
Free Download Manager 2.5 Language pack
Glary Utilities 2.2.2.66
GTOneCare
i-Look 111
iTunes
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 3
Malwarebytes' Anti-Malware
Metacafe
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
Microsoft Protection Service
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Live OneCare Resources v2.5.2900.24
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Microsoft Windows OneCare Live v2.5.2900.24
Microsoft Windows OneCare Live v2.5.2900.24 Idcrl Install
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Nero 8
neroxml
Oblivion
Opera 9.64
PX Engine
QuickTime
Realtek AC'97 Audio
RTLSetup for Realtek RTL8139/810x Family NIC 3.00
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Skype 3.8
Spyware Terminator
TronMe beta
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB923845)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VCRedistSetup
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Live OneCare
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows paket jezičnog sučelja
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Windows XP SP2 LIP update
WinRAR archiver
WinZip 11.1

==== Event Viewer Messages From Past Week ========

8.5.2009 22:17:48, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
6.5.2009 23:53:55, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RemoteRegistry service.
6.5.2009 23:06:30, error: Service Control Manager [7023] - The Akamai service terminated with the following error: The specified module could not be found.
4.5.2009 19:35:59, error: Service Control Manager [7000] - The Spyware Terminator Realtime Shield Service service failed to start due to the following error: The system cannot find the file specified.
4.5.2009 19:18:37, error: Service Control Manager [7034] - The Spyware Terminator Realtime Shield Service service terminated unexpectedly. It has done this 1 time(s).
4.5.2009 19:06:22, error: PlugPlayManager [11] - The device Root\LEGACY_SSIDRV\0000 disappeared from the system without first being prepared for removal.
4.5.2009 19:06:22, error: PlugPlayManager [11] - The device Root\LEGACY_SSHRMD\0000 disappeared from the system without first being prepared for removal.
4.5.2009 19:06:22, error: PlugPlayManager [11] - The device Root\LEGACY_SSFS0BBC\0000 disappeared from the system without first being prepared for removal.
4.5.2009 19:06:17, error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
3.5.2009 12:29:10, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
3.5.2009 12:28:48, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
3.5.2009 10:42:56, error: Service Control Manager [7034] - The Webroot Client Service service terminated unexpectedly. It has done this 1 time(s).
2.5.2009 23:27:16, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service NMIndexingService with arguments "" in order to run the server: {E8933C4B-2C90-4A04-A677-E958D9509F1A}

==== End Of File ===========================


shelf life
2009-06-07, 15:40
OK. We will get a download to use. Link and directions:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the MBAM log in your reply.

siskara
2009-06-08, 19:43
Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

This is a blank page!!!!

siskara
2009-06-08, 19:45
The link malwarebytes.org may be misspelled.
DNS error occurred. Server cannot be found. The link may be broken.

siskara
2009-06-08, 20:43
I downloaded from another link!
It's in the Croatian language, but there are 6 successfully deleted threats!
But still: The link malwarebytes.org may be misspelled.
DNS error occurred. Server cannot be found. The link may be broken.

and: The link safer-networking.org may be misspelled.
DNS error occurred. Server cannot be found. The link may be broken.


Malwarebytes' Anti-Malware 1.37
Verzija baze podataka: 2182
Windows 5.1.2600 Service Pack 2

8.6.2009 19:28:47
mbam-log-2009-06-08 (19-28-47).txt

Tip provjere: Kompletna Provjera (C:\|)
Provjerenih objekata: 118660
Vrijeme trajanja: 34 minute(s), 26 second(s)

Zaraženi procesi u memoriji: 0
Zaraženi moduli u memoriji: 0
Zaraženi ključevi u registru: 4
Zaražene vrijednosti u registru: 1
Zaraženi podaci u registru: 0
Zaraženi spremnici: 0
Zaražene datoteke: 1

Zaraženi procesi u memoriji:
(Zloćudne stavke nisu otkrivene)

Zaraženi moduli u memoriji:
(Zloćudne stavke nisu otkrivene)

Zaraženi ključevi u registru:
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> Quarantined and deleted successfully.

Zaražene vrijednosti u registru:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

Zaraženi podaci u registru:
(Zloćudne stavke nisu otkrivene)

Zaraženi spremnici:
(Zloćudne stavke nisu otkrivene)

Zaražene datoteke:
c:\WINDOWS\system32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.


siskara
2009-06-08, 20:55
One option is still missing on the desktop right-click Properties: there is no Desktop option (where you can choose the background), and in the Customise Desktop option, where you can choose the 4 main icons, there is no such sub-option (of course, since there is no main option)...

shelf life
2009-06-09, 02:28
Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":

O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF16863-5FF5-4227-9826-9F34B36E60B6}: NameServer = 85.255.114.51 85.255.112.158

Go to Start > Run and type in cmd
Click OK or Enter.
At the blinking prompt _
copy/paste in what's below:

ipconfig /flushdns

Click Enter.
Close the window.

Go to Start > Run and type in cmd
Click OK or Enter.
At the blinking prompt
copy/paste what's below:

nslookup

Click OK or Enter.

Post what nslookup shows.
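The O17 entry singled out above is a per-adapter NameServer that differs from the global OpenDNS setting in the HijackThis log posted earlier in the thread. As an added example (not code from the thread or from HijackThis), the Python below parses such O17 lines, flags resolvers outside an allowlist that is our assumption here (OpenDNS, because that is what the global key in the posted log uses), and reports adapter-specific servers the global key does not contain; the sample lines are copied from the posted log.

```python
"""Audit HijackThis "O17" NameServer lines for resolver hijacking.

Added example; not code from the thread or from HijackThis. The allowlist of
expected resolvers is an assumption (OpenDNS, because that is what the global
Tcpip\\Parameters key in the posted log points at).
"""
import ipaddress
import re

# Example line:
# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 85.255.114.51 85.255.112.158
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")

# Resolvers the owner deliberately configured (assumption: OpenDNS, as in the log).
EXPECTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # HijackThis separates servers with a space or a comma.
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def classify_server(addr):
    """Short verdict for one NameServer address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        # What the poster's nslookup showed (127.0.0.1): no real resolver left.
        return "loopback (no real resolver configured)"
    if ip.is_private:
        return "private (router or LAN resolver)"
    if addr in EXPECTED_RESOLVERS:
        return "expected"
    return "unexpected public resolver"


def adapter_only_servers(entries):
    """Servers set on a specific adapter key but absent from the global Parameters key.

    HijackThis writes the per-adapter key as ...\\Tcpip\\..\\{GUID}; a resolver that
    appears only there, while the global key says something else, is the pattern
    seen in the posted log.
    """
    global_servers = set()
    per_adapter = {}
    for key, servers in entries:
        if key.endswith(r"\Tcpip\Parameters"):
            global_servers.update(servers)
        else:
            per_adapter[key] = servers
    return {
        key: [s for s in servers if s not in global_servers]
        for key, servers in per_adapter.items()
        if any(s not in global_servers for s in servers)
    }


def audit_o17(log_text):
    """Return (key, server, verdict) for every resolver that is not on the allowlist."""
    return [
        (key, s, classify_server(s))
        for key, servers in parse_o17(log_text)
        for s in servers
        if classify_server(s) != "expected"
    ]


# Constructed sample: the three O17 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF16863-5FF5-4227-9826-9F34B36E60B6}: NameServer = 85.255.114.51 85.255.112.158
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

if __name__ == "__main__":
    for key, server, verdict in audit_o17(SAMPLE_LOG):
        print(f"{verdict:38} {server:16} {key}")
    for key, servers in adapter_only_servers(parse_o17(SAMPLE_LOG)).items():
        print(f"adapter-only resolvers {servers} in {key}")
```

Running it on the sample reports both 85.255.x.x addresses as unexpected public resolvers present only on the adapter key, which is exactly the entry the fix above removes.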

siskara
2009-06-11, 11:33
C:\Documents and Settings\Administrator>nslookup
*** Default servers are not available
Default Server: UnKnown
Address: 127.0.0.1


siskara
2009-06-11, 11:38
Now I don't have access to 80% of web pages...

shelf life
2009-06-11, 12:45
Check Malwarebytes for updates and run it again.
If it can't update for some reason, you can download/install the latest database for it from here:

http://malwarebytes.gt500.org/database.jsp

After it's updated:

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
----------------------------------

siskara
2009-06-11, 13:36
After doing what you told me, I did not have access to 99% of web pages; only this forum was accessible (I checked only approx. 15 favourite web pages and all were blank; maybe some other web pages were OK, but I did not try any more), but after restarting all is like before.... a few web pages are blocked.

siskara
2009-06-11, 14:27
I can't update Malwarebytes...

Is version 1.37.0.0 older than version 1.202.0.0?

I installed "your" version 1.202.0.0.

Nothing found....

Malwarebytes' Anti-Malware 1.37
Verzija baze podataka: 2202
Windows 5.1.2600 Service Pack 2

11.6.2009 13:23:00
mbam-log-2009-06-11 (13-23-00).txt

Tip provjere: Kompletna Provjera (C:\|)
Provjerenih objekata: 120348
Vrijeme trajanja: 37 minute(s), 37 second(s)

Zaraženi procesi u memoriji: 0
Zaraženi moduli u memoriji: 0
Zaraženi ključevi u registru: 0
Zaražene vrijednosti u registru: 0
Zaraženi podaci u registru: 0
Zaraženi spremnici: 0
Zaražene datoteke: 0

Zaraženi procesi u memoriji:
(Zloćudne stavke nisu otkrivene)

Zaraženi moduli u memoriji:
(Zloćudne stavke nisu otkrivene)

Zaraženi ključevi u registru:
(Zloćudne stavke nisu otkrivene)

Zaražene vrijednosti u registru:
(Zloćudne stavke nisu otkrivene)

Zaraženi podaci u registru:
(Zloćudne stavke nisu otkrivene)

Zaraženi spremnici:
(Zloćudne stavke nisu otkrivene)

Zaražene datoteke:
(Zloćudne stavke nisu otkrivene)

siskara
2009-06-11, 14:29
Sorry, one number I forgot to write: the Malwarebytes version is 1.2202.0.0


siskara
2009-06-11, 14:46
This is what the Glary Utilities registry cleaner removed:

[HKEY_LOCAL_MACHINE\\SOFTWARE\CToolbar]
"PathUserData"="C:\PROGRA~1\Crawler\UserData\"

[HKEY_CURRENT_USER\\Software\AVS4YOU\DVDPlayer\1.00]
"~tmpnewfile"="C:\Documents and Settings\Administrator\My Documents\My Videos\AVS4YOU\AVSVideotoGO\Kamera000_p1.avi"

[HKEY_USERS\\S-1-5-21-1078081533-1801674531-682003330-500\Software\AVS4YOU\DVDPlayer\1.00]
"~tmpnewfile"="C:\Documents and Settings\Administrator\My Documents\My Videos\AVS4YOU\AVSVideotoGO\Kamera000_p1.avi"

[HKEY_LOCAL_MACHINE\software\Windows]

[HKEY_LOCAL_MACHINE\software\Windows\CurrentVersion]

[HKEY_LOCAL_MACHINE\software\Windows\CurrentVersion\Explorer]

[HKEY_LOCAL_MACHINE\software\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_CLASSES_ROOT\CLSID\{E0B8F398-BB08-4298-87F0-34502693902E}]
""=""

[HKEY_CLASSES_ROOT\CLSID\{E0B8F398-BB08-4298-87F0-34502693902E}\LocalServer32]
""=""C:\Program Files\Messenger\msmsgs.exe""

[HKEY_CLASSES_ROOT\CLSID\{E3A3B1D9-5675-43c0-BF04-37BE11939FB7}]
""=""

[HKEY_CLASSES_ROOT\CLSID\{E3A3B1D9-5675-43c0-BF04-37BE11939FB7}\LocalServer32]
""=""C:\Program Files\Messenger\msmsgs.exe""

[HKEY_CLASSES_ROOT\CLSID\{E3A3B1D9-5675-43c0-BF04-37BE11939FB7}\ProgID]
""="Messenger.MsgrSessionManager.1"

[HKEY_CLASSES_ROOT\CLSID\{E3A3B1D9-5675-43c0-BF04-37BE11939FB7}\Programmable]
""=""

[HKEY_CLASSES_ROOT\CLSID\{E3A3B1D9-5675-43c0-BF04-37BE11939FB7}\TypeLib]
""="{53CED51D-432B-45B2-A3E0-0CE2C24235D4}"

[HKEY_CLASSES_ROOT\CLSID\{E3A3B1D9-5675-43c0-BF04-37BE11939FB7}\Version]
""="1.0"

[HKEY_CLASSES_ROOT\Typelib\{53CED51D-432B-45B2-A3E0-0CE2C24235D4}]
""=""

[HKEY_CLASSES_ROOT\Typelib\{53CED51D-432B-45B2-A3E0-0CE2C24235D4}\1.0]
""="Messenger Private Type Library"

[HKEY_CLASSES_ROOT\Typelib\{53CED51D-432B-45B2-A3E0-0CE2C24235D4}\1.0\0]

[HKEY_CLASSES_ROOT\Typelib\{53CED51D-432B-45B2-A3E0-0CE2C24235D4}\1.0\0\win32]
""="C:\Program Files\Messenger\msmsgs.exe\2"

siskara
2009-06-11, 14:49
This below is what Glary Utilities registry cleaner fixed (removed):

Note that a few of them have the same number...


[HKEY_CLASSES_ROOT\Interface\{2E50547B-A8AA-4f60-B57E-1F414711007B}]
""="IMessengerServices"

[HKEY_CLASSES_ROOT\Interface\{2E50547B-A8AA-4f60-B57E-1F414711007B}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{2E50547B-A8AA-4f60-B57E-1F414711007B}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{2E50547B-A8AA-4f60-B57E-1F414711007B}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{2E50547C-A8AA-4f60-B57E-1F414711007B}]
""="IMessengerService"

[HKEY_CLASSES_ROOT\Interface\{2E50547C-A8AA-4f60-B57E-1F414711007B}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{2E50547C-A8AA-4f60-B57E-1F414711007B}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{2E50547C-A8AA-4f60-B57E-1F414711007B}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{305D86C6-6896-4099-91F5-CB7BA7733563}]
""="IMsgrSessionManager"

[HKEY_CLASSES_ROOT\Interface\{305D86C6-6896-4099-91F5-CB7BA7733563}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{305D86C6-6896-4099-91F5-CB7BA7733563}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{305D86C6-6896-4099-91F5-CB7BA7733563}\TypeLib]
""="{53CED51D-432B-45b2-A3E0-0CE2C24235D4}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{36602AFA-4859-4DF5-820B-BF35ACAA16CA}]
""="IMsgrLock"

[HKEY_CLASSES_ROOT\Interface\{36602AFA-4859-4DF5-820B-BF35ACAA16CA}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{36602AFA-4859-4DF5-820B-BF35ACAA16CA}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{36602AFA-4859-4DF5-820B-BF35ACAA16CA}\TypeLib]
""="{53CED51D-432B-45b2-A3E0-0CE2C24235D4}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{42D7CAFC-0167-4941-A5D8-9FD7F104C41A}]
""="IMsgrSession"

[HKEY_CLASSES_ROOT\Interface\{42D7CAFC-0167-4941-A5D8-9FD7F104C41A}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{42D7CAFC-0167-4941-A5D8-9FD7F104C41A}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{42D7CAFC-0167-4941-A5D8-9FD7F104C41A}\TypeLib]
""="{53CED51D-432B-45b2-A3E0-0CE2C24235D4}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{7C95459B-C8E7-4605-B641-45EB06866659}]
""="IMessengerPrivate"

[HKEY_CLASSES_ROOT\Interface\{7C95459B-C8E7-4605-B641-45EB06866659}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{7C95459B-C8E7-4605-B641-45EB06866659}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{7C95459B-C8E7-4605-B641-45EB06866659}\TypeLib]
""="{53CED51D-432B-45b2-A3E0-0CE2C24235D4}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{D50C3186-0F89-48f8-B204-3604629DEE10}]
""="IMessenger"

[HKEY_CLASSES_ROOT\Interface\{D50C3186-0F89-48f8-B204-3604629DEE10}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D50C3186-0F89-48f8-B204-3604629DEE10}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D50C3186-0F89-48f8-B204-3604629DEE10}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{D50C3286-0F89-48f8-B204-3604629DEE10}]
""="IMessenger2"

[HKEY_CLASSES_ROOT\Interface\{D50C3286-0F89-48f8-B204-3604629DEE10}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D50C3286-0F89-48f8-B204-3604629DEE10}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D50C3286-0F89-48f8-B204-3604629DEE10}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{D50C3386-0F89-48f8-B204-3604629DEE10}]
""="IMessenger3"

[HKEY_CLASSES_ROOT\Interface\{D50C3386-0F89-48f8-B204-3604629DEE10}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D50C3386-0F89-48f8-B204-3604629DEE10}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D50C3386-0F89-48f8-B204-3604629DEE10}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{D6B0E4C8-FAD6-4885-B271-0DC5A584ADF8}]
""="IMessengerWindow"

[HKEY_CLASSES_ROOT\Interface\{D6B0E4C8-FAD6-4885-B271-0DC5A584ADF8}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D6B0E4C8-FAD6-4885-B271-0DC5A584ADF8}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D6B0E4C8-FAD6-4885-B271-0DC5A584ADF8}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{D6B0E4C9-FAD6-4885-B271-0DC5A584ADF8}]
""="IMessengerConversationWnd"

[HKEY_CLASSES_ROOT\Interface\{D6B0E4C9-FAD6-4885-B271-0DC5A584ADF8}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D6B0E4C9-FAD6-4885-B271-0DC5A584ADF8}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{D6B0E4C9-FAD6-4885-B271-0DC5A584ADF8}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{E1AF1028-B884-44cb-A535-1C3C11A3D1DB}]
""="IMessengerGroups"

[HKEY_CLASSES_ROOT\Interface\{E1AF1028-B884-44cb-A535-1C3C11A3D1DB}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{E1AF1028-B884-44cb-A535-1C3C11A3D1DB}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{E1AF1028-B884-44cb-A535-1C3C11A3D1DB}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{E1AF1038-B884-44cb-A535-1C3C11A3D1DB}]
""="IMessengerGroup"

[HKEY_CLASSES_ROOT\Interface\{E1AF1038-B884-44cb-A535-1C3C11A3D1DB}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{E1AF1038-B884-44cb-A535-1C3C11A3D1DB}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{E1AF1038-B884-44cb-A535-1C3C11A3D1DB}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{E7479A0D-BB19-44a5-968F-6F41D93EE0BC}]
""="IMessengerContacts"

[HKEY_CLASSES_ROOT\Interface\{E7479A0D-BB19-44a5-968F-6F41D93EE0BC}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{E7479A0D-BB19-44a5-968F-6F41D93EE0BC}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{E7479A0D-BB19-44a5-968F-6F41D93EE0BC}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

[HKEY_CLASSES_ROOT\Interface\{E7479A0F-BB19-44a5-968F-6F41D93EE0BC}]
""="IMessengerContact"

[HKEY_CLASSES_ROOT\Interface\{E7479A0F-BB19-44a5-968F-6F41D93EE0BC}\ProxyStubClsid]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{E7479A0F-BB19-44a5-968F-6F41D93EE0BC}\ProxyStubClsid32]
""="{00020424-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\Interface\{E7479A0F-BB19-44a5-968F-6F41D93EE0BC}\TypeLib]
""="{E02AD29E-80F5-46c6-B416-9B3EBDDF057E}"
"Version"="1.0"

siskara
2009-06-11, 14:51
So in that way I can copy and paste it into my message....

siskara
2009-06-11, 23:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:03, on 11.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60343
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60343
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60343
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60343
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60343
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://watson.microsoft.com/dw/dcp.asp?CLCID=1033&EXENAME=cli.exe&BRAND=WINDOWS
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Preuzmi odabrano Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Preuzmi sa Free Download Managerom - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Preuzmi sve sa Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF16863-5FF5-4227-9826-9F34B36E60B6}: NameServer = 85.255.114.51 85.255.112.158
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6989 bytes

shelf life
2009-06-12, 00:52
OK. We will get another download to use. I would suggest reading the guide on another computer that isn't infected, if that's possible.
The tool is called Combofix. Read the guide, download Combofix to your desktop, disable any antivirus and anti-malware that might be running, double-click the Combofix icon on your desktop and follow the prompts. Post the Combofix log.

The guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
The download links are in the guide.

If you can't download it, then we will try something else. Are you able to use another computer for downloading?

siskara
2009-06-12, 19:30
ComboFix 09-06-11.06 - Administrator 12.06.2009 18:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.715 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090611-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-11 21:29 . 2009-06-11 21:29 1915520 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-09 23:01 . 2009-06-09 23:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 23:00 . 2009-06-09 23:00 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 07:56 . 2009-06-07 07:56 -------- d-----w- c:\program files\Trend Micro
2009-06-04 19:33 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-04 19:33 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-04 19:33 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-04 19:33 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-04 19:33 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-04 19:33 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-04 19:33 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-04 19:33 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-04 19:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-04 19:32 . 2009-06-04 19:32 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 16:13 . 2008-02-16 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-06-12 16:04 . 2008-04-12 15:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-06-09 23:02 . 2007-10-25 20:22 -------- d-----w- c:\program files\Java
2009-06-08 16:49 . 2009-05-08 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-04 20:39 . 2008-12-29 17:51 -------- d-----w- c:\program files\WinClamAVShield
2009-05-28 18:47 . 2008-07-11 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-05-28 18:19 . 2009-05-12 19:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-05-26 11:20 . 2009-05-08 22:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 11:19 . 2009-05-08 22:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-20 22:16 . 2008-01-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-20 22:12 . 2008-04-12 15:04 -------- d-----w- c:\program files\Spyware Terminator
2009-05-13 19:58 . 2008-02-16 21:01 -------- d-----w- c:\program files\Free Download Manager
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 21:45 . 2006-10-20 17:08 44112 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 20:26 . 2006-10-20 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-03 00:33 . 2008-01-01 14:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\program files\MSSOAP
2009-04-18 12:47 . 2006-10-20 17:11 -------- d-----w- c:\program files\Valve
.

------- Sigcheck -------

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2002-08-29 01:58 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\system32\dllcache\tcpip.sys
[-] 2006-04-20 11:51 359808 B4E29943B4B04BD5E7381546848E6669 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-05-08 1783808]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Free Download Manager\\fdmwi.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4.6.2009 21:33 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [12.4.2008 17:05 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4.6.2009 21:33 20560]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [29.6.2007 16:32 611584]
S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [23.8.2001 14:00 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 11:31 98328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\Free Download Manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\Free Download Manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\Free Download Manager\dlall.htm
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 18:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1801674531-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-12 18:21
ComboFix-quarantined-files.txt 2009-06-12 16:21

Pre-Run: 27.582.144.512 bytes free
Post-Run: 27.570.438.144 bytes free

157 --- E O F --- 2007-12-21 18:34

siskara
2009-06-12, 22:09
I did not have any message for installing the Windows Recovery Console (what is that anyway?); I tried to install it from the Microsoft web page, but it is blank.

Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

[Image: ComboFix Recovery Console]

At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console. Once it has finished installing, you will be presented with the screen shown below.

[Image: ComboFix Recovery Console Finished]

You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. When it is done, and a log has been created, you can then perform the manual install of the Recovery Console using the steps found in the Manually installing the Windows Recovery Console section.

ComboFix will now disconnect your computer from the Internet

shelf life
2009-06-13, 03:08
Hi,

The Windows Recovery Console is a command-line shell for doing certain tasks without booting fully into the Windows environment.
Did you try installing it by clicking Yes to have Combofix download it and install it for you? You did not get a message from Combofix saying that it wasn't installed?

As for the malware on your machine, we are not making much progress. Your web browsing is being redirected; that's why you can't get to certain web pages. Malwarebytes, in my past experience, is capable of removing this trojan. I don't know why it's not removing yours. Combofix also did not remove any malware, and I don't recognize any malware in the log.
It's best to remove malware as soon as possible; an infection that drags on for whatever reason is not good. Malware on a machine will "fetch" more malware. I would use the machine as little as possible and, when not in use, unplug your modem and/or router so there is no network connectivity.

Run Combofix again and see if you get the message about installing the Recovery Console.
We will also get another download to use. It's called SDFix; it only runs in Safe Mode. Link and directions for SDFix:

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt in your reply.
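
One defender-side check that the redirection diagnosis above rests on: the O17 lines in the posted HijackThis log list a per-interface NameServer pair that does not match the resolvers in the global Tcpip\Parameters key. The script below is an added example (not code from the forum, Spybot or HijackThis) that parses O17 lines and flags any resolver outside an allowlist; using the 208.67.x.x addresses from the log as that allowlist is an assumption made for the example.

```python
"""Flag DNS hijack indicators in HijackThis O17 lines.

Added example for this thread; it is not code from the forum, Spybot or
HijackThis. O17 lines report the NameServer values found in the per-interface
and global Tcpip registry keys. A DNS-changing infection plants its own
resolvers there, so lookups for sites such as safer-networking.org fail or are
redirected. The check compares each listed resolver with the ones the machine
owner is known to use.
"""
import ipaddress
import re

# Resolvers the owner actually configured. 208.67.220.220 / 208.67.222.222 are
# the servers in the global Tcpip\Parameters line of the posted log; treating
# them as the allowlist is an assumption made for this example.
KNOWN_GOOD = frozenset({"208.67.220.220", "208.67.222.222"})

# Constructed sample: the three O17 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF16863-5FF5-4227-9826-9F34B36E60B6}: NameServer = 85.255.114.51 85.255.112.158
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
"""

# Shape of an O17 line: "O17 - <registry key>: NameServer = <ip>[,<ip> or <ip> <ip>]"
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates multiple servers with a comma or a space.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append((m.group("key"), servers))
    return entries


def suspicious_resolvers(log_text, known_good=KNOWN_GOOD):
    """Map registry key -> resolvers that are not in the allowlist.

    A value that is not a valid IP address is reported as well: a NameServer
    entry that does not parse deserves a look just as much as a strange one.
    """
    findings = {}
    for key, servers in parse_o17(log_text):
        unexpected = []
        for server in servers:
            try:
                normalized = str(ipaddress.ip_address(server))
            except ValueError:
                unexpected.append(server)
                continue
            if normalized not in known_good:
                unexpected.append(normalized)
        if unexpected:
            findings[key] = unexpected
    return findings


if __name__ == "__main__":
    # On the sample log only the per-interface key is reported.
    for key, servers in suspicious_resolvers(SAMPLE_LOG).items():
        print(f"{key}: unexpected NameServer {', '.join(servers)}")
```

The same allowlist comparison applies to any later log from the same machine: once the hijacked interface entry is gone, the function returns an empty mapping.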

siskara
2009-06-13, 18:25
I did not have a pop-up window (ComboFix attached example in my previous message) with the question to install WRC ....

Here below is the report of SDFix:


SDFix: Version 1.240
Run by Administrator on sub 13.06.2009 at 17:00

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 17:12:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf]
"DisplayName"="Task Installer"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\itxlf.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ekqwsf]
"DisplayName"="Task Installer"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ekqwsf\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\itxlf.dll"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG10.00.00.01WORKSTATION"="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"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"="C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe:*:Disabled:Ad-Aware SE Personal"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Disabled:DNA"
"C:\\Program Files\\Free Download Manager\\fdmwi.exe"="C:\\Program Files\\Free Download Manager\\fdmwi.exe:*:Disabled:FDM remote control server"
"C:\\Program Files\\Free Download Manager\\fdm.exe"="C:\\Program Files\\Free Download Manager\\fdm.exe:*:Disabled:Free Download Manager"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Disabled:Half-Life Launcher"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe:*:Disabled:Nero Home"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Mon 16 Apr 2007 89,280 A.SHR --- "C:\WINDOWS\system32\itxlf.dll"

Finished!

:thanks:

shelf life
2009-06-14, 01:49
hi,

See if you can locate this .dll in the system32 dir. If so, you can upload it to a web site:

itxlf.dll

located here:
C:\WINDOWS\system32 (C:\WINDOWS\system32\itxlf.dll)

You can go to this website, browse for the file on your computer and click the Send button to upload it. After the scan is done you can copy/paste the URL (http://....) in your reply.

upload file here:
http://www.virustotal.com/

We will also get another download to use:

Please download: RootRepeal

http://rootrepeal.googlepages.com/RootRepeal.zip

Extract the file to your desktop.
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

siskara
2009-06-15, 14:54
Virustotal.com is a blank page.

This file itxfl.dll is 7 years old; I don't think that is a problem...

RootRepeal has some problems; it cannot scan files and hidden services...

siskara
2009-06-15, 21:48
it's wos on special, so then it can't scan files and hidden services

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/06/15 20:42
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA91D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D7C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9CE1000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d606

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d05a

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1cd3c

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1e652

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1ce46

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1cf30

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2014c

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d8cc

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d362

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2064e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2008c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab200f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2076e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2072e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1cbba

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d814

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d494

Hidden Services
-------------------
Service Name: ekqwsf
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

==EOF==

siskara
2009-06-15, 23:45
File itxfl.dll is active / running even if the network connection is broken or in safe mode; this is an important system file, so I can't copy it to the desktop or upload it here....

siskara
2009-06-15, 23:48
Hidden Services
-------------------
Service Name: ekqwsf
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs


But I don't think that is a virus... :fear:

siskara
2009-06-15, 23:51
svchost.exe

Generic Host Process for Win32 Services

But this file was created a long time ago: 4 August 2004, 0:56:58

siskara
2009-06-15, 23:56
Maybe the virus is in the modem?

:funny:

shelf life
2009-06-16, 00:22
OK, thanks for all the info. Not making any progress. I am trying hard to find any malware in all your logs. The only clue is you can't get to certain websites and an IP address (fake server) 85... in the HJT log. That's a well-known IP range that will redirect web pages; normally it's no problem for Malwarebytes to remove.

Do you use a router? It's possible the malware could have changed your DNS settings in the router itself, if you are using the default and well-known login/password for the router. Log in to the router and check its DNS settings.

Does your antivirus update OK?

We will get another download, DDS:

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.

Disable any script blocking protection.
Double click dds.scr to run the tool. When done, DDS.txt will open. Save both reports
to your desktop. Copy/paste the first report in your reply. Don't post attach.txt.

siskara
2009-06-16, 19:04
DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 18:02:11,20 on uto 16.06.2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.674 [GMT 2:00]

AV: avast! antivirus 4.8.1335 [VPS 090615-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ba/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SpywareTerminator] "c:\progra~1\spywar~1\SpywareTerminatorShield.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
dPolicies-explorer: NoFileUrl = 0 (0x0)
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\free download manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\free download manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\free download manager\dlall.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {7AF16863-5FF5-4227-9826-9F34B36E60B6} = 85.255.114.51 85.255.112.158
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-4 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-4-12 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-4 138680]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-4 352920]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [2007-6-29 611584]
S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
S2 ekqwsf;Task Installer;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-4 254040]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\windows live\messenger\usnsvc.exe [2007-10-18 98328]

=============== Created Last 30 ================

2009-06-13 16:56 <DIR> --d----- c:\windows\ERUNT
2009-06-13 16:53 <DIR> --d----- C:\SDFix
2009-06-12 21:33 244 a---h--- C:\sqmnoopt01.sqm
2009-06-12 21:33 232 a---h--- C:\sqmdata01.sqm
2009-06-12 18:23 <DIR> --ds---- c:\windows\Cookies
2009-06-12 18:14 161,792 a------- c:\windows\SWREG.exe
2009-06-12 18:14 155,136 a------- c:\windows\PEV.exe
2009-06-12 18:14 98,816 a------- c:\windows\sed.exe
2009-06-10 01:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-07 10:45 244 a---h--- C:\sqmnoopt00.sqm
2009-06-07 10:45 232 a---h--- C:\sqmdata00.sqm
2009-06-07 09:56 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2007-04-16 17:52 89,280 a--shr-- c:\windows\system32\itxlf.dll

============= FINISH: 18:03:02,42 ===============

siskara
2009-06-16, 19:05
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 20.10.2006 17:20:07
System Uptime: 16.6.2009 17:57:02 (1 hours ago)

Motherboard: | | P4X400-8235
Processor: Intel(R) Celeron(R) CPU 2.40GHz | Socket 478 | 2424/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 25,539 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2: 12.6.2009 18:32:43 - Kontrolna točka sustava
RP3: 14.6.2009 0:26:04 - Kontrolna točka sustava

==== Installed Programs ======================

ACDSee 10 Photo Manager
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HydraVision
avast! Antivirus
CCleaner (remove only)
Counter-Strike 1.6
DNA
Free Download Manager 2.5 Language pack
Glary Utilities 2.2.2.66
HijackThis 2.0.2
i-Look 111
iTunes
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Nero 8
neroxml
Oblivion
Realtek AC'97 Audio
RTLSetup for Realtek RTL8139/810x Family NIC 3.00
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Skype 3.8
Spyware Terminator
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VCRedistSetup
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows paket jezičnog sučelja
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Windows XP SP2 LIP update
WinRAR archiver
WinZip 11.1

==== Event Viewer Messages From Past Week ========

15.6.2009 21:13:50, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
15.6.2009 21:13:40, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
15.6.2009 20:33:16, error: Server [2505] - The server could not bind to the transport \Device\NetbiosSmb because another computer on the network has the same name. The server could not start.
15.6.2009 13:27:21, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
13.6.2009 16:57:01, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sp_rsdrv2 Tcpip
13.6.2009 16:57:01, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:57:01, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:57:01, error: Service Control Manager [7001] - The IP Traffic Filter Driver service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:57:01, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:57:01, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:56:16, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
13.6.2009 16:56:03, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
13.6.2009 16:56:01, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12.6.2009 18:46:37, error: Service Control Manager [7023] - The Task Installer service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
12.6.2009 18:42:18, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service NMIndexingService with arguments "" in order to run the server: {E8933C4B-2C90-4A04-A677-E958D9509F1A}
12.6.2009 18:15:13, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
11.6.2009 22:25:36, error: Service Control Manager [7023] - The Akamai service terminated with the following error: The specified module could not be found.

==== End Of File ===========================

siskara
2009-06-16, 19:06
avast update is OK, always

siskara
2009-06-16, 23:02
And see what BLADE81 wrote... I'm afraid... :sick:

siskara
2009-06-17, 00:32
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-16 23:26:08
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xAAC1D606]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xAAC1D05A]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xAAC1CD3C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xAAC1E652]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xAAC1CE46]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xAAC1CF30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAA6A14C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xAAC1D8CC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xAAC1D362]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAA6A64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAA6A08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAA6A0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAA6A76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAA6A72E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xAAC1CBBA]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xAAC1D814]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xAAC1D494]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[928] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 00D89DC4
.text C:\WINDOWS\System32\svchost.exe[928] NETAPI32.dll!NetpwPathCanonicalize 5B86A0F9 5 Bytes JMP 00D89D64
.text C:\WINDOWS\System32\svchost.exe[988] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 007F9DC4

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ekqwsf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@DisplayName Task Installer
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters@ServiceDll C:\WINDOWS\system32\itxlf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@DisplayName Task Installer
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf\Parameters
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf\Parameters@ServiceDll C:\WINDOWS\system32\itxlf.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 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

---- EOF - GMER 1.0.15 ----

:rockon:

shelf life
2009-06-17, 00:51
hi,

OK, thanks for all the info. GMER was going to be next. I am not familiar with that rootkit; it was back in the RootRepeal log:

Service Name: ekqwsf
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Now the bad news: rootkits can hide from traditional malware tools, as all this posting shows. Once a machine has been compromised to this extent, the best thing to do is reformat/reinstall Windows. The machine can no longer be trusted.

This MS advice is from 2004 but is still true:
http://technet.microsoft.com/en-us/library/cc512587.aspx
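As an added example (not code from SDFix, DDS, GMER or ComboFix, and not something the helper posted), here is a small Python triage script for the two signals shelf life has been pointing at in this thread: the fake DNS server addresses in the 85.255 range from the DDS log, and the hidden ekqwsf service whose ServiceDll is a hidden+system file in system32 while its description is copied word for word from the built-in Computer Browser service. The sample log text is reconstructed from the lines quoted earlier in the thread; the second (benign) DNS entry, the 85.255.112.0/20 range and the one-entry description table are assumptions to be replaced with your own policy.

```python
"""Triage of SDFix/DDS-style log text: added example, not code from SDFix,
DDS, GMER or ComboFix.  SAMPLE_SDFIX and SAMPLE_DDS are reconstructed from
the log lines quoted in this thread (plus one constructed benign DNS entry);
the two tables below are assumptions to be replaced with your own policy."""
import ipaddress
import re

# Built-in service descriptions that malware copies verbatim to blend in.
# Assumption: the Computer Browser text alone is enough for this demo.
KNOWN_DESCRIPTIONS = {
    "Maintains an updated list of computers on the network and supplies this "
    "list to computers designated as browsers. If this service is stopped, "
    "this list will not be updated or maintained. If this service is "
    "disabled, any services that explicitly depend on it will fail to start.":
    "Browser",
}
# Assumption: the "well known ip range" of fake DNS servers the helper means.
SUSPICIOUS_DNS = [ipaddress.ip_network("85.255.112.0/20")]

_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)"
                     r"\\Services\\([^\\\]]+)(?:\\Parameters)?\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')
_HIDDEN_RE = re.compile(r'^\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+[\d,]+\s+(\S+)\s+---\s+"([^"]+)"$')
_TCP_RE = re.compile(r"^TCP:\s*\{[0-9A-Fa-f-]+\}\s*=\s*(.+)$")


def parse_services(text):
    """{service: {value_name: value}} from SDFix registry dumps; CurrentControlSet,
    ControlSetNNN and the Parameters subkey of one service merge into one record."""
    services, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = _KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
        elif not line:
            current = None                       # a blank line closes the key
        elif current is not None:
            val = _VAL_RE.match(line)
            if val:
                value = val.group(2)
                if value.startswith("str(2):"):  # SDFix's REG_EXPAND_SZ prefix
                    value = value[len("str(2):"):]
                current[val.group(1)] = value.strip('"')
    return services


def parse_hidden_files(text):
    """{lowercased path: attribute flags} from the 'Files with Hidden Attributes' list."""
    return {m.group(2).lower(): m.group(1)
            for m in map(_HIDDEN_RE.match, (l.strip() for l in text.splitlines())) if m}


def parse_dns_servers(text):
    """DNS server addresses from DDS 'TCP: {interface-guid} = ip ip' lines."""
    servers = []
    for line in (l.strip() for l in text.splitlines()):
        m = _TCP_RE.match(line)
        if m:
            for tok in m.group(1).split():
                try:
                    servers.append(ipaddress.ip_address(tok))
                except ValueError:
                    pass                         # not an address, skip it
    return servers


def triage(sdfix_text, dds_text):
    """Return [(severity, message)] for the signals worth escalating."""
    findings = []
    hidden = parse_hidden_files(sdfix_text)
    for name, vals in parse_services(sdfix_text).items():
        builtin = KNOWN_DESCRIPTIONS.get(vals.get("Description", ""))
        if builtin and builtin.lower() != name.lower():
            findings.append(("high", f"service {name} ({vals.get('DisplayName', '?')}) "
                                     f"reuses the description of the built-in {builtin} service"))
        dll = vals.get("ServiceDll", "")
        if dll and "svchost.exe" in vals.get("ImagePath", "").lower():
            attrs = hidden.get(dll.lower(), "")
            if "H" in attrs and "S" in attrs:    # hidden + system attributes both set
                findings.append(("high", f"svchost-hosted service {name} loads {dll}, "
                                         f"which carries attributes {attrs}"))
    for ip in parse_dns_servers(dds_text):
        if any(ip in net for net in SUSPICIOUS_DNS):
            findings.append(("high", f"DNS server {ip} is inside a range known for redirecting web pages"))
    return findings


SAMPLE_SDFIX = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf]
"DisplayName"="Task Installer"
"Type"=dword:00000020
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"Description"="Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\itxlf.dll"

Files with Hidden Attributes :

Mon 16 Apr 2007 89,280 A.SHR --- "C:\WINDOWS\system32\itxlf.dll"
"""
# First line is from the thread's DDS log; the second is a constructed benign entry.
SAMPLE_DDS = """
TCP: {7AF16863-5FF5-4227-9826-9F34B36E60B6} = 85.255.114.51 85.255.112.158
TCP: {00000000-0000-0000-0000-000000000000} = 192.168.1.1
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_SDFIX, SAMPLE_DDS):
        print(f"[{severity}] {message}")
```

Run it as-is to see the four findings for the thread's logs; to use it on your own SDFix and DDS output, pass the file contents to triage() in place of the samples. The point of the description check is that a service name you have never seen, paired with a description you have, is a stronger tell than either on its own.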

siskara
2009-06-19, 02:06
I will ask my colleague to help me refresh the modem / router cross network and set it up again....

These few web pages don't bother me so much; I will not reinstall Windows because of that stupid virus....

I still have access to my favorite web pages and the PC is quite fast...

thanks...

:greeting:

shelf life
2009-06-19, 05:01
hi siskara,

Resetting your router won't do any good. You have a rootkit on your machine.
This isn't like adware or something; it's a potential gateway to your machine, network and everything on them. You could be "pwnd". Your machine could be used to relay spam, for communications or directed attacks against others. Your own personal and financial well-being could be at risk.

I would reformat/reinstall Windows, If you dont want to do that then i will attempt to help you remove it using combofix if you want.

siskara
2009-06-19, 19:46
svchost.exe: task manager - in process:

svchost.exe - local service - 4.452 K
svchost.exe - network service - 4.080 K
svchost.exe - system - 19.096 K
svchost.exe - network service - 4.204 K
svchost.exe - system - 4.8024 K
svchost.exe - system - 4.620 K

when I try to shut down a process, nothing happens (still some web pages are blank), some of these svchost.exe can't be shut down (important system file), some of them when I shut them down - put up a pop up window: 30 sec until shutdown PC and then the PC after the countdown shuts down!

I don't have any financial information and did not give anyone my bank account or something like that, which I never use on the PC.

If some file is hidden that could mean that the file is very important to the system, not necessarily that it could be a virus.

I've heard that a router can have viruses also, because our main server in one bigger city is not quite well protected!

We will harm the PC if we somehow delete svchost.exe; did you find something else strange in these reports?

siskara
2009-06-19, 19:50
And ask him a favor to look at my reports?:thanks:

siskara
2009-06-19, 19:52
Spybot with a virus base???? even an old version will help I think, because that is the best spyware, adware, antivirus scanner and removal!
:crowned:

shelf life
2009-06-21, 00:07
we will use combofix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

File::
C:\WINDOWS\system32\itxlf.dll

NetSvcs::
ekqwsf

Name the Notepad file CFScript.txt and Save it to your desktop.
Now locate the file you just saved and the combofix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the combofix icon and release; combofix will run and produce a new log.
Please post the new combofix log.

siskara
2009-06-22, 00:18
remember this? "I forgot to write that one option is missing on desktop right click - properties: no desktop option (where you can choose background) and there is customise desktop option where you can choose 4 main icons - no such option."

I have that option now, don't know when it started to work.... sorry...

But we are making some progress.

siskara
2009-06-22, 00:35
ComboFix 09-06-20.04 - Administrator 21.06.2009 23:23.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.696 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090620-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\itxlf.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\itxlf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ekqwsf
-------\Service_ekqwsf


((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.

2009-06-16 18:58 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-06-13 14:56 . 2009-06-13 14:57 -------- d-----w- c:\windows\ERUNT
2009-06-13 14:53 . 2009-06-13 15:15 -------- d-----w- C:\SDFix
2009-06-12 16:23 . 2009-06-12 16:23 -------- d-s---w- c:\windows\Cookies
2009-06-11 21:29 . 2009-06-11 21:29 1915520 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-09 23:01 . 2009-06-09 23:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 23:00 . 2009-06-09 23:00 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 07:56 . 2009-06-07 07:56 -------- d-----w- c:\program files\Trend Micro
2009-06-04 19:33 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-04 19:33 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-04 19:33 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-04 19:33 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-04 19:33 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-04 19:33 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-04 19:33 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-04 19:33 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-04 19:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-04 19:32 . 2009-06-04 19:32 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 19:54 . 2008-12-29 17:51 -------- d-----w- c:\program files\WinClamAVShield
2009-06-16 19:54 . 2008-04-12 15:04 -------- d-----w- c:\program files\Spyware Terminator
2009-06-16 19:54 . 2008-04-12 15:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-06-14 18:30 . 2008-07-11 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-06-14 18:30 . 2009-05-12 19:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-06-12 16:13 . 2008-02-16 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-06-09 23:02 . 2007-10-25 20:22 -------- d-----w- c:\program files\Java
2009-06-08 16:49 . 2009-05-08 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 11:20 . 2009-05-08 22:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 11:19 . 2009-05-08 22:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-20 22:16 . 2008-01-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-13 19:58 . 2008-02-16 21:01 -------- d-----w- c:\program files\Free Download Manager
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 21:45 . 2006-10-20 17:08 44112 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 20:26 . 2006-10-20 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-03 00:33 . 2008-01-01 14:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\program files\MSSOAP
.

((((((((((((((((((((((((((((( SnapShot@2009-06-12_16.18.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-21 21:27 . 2009-06-21 21:27 16384 c:\windows\Temp\Perflib_Perfdata_658.dat
+ 2009-06-21 21:27 . 2009-06-21 21:27 16384 c:\windows\Temp\Perflib_Perfdata_4c0.dat
- 2009-05-31 21:34 . 2009-05-31 21:34 29926 c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-06-12 19:30 . 2009-06-12 19:30 29926 c:\windows\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2009-06-12 16:23 . 2009-06-12 16:06 16384 c:\windows\Cookies\index.dat
+ 2007-01-31 13:33 . 2007-01-31 13:33 5632 c:\windows\system32\drivers\avgarkt.sys
+ 2009-06-13 14:57 . 2009-06-13 14:57 385024 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2009-06-13 14:57 . 2008-08-07 13:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2009-06-13 14:57 . 2009-06-13 14:57 385024 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-06-13 14:57 . 2008-08-07 13:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-06-13 14:57 . 2009-06-13 14:57 8282112 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
+ 2009-06-13 14:57 . 2009-06-13 14:57 8282112 c:\windows\ERUNT\SDFIX\Users\00000001\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"SpywareTerminator"="c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe" [2009-05-08 1783808]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Free Download Manager\\fdmwi.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2604:TCP"= 2604:TCP:cocrho

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4.6.2009 21:33 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [12.4.2008 17:05 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4.6.2009 21:33 20560]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [29.6.2007 16:32 611584]
S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [23.8.2001 14:00 14336]
S2 ekqwsf;Task Installer;c:\windows\system32\svchost.exe -k netsvcs [23.8.2001 14:00 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 11:31 98328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ekqwsf
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\Free Download Manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\Free Download Manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\Free Download Manager\dlall.htm
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 23:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekqwsf]
"ServiceDll"="c:\windows\system32\itxlf.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1801674531-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-21 23:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-21 21:33
ComboFix2.txt 2009-06-21 21:12
ComboFix3.txt 2009-06-12 16:38
ComboFix4.txt 2009-06-12 16:21

Pre-Run: 27.353.030.656 bytes free
Post-Run: 27.259.138.048 bytes free

196 --- E O F --- 2007-12-21 18:34

siskara
2009-06-22, 02:21
:bigthumb:virustotal and some others web pages are now ok, but safer-networking, malwarebytes, nod 32 - eset, and some more are still blocked....
:confused:

shelf life
2009-06-22, 05:25
ok, run GMER again:

double-click the gmer icon to start.
if you get a message box that says:

warning!!
Gmer has found system modification....
do you want to fully scan your system?

--->select NO<---

then click on the "scan" button
Don't check the 'show all' option
gmer will scan computer.
If you get a Rootkit warning window during the scan: click OK
When finished click "Save" to save log to your desktop
Copy/Paste the saved Gmer log in your reply.

siskara
2009-06-24, 01:20
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-24 00:19:53
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xAACC9606]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xAACC905A]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xAACC8D3C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xAACCA652]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xAACC8E46]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xAACC8F30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAABCC14C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xAACC98CC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xAACC9362]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAABCC64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAABCC08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAABCC0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAABCC76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAABCC72E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xAACC8BBA]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xAACC9814]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xAACC9494]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ekqwsf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@DisplayName Task Installer
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters@ServiceDll C:\WINDOWS\system32\itxlf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@DisplayName Task Installer
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf\Parameters
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf\Parameters@ServiceDll C:\WINDOWS\system32\itxlf.dll

---- EOF - GMER 1.0.15 ----

shelf life
2009-06-24, 02:13
ok we will use combofix again;

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

File::
C:\WINDOWS\system32\itxlf.dll

Driver::
ekqwsf

NetSvcs::
ekqwsf

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekqwsf]

Name the Notepad file CFScript.txt and Save it to your desktop.
Now locate the file you just saved and the combofix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the combofix icon and release; combofix will run and produce a new log when finished. Post the new combofix log.

siskara
2009-06-24, 18:29
ComboFix 09-06-20.04 - Administrator 24.06.2009 17:16.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.704 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090623-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\itxlf.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EKQWSF
-------\Service_ekqwsf


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-23 20:46 . 2004-08-03 21:10 38912 -c--a-w- c:\windows\system32\dllcache\avc.sys
2009-06-23 20:45 . 2001-08-17 12:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-06-23 20:44 . 2001-08-17 12:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-06-16 18:58 . 2007-01-18 12:00 3968 ----a-w- c:\windows\system32\drivers\AvgArCln.sys
2009-06-13 14:56 . 2009-06-13 14:57 -------- d-----w- c:\windows\ERUNT
2009-06-13 14:53 . 2009-06-13 15:15 -------- d-----w- C:\SDFix
2009-06-12 16:23 . 2009-06-12 16:23 -------- d-s---w- c:\windows\Cookies
2009-06-11 21:29 . 2009-06-11 21:29 1915520 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-09 23:01 . 2009-06-09 23:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 23:00 . 2009-06-09 23:00 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 07:56 . 2009-06-07 07:56 -------- d-----w- c:\program files\Trend Micro
2009-06-04 19:33 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-04 19:33 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-04 19:33 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-04 19:33 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-04 19:33 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-04 19:33 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-04 19:33 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-04 19:33 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-04 19:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-04 19:32 . 2009-06-04 19:32 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 23:59 . 2008-12-29 17:51 -------- d-----w- c:\program files\WinClamAVShield
2009-06-21 23:56 . 2008-04-12 15:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-06-21 23:56 . 2008-04-12 15:04 -------- d-----w- c:\program files\Spyware Terminator
2009-06-21 23:53 . 2008-01-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-06-14 18:30 . 2008-07-11 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-06-14 18:30 . 2009-05-12 19:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-06-12 16:13 . 2008-02-16 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-06-09 23:02 . 2007-10-25 20:22 -------- d-----w- c:\program files\Java
2009-06-08 16:49 . 2009-05-08 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-26 11:20 . 2009-05-08 22:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 11:19 . 2009-05-08 22:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-13 19:58 . 2008-02-16 21:01 -------- d-----w- c:\program files\Free Download Manager
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 21:45 . 2006-10-20 17:08 44112 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 20:26 . 2006-10-20 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-03 00:33 . 2008-01-01 14:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\program files\MSSOAP
.

------- Sigcheck -------

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2002-08-29 01:58 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\system32\dllcache\tcpip.sys
[-] 2006-04-20 11:51 359808 B4E29943B4B04BD5E7381546848E6669 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-05-08 1783808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\hl.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4.6.2009 21:33 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [12.4.2008 17:05 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4.6.2009 21:33 20560]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [29.6.2007 16:32 611584]
S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [23.8.2001 14:00 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 11:31 98328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
uInternet Settings,ProxyOverride = *.local
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\Free Download Manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\Free Download Manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\Free Download Manager\dlall.htm
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 17:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1801674531-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-24 17:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 15:27
ComboFix2.txt 2009-06-21 21:34
ComboFix3.txt 2009-06-21 21:12
ComboFix4.txt 2009-06-12 16:38
ComboFix5.txt 2009-06-24 15:14

Pre-Run: 27.283.005.440 bytes free
Post-Run: 27.268.726.784 bytes free

165 --- E O F --- 2007-12-21 18:34

siskara
2009-06-24, 18:35
Do we have to run Gmer again?

siskara
2009-06-24, 18:51
All this time I haven't had updates; instead of a blank page, the internet browser gives me the Google main page in English, but the http://update.microsoft.com/ address is up in the address bar.... and below on the page is something else....

shelf life
2009-06-25, 02:24
Yes Gmer once again.

siskara
2009-06-26, 21:38
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-26 20:37:29
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xAAC1D606]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xAAC1D05A]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xAAC1CD3C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xAAC1E652]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xAAC1CE46]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xAAC1CF30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAB2014C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xAAC1D8CC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xAAC1D362]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAB2064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAB2008C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAB200F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAB2076E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAB2072E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xAAC1CBBA]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xAAC1D814]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xAAC1D494]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 6013BED46240E7E816847E01A76B661D583E6AA8CD94DE9705991B1A99C421A6EA7327FAE797D3E68270E7748E83223AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933BA7FD869164D6794A6A0AC4980AC7933FEBC9E127BECC74CA1AAF134A19346334F32F294DF176F45E439A07946096C955CC2981FDCACD795A93CC03AC6446DA4F4C08C2FAED0B094AB670B547AEAEFAC671ED14255AA8DC6969C2F360A1F9B7A80DEAE0A2ACFCB5896B8ECAC0556A72F92EB3CBFF487A0EFE9631B31F225698D8B63F5F2FEA626FEF062BE3CDB9065C880E44C5A17D77012BB69959460DDE1D7C168B121AF6F989E1D642B20446270C4E686AAB8E53750D5B7CDE3B182D2057A63CC612A1543707090FB92D95B970216918F33E4E34108849CF180BA6214C7B84636BD8CD844ED5153AD86CF908147545D0976CCE499D00F3DFC1846D63491FB5088B128791547C0844452C92874E337BD3939C492E35C8582D78CD18E49BE4EFEF1D9C0C95CA465D3C76D753AC9EC1EB62E7401E74BCAA1E5B1733B0CEC1E61E25F8A7E71C72387078C89E530DC6C096539D31C38FD35BC777C16C624C0F4079F84C86FEA845314F7A20A8E4C8F6120F66E389626ABA556DA6E711B8163FA396DD8D0038348BB9B93E505C9A1C6BC2BAC29B6502B8B1C1

---- EOF - GMER 1.0.15 ----

shelf life
2009-06-27, 14:43
Don't see any more reference to the rootkit. No guarantees. Check MBAM for updates and do a scan with it and post the log. Do you use Internet Explorer for browsing?

siskara
2009-06-28, 12:30
127.0.0.1 localhost
could be a virus

and also this below:

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION



Malwarebytes did not find anything, nothing....

siskara
2009-06-28, 12:31
but the situation is the same with Opera or Mozilla....

shelf life
2009-06-28, 14:40
System@OODEFRAG10.00.00.01WORKSTATION
I have no idea what that entry is about. I have found references to it and it appears to be harmless. A little late for this, but you should try installing the Windows RC.

see:
Manually installing the Windows Recovery Console
located here:
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

For IE you can try this:
Start > Settings > Control Panel > Internet Options >
Under the Advanced tab click on Reset Internet settings.

siskara
2009-06-28, 22:07
and it works, but it did not find anything....:sad:

shelf life
2009-06-29, 04:32
Did you try resetting IE?
You can also do this again:

Go to Start > Run and type in cmd
Click OK or press Enter.
At the blinking prompt _
copy/paste in what's below:



ipconfig /flushdns


You can also check your router's DNS settings and make sure they haven't been changed by the malware. This is possible if you are using the default login for your router and have never changed it.

siskara
2009-06-29, 21:01
I used to have IE7 before, and when this problem began I installed IE8, but after a few days I uninstalled IE, and it worked as the default IE (IE6).
Now after installing IE7 I reset the router, and ran ipconfig /flushdns.
I have Service Pack 2 and never thought that I need Service Pack 3 (because of another 500 MB of unnecessary files).
I can go to those web sites that you mentioned but can't download anything; after I press the download button, or if the download doesn't start and I press "here" (manually), the page is blank.

:bighug:

siskara
2009-06-29, 21:06
internet service and ask if these DNS numbers are OK:

85.255.114.51 - main
85.255.112.158 - reserve

siskara
2009-06-29, 21:09
but all is same like before.....


:confused::sad::red::oops::hair::buried::banghead::zombie::slap:

shelf life
2009-06-30, 02:09
Those IPs are being used for your DNS lookups; normally DNS is provided by your ISP, and malware has changed yours. They are redirecting your web browsing. Where are you seeing those? If those are from your router then I would set it back to its factory defaults and set up a new user name/password. The router vendor's website would have this information on resetting the router.
Or for now take the router out of the picture and connect the machine directly to the modem. Then get the updates. This would also be a check to see if all the on-board malware is gone. Also scan and post a new HJT log.
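As an added check (example code, not from the thread or from any of the tools it mentions): a small Python script that pulls the resolver addresses out of `ipconfig /all` output and flags any that fall outside the networks you trust. The sample output is constructed (only the two resolver addresses are the ones quoted in the thread), and 203.0.113.0/24 is a placeholder for your ISP's real resolver range.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output. The two resolver addresses are
# the ones quoted in the thread; everything else is made up.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 85.255.114.51
                                            85.255.112.158
"""

def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed in ipconfig /all output.
    Extra resolvers appear on indented continuation lines that carry only
    an address, so they are attached to the preceding 'DNS Servers' field."""
    servers = []
    in_dns = False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: *(\S*)", line)
        if m:
            in_dns = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if in_dns:
            cont = re.match(r"\s+(\d+\.\d+\.\d+\.\d+)\s*$", line)
            if cont:
                servers.append(cont.group(1))
                continue
            in_dns = False
    return servers

def find_rogue_resolvers(servers, trusted_networks):
    """Return every server that lies outside all trusted networks: your ISP's
    resolver range, your LAN (the router usually proxies DNS) and any public
    resolver you configured on purpose."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in trusted)]

if __name__ == "__main__":
    # 203.0.113.0/24 is a placeholder for your ISP's real resolver range.
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print("configured:", found, "rogue:",
          find_rogue_resolvers(found, ["192.168.0.0/16", "203.0.113.0/24"]))
```

Run the same check against the router's DNS page as well: a resolver that is neither your ISP's nor your own LAN address, while the IP settings are still on automatic, is the pattern described above.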

siskara
2009-07-01, 21:02
"Lists the DNS servers by IP address that this computer queries to resolve DNS domain names used on this computer. DNS servers are queried in the order in which they are listed here. The local setting is used only if the associated Group Policy is disabled or unspecified." (F1 help file)

"normally DNS is provided by your ISP, and malware has changed yours." - You are right!

Those numbers are from the router properties - Internet Protocol - and when I checked those numbers and called my friend, he told me that I should switch to: get DNS address automatically; the setting for IP address was on Automatic but for DNS it was on manual, and after switching to automatic.........



now all is OK! There are no addresses of the DNS servers previously used, none of those numbers anywhere, I can't find them. :wav:

Maybe this has some connection with our main Internet server because it's the 1st day of this month, and I heard that the main server has a refresh every month, but that is not important now; now all my problems are gone, I successfully upgraded Malwarebytes and Spybot and went to the Windows update site... :2thumb:

Now the only thing I should do is install the Recovery Console...

Thanks for your last post, that resolved the problem after all these days!

Thanks again.:angel:

shelf life
2009-07-03, 20:06
hi siskara,

OK good. Looks like you are all set now. You don't have to install the Recovery Console now. It's installed with ComboFix just in case it needs to be used for some reason. Most likely you would never have to use it on your own.

To remove ComboFix we will use another tool: OTM.
Download it to your desktop, double-click the icon to start. Click on the green Cleanup! button, select Yes to start.

http://www.infospyware.com/Software/click.php?id=61

One last thing is to make a new restore point. The how and why:

One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning ok.


To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.


2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK, then reboot


Last: some tips for reducing your risk of malware:


10 Tips for Reducing Your Risk To Malware:

The Short Version
In no special order:

1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) (Windows), browser (IE, FireFox) and other software up to date to "patch" vulnerabilities that could be exploited. This is also true for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here. (http://secunia.com/vulnerability_scanning/online/)

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer where you're then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, IRC, Chat Rooms or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software, media players or codecs to your computer--for any reason.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install and understand the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) Warez, cracks etc are very popular for carrying malware payloads. Avoid. If you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.

siskara
2009-07-04, 01:00
IE 8, service pack 3 .... etc....

I have done (and will keep in mind) all that you wrote...

I often use Disk Cleanup and CCleaner and Glary Utilities, and sometimes (once a month) I use the Disk Defragmenter.... :thanks: