Major Redirect problem/Won't open spybot
Hello,
So I have a major problem with my computer. It redirects me away from most adware and spybot search pages. Launches a browser window with advertisements and has played a few audio files in the background of my computer.
I can't open Spybot.
It says "Can't Connect to Server" with AdAware.
CCleaner will run and I have deleted some things with this.
Spyware Terminator will run and delete things, but doesn't help.
I have tried to download Malwarebytes Anti-Malware but it freezes during install. I have even tried doing it in "SAFE MODE" and saving it under a different exe name, but that doesn't help.
Fix Vundo - runs but doesn't help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:38 AM, on 7/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60347
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60347
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60347
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 3432 bytes
Please help. Mathers
Bio-Hazard
2009-07-24, 16:35
Hello and welcome to the forums!
My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
If you don't know or understand something please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.
No Reply Within 4 Days Will Result In Your Topic Being Closed!!
STEP 1
Download DDS
Please download DDS by sUBs from one of the links below and save it to your desktop:
Download DDS and save it to your desktop from:
Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)
Please disable any anti-malware program that will block scripts from running before running DDS.
Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
DDS.txt
Attach.txt
A window will open instructing you to save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply
STEP 2
RootRepeal - Rootkit Detector
Download RootRepeal.zip (http://rootrepeal.googlepages.com/RootRepeal.zip) and unzip it to your Desktop.
Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan
The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program
Next Reply
Please reply with:
DDS.txt
Attach.txt
RootRepeal.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-06-26.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/15/2008 11:20:25 AM
System Uptime: 7/25/2009 12:09:52 AM (0 hours ago)
Motherboard: Dell Inc. | | 0TT347
Processor: Intel(R) Core(TM)2 Duo CPU T5470 @ 1.60GHz | Microprocessor | 1180/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 146 GiB total, 25.25 GiB free.
D: is CDROM (CDFS)
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1490 Dual Band WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4312&SUBSYS_00071028&REV_01\4&AB208E&0&00E1
Manufacturer: Broadcom
Name: Dell Wireless 1490 Dual Band WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4312&SUBSYS_00071028&REV_01\4&AB208E&0&00E1
Service: BCM43XX
==== System Restore Points ===================
RP1: 7/22/2009 1:10:10 AM - System Checkpoint
RP2: 7/22/2009 1:10:11 AM - System Checkpoint
RP3: 7/22/2009 1:10:11 AM - Software Distribution Service 3.0
RP4: 7/22/2009 1:10:11 AM - System Checkpoint
RP5: 7/22/2009 1:10:11 AM - System Checkpoint
RP6: 7/22/2009 1:10:11 AM - System Checkpoint
RP7: 7/22/2009 1:10:12 AM - System Checkpoint
RP8: 7/22/2009 1:10:12 AM - System Checkpoint
RP9: 7/22/2009 1:10:12 AM - System Checkpoint
RP10: 7/22/2009 1:10:12 AM - System Checkpoint
RP11: 7/22/2009 1:10:13 AM - System Checkpoint
RP12: 7/22/2009 1:10:13 AM - System Checkpoint
RP13: 7/22/2009 1:10:13 AM - System Checkpoint
RP14: 7/22/2009 1:10:14 AM - Software Distribution Service 3.0
RP15: 7/22/2009 1:10:14 AM - Software Distribution Service 3.0
RP16: 7/22/2009 1:10:15 AM - System Checkpoint
RP17: 7/22/2009 1:10:15 AM - Software Distribution Service 3.0
RP18: 7/22/2009 1:10:15 AM - System Checkpoint
RP19: 7/22/2009 1:10:16 AM - System Checkpoint
RP20: 7/22/2009 1:10:16 AM - System Checkpoint
RP21: 7/22/2009 1:10:17 AM - System Checkpoint
RP22: 7/22/2009 1:10:17 AM - System Checkpoint
RP23: 7/22/2009 1:10:18 AM - System Checkpoint
RP24: 7/22/2009 1:10:18 AM - System Checkpoint
RP25: 7/22/2009 1:10:19 AM - System Checkpoint
RP26: 7/22/2009 1:10:19 AM - System Checkpoint
RP27: 7/22/2009 1:10:19 AM - System Checkpoint
RP28: 7/22/2009 1:10:20 AM - System Checkpoint
RP29: 7/22/2009 1:10:20 AM - System Checkpoint
RP30: 7/22/2009 1:10:20 AM - System Checkpoint
RP31: 7/22/2009 1:10:21 AM - Software Distribution Service 3.0
RP32: 7/22/2009 1:10:21 AM - System Checkpoint
RP33: 7/22/2009 1:10:22 AM - System Checkpoint
RP34: 7/22/2009 1:10:22 AM - System Checkpoint
==== Installed Programs ======================
==== Event Viewer Messages From Past Week ========
==== End Of File ===========================
And
DDS (Ver_09-06-26.01) - NTFSx86
Run by Matthew Brashear4 at 0:19:54.76 on Sat 07/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1338 [GMT -7:00]
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1335 [VPS 090724-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matthew Brashear4\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60347
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60347
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60347
uURLSearchHooks: N/A: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: {02F7A7EB-89F8-47FF-A75C-52C1060EC144} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: Crawler Search - tbr:iemenu
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: mgm-mirage.com\secure03
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-29 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-22 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-23 130936]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-24 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-29 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-29 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-24 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-24 138680]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-7-23 21904]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-7-23 826600]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-7-23 28560]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-24 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-24 352920]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-29 908568]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-29 298776]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-24 24652]
=============== Created Last 30 ================
2009-07-24 04:22 <DIR> --d----- c:\program files\Trend Micro
2009-07-24 03:18 <DIR> --d----- c:\program files\Safer Networking
2009-07-23 05:50 <DIR> --d----- c:\docume~1\matthe~1\applic~1\GetRightToGo
2009-07-23 05:10 <DIR> --d----- c:\program files\WinClamAVShield
2009-07-23 05:07 <DIR> --d----- c:\program files\Crawler
2009-07-23 05:07 <DIR> --d----- c:\docume~1\matthe~1\applic~1\Spyware Terminator
2009-07-23 05:07 <DIR> --d----- c:\program files\Spyware Terminator
2009-07-23 05:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-07-23 03:59 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 03:14 <DIR> --d----- c:\docume~1\matthe~1\applic~1\PC Tools
2009-07-23 03:13 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-23 03:13 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-07-23 03:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-22 06:51 <DIR> --d----- c:\program files\Panda Security
2009-07-22 04:24 <DIR> --d----- c:\program files\Webroot
2009-07-22 04:24 <DIR> --d----- c:\docume~1\matthe~1\applic~1\Webroot
2009-07-22 04:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-07-22 03:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-07-22 03:44 <DIR> --d----- c:\program files\common files\iS3
2009-07-22 03:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-07-22 03:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 03:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
==================== Find3M ====================
2008-12-26 13:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122620081227\index.dat
============= FINISH: 0:21:42.00 ===============
OK, I had a problem getting this to complete. It says "could not read system registry. Contact the author"
But here is what it came up with.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/25 00:28
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9C770000 Size: 778240 File Visible: No Signed: -
Status: -
Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xBA780000 Size: 2560 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5F74000 Size: 49152 File Visible: No Signed: -
Status: -
Stealth Objects
-------------------
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: winlogon.exe (PID: 752) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: winlogon.exe (PID: 752) Address: 0x00980000 Address: 49152
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: services.exe (PID: 800) Address: 0x00a80000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: services.exe (PID: 800) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: lsass.exe (PID: 812) Address: 0x00b10000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: lsass.exe (PID: 812) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 988) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 988) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 988) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UACbirtlropgx.dll]
Process: svchost.exe (PID: 988) Address: 0x00bc0000 Address: 73728
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 988) Address: 0x00e60000 Address: 45056
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: svchost.exe (PID: 988) Address: 0x03100000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 988) Address: 0x03460000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 988) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1080) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1080) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1080) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1080) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: MsMpEng.exe (PID: 1180) Address: 0x00bd0000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: MsMpEng.exe (PID: 1180) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1224) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1224) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1224) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1224) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1320) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1320) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1320) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1320) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1408) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1408) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1408) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1408) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: WLTRYSVC.EXE (PID: 1456) Address: 0x00e30000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: WLTRYSVC.EXE (PID: 1456) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: bcmwltry.exe (PID: 1488) Address: 0x00d30000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: bcmwltry.exe (PID: 1488) Address: 0x01030000 Address: 49152
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: aswUpdSv.exe (PID: 1552) Address: 0x00e30000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: aswUpdSv.exe (PID: 1552) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: ashServ.exe (PID: 1700) Address: 0x00e40000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: ashServ.exe (PID: 1700) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Explorer.EXE (PID: 1928) Address: 0x00d50000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Explorer.EXE (PID: 1928) Address: 0x00e00000 Address: 49152
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: Explorer.EXE (PID: 1928) Address: 0x10000000 Address: 77824
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: ashDisp.exe (PID: 356) Address: 0x00e40000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: ashDisp.exe (PID: 356) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: ctfmon.exe (PID: 372) Address: 0x00d90000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: ctfmon.exe (PID: 372) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: spoolsv.exe (PID: 1300) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: spoolsv.exe (PID: 1300) Address: 0x00d80000 Address: 49152
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1740) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1740) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1740) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1740) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1884) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1884) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1884) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1884) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 2008) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 2008) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 2008) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 2008) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: PCTAVSvc.exe (PID: 2788) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: PCTAVSvc.exe (PID: 2788) Address: 0x01160000 Address: 49152
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 2804) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 2804) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 2804) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 2804) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: sp_rsser.exe (PID: 2892) Address: 0x00c20000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: sp_rsser.exe (PID: 2892) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 3028) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 3028) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 3028) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 3028) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: alg.exe (PID: 2172) Address: 0x00b30000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: alg.exe (PID: 2172) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: iexplore.exe (PID: 3516) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: iexplore.exe (PID: 3516) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: iexplore.exe (PID: 3516) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: iexplore.exe (PID: 3572) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: iexplore.exe (PID: 3572) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: iexplore.exe (PID: 3572) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: CToolbar.exe (PID: 3980) Address: 0x01070000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: CToolbar.exe (PID: 3980) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: iexplore.exe (PID: 3500) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: iexplore.exe (PID: 3500) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: iexplore.exe (PID: 3500) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Iexplore.exe (PID: 3312) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Iexplore.exe (PID: 3312) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: Iexplore.exe (PID: 3312) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Iexplore.exe (PID: 1940) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Iexplore.exe (PID: 1940) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: Iexplore.exe (PID: 1940) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Iexplore.exe (PID: 3128) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Iexplore.exe (PID: 3128) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: Iexplore.exe (PID: 3128) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Iexplore.exe (PID: 1972) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Iexplore.exe (PID: 1972) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: Iexplore.exe (PID: 1972) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: RootRepeal.exe (PID: 1968) Address: 0x00fc0000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: RootRepeal.exe (PID: 1968) Address: 0x10000000 Address: 45056
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x89d16020 Address: 3223
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89d114b8 Address: 2889
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x89d095c8 Address: 127
Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x89d00698 Address: 2409
Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x89e22b20 Address: 1248
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89e27c20 Address: 139
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89d76870 Address: 1937
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x89eba180 Address: 293
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x89e8b940 Address: 1729
Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89ef8358 Address: 3240
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89e8d2d8 Address: 3369
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89e8b200 Address: 719
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a843698 Address: 2408
Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89eec170 Address: 3728
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ec9e70 Address: 401
Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e67558 Address: 2728
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e609e8 Address: 907
Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89edf0f0 Address: 2735
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x89f13190 Address: 551
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a84afa8 Address: 88
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89e7f600 Address: 2560
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89ee6fa8 Address: 88
Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8a847178 Address: 3720
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e93220 Address: 3553
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89e87580 Address: 1337
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89b01098 Address: 958
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89ed2fa8 Address: 88
Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x89f02348 Address: 1706
==EOF==
Bio-Hazard
2009-07-25, 14:55
Download and Run ComboFix
ComboFix SHOULD NOT be used unless requested by a forum helper.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE (http://www.bleepingcomputer.com/forums/topic114351.html)
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
Double click on Combo-Fix.exe and follow the prompts.
When finished, it will produce a report for you (C:\ComboFix.txt )
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log
Thank you so much... by the way.
ComboFix 09-07-25.04 - Matthew Brashear4 07/26/2009 0:46.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1428 [GMT -7:00]
Running from: c:\documents and settings\Matthew Brashear4\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090725-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Outdated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Matthew Brashear4\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Tools AntiVirus.lnk
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\9446.msi
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACavncnkdabu.sys
c:\windows\system32\net.net
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\UACbaoylvdkmr.dat
c:\windows\system32\UACbirtlropgx.dll
c:\windows\system32\UACessxmqfulh.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmkgmmtowdl.db
c:\windows\system32\UACsnoeypbqbp.dll
c:\windows\system32\UACtlaromxdpx.dll
c:\windows\system32\UACyvyyewqxvn.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.
2009-07-24 11:43 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-24 11:43 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-24 11:43 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-24 11:43 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-24 11:43 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-24 11:43 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-24 11:43 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-24 11:43 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-24 11:43 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-24 11:43 . 2009-07-24 11:43 -------- d-----w- c:\program files\Alwil Software
2009-07-24 11:22 . 2009-07-24 11:22 -------- d-----w- c:\program files\Trend Micro
2009-07-24 10:18 . 2009-07-24 10:18 -------- d-----w- c:\program files\Safer Networking
2009-07-23 12:51 . 2009-07-23 12:51 1152 ----a-w- c:\windows\system32\windrv.sys
2009-07-23 12:50 . 2009-07-23 12:50 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\GetRightToGo
2009-07-23 12:10 . 2009-07-24 09:13 -------- d-----w- c:\program files\WinClamAVShield
2009-07-23 12:07 . 2009-07-23 12:07 -------- d-----w- c:\program files\Crawler
2009-07-23 12:07 . 2009-07-25 07:14 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\Spyware Terminator
2009-07-23 12:07 . 2009-07-23 12:07 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-23 12:07 . 2009-07-26 07:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2009-07-23 12:07 . 2009-07-24 12:38 -------- d-----w- c:\program files\Spyware Terminator
2009-07-23 10:59 . 2009-07-23 10:59 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 10:17 . 2009-04-03 18:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-23 10:17 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-23 10:14 . 2009-07-23 10:14 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\PC Tools
2009-07-23 10:13 . 2009-07-23 10:17 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-23 10:13 . 2009-02-10 17:13 21904 ----a-w- c:\windows\system32\drivers\AVRec.sys
2009-07-23 10:13 . 2009-02-10 17:13 28560 ----a-w- c:\windows\system32\drivers\AVHook.sys
2009-07-23 10:13 . 2009-02-10 17:13 21904 ----a-w- c:\windows\system32\drivers\AVFilter.sys
2009-07-23 10:13 . 2009-07-26 07:57 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-07-23 10:13 . 2009-07-23 10:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Tools
2009-07-22 13:51 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-07-22 13:51 . 2009-07-22 13:51 -------- d-----w- c:\program files\Panda Security
2009-07-22 13:41 . 2009-07-22 13:41 -------- d-----w- c:\program files\Windows Defender
2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\program files\Webroot
2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\Webroot
2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Webroot
2009-07-22 11:24 . 2009-05-13 22:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-07-22 11:22 . 2009-07-22 11:31 164 ----a-w- c:\windows\install.dat
2009-07-22 10:44 . 2009-07-22 10:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SITEguard
2009-07-22 10:44 . 2009-07-22 11:06 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\STOPzilla!
2009-07-22 10:44 . 2009-07-22 10:44 -------- d-----w- c:\program files\Common Files\iS3
2009-07-22 10:03 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-22 10:03 . 2009-07-24 11:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 10:03 . 2009-07-22 10:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-22 10:03 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 09:58 . 2009-06-30 09:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-30 09:58 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-30 07:59 . 2009-06-30 07:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-30 05:57 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 07:31 . 2008-05-13 00:24 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-25 11:52 . 2008-07-19 06:50 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\BitTorrent
2009-07-23 10:06 . 2008-07-29 16:34 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-23 10:06 . 2008-07-29 16:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-22 12:12 . 2009-01-09 23:02 -------- d-----w- c:\program files\AIM Toolbar
2009-07-22 10:48 . 2009-07-22 10:45 2296 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-22 10:46 . 2009-07-22 10:45 736 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-07-08 19:56 . 2009-01-09 23:57 -------- d-----w- c:\program files\Coupons
2009-06-30 05:52 . 2008-05-10 19:05 -------- d-----w- c:\program files\Lavasoft
2009-06-30 05:52 . 2008-03-13 08:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-06-30 05:40 . 2008-12-24 09:56 -------- d-----w- c:\program files\CCleaner
2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-11 13:02 . 2007-12-21 02:38 -------- d-----w- c:\program files\Microsoft Works
2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 10:40 . 2009-05-13 10:40 34062 ----a-w- c:\documents and settings\Matthew Brashear4\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-13 05:15 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 16:57 . 2008-07-29 17:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-09 16:57 . 2008-07-29 17:11 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 16:57 . 2008-07-29 17:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-09 16:57 . 2008-07-29 17:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2004-08-10 18:51 345600 ----a-w- c:\windows\system32\localspl.dll
2008-02-02 10:07 . 2008-03-19 02:40 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 . 2008-03-19 02:40 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 . 2008-03-19 02:40 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 . 2008-03-19 02:40 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 . 2008-03-19 02:40 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-07-23 2173440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"TrkWks"=2 (0x2)
"STacSV"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"dmadmin"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MA Lighting Technologies\\grandMA\\grandMA onPC 5.831\\gmaOnPC.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/29/2009 10:57 PM 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/22/2009 6:51 AM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/23/2009 3:17 AM 130936]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/24/2009 4:43 AM 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/29/2008 10:11 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/29/2008 10:11 AM 108552]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [7/23/2009 5:07 AM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2009 4:43 AM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/29/2008 10:11 AM 908568]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/29/2008 10:11 AM 298776]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/24/2008 7:46 PM 24652]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SP_RSDRV2
*Deregistered* - mchInjDrv
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Crawler Search - tbr:iemenu
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: mgm-mirage.com\secure03
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\docume~1\MATTHE~1\APPLIC~1\Mozilla\Firefox\Profiles\cvu6mhm6.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 81
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 81
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 81
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 00:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-07-26 1:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 08:09
Pre-Run: 27,424,641,024 bytes free
Post-Run: 27,885,830,144 bytes free
234 --- E O F --- 2009-07-24 04:37
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:29 AM, on 7/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 3853 bytes
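The ComboFix log above shows the mechanism behind the redirects: Firefox's prefs.js has network.proxy.type set to 1 (manual proxy) with the http, ssl and socks proxies all pointing at 127.0.0.1 port 81, so every request passes through a local process before it leaves the machine. The following added example (not from the thread or from any of the tools mentioned) parses a prefs.js and flags exactly that pattern; the sample prefs text is constructed to mirror the values in the log.

```python
"""Flag a Firefox prefs.js whose manual proxy points at the local machine.

Added example, not part of the original thread.  The detection logic and
the sample inputs below are assumptions built from the values ComboFix
reported (network.proxy.type = 1, proxies on 127.0.0.1:81).
"""
import re
import sys
from typing import Dict, List

# prefs.js lines look like:  user_pref("network.proxy.http", "127.0.0.1");
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Hosts that mean "proxy through a process on this same computer".
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample mirroring the infected profile in the ComboFix log.
SAMPLE_PREFS_HIJACKED = """\
# Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 81);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 81);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 81);
user_pref("network.proxy.type", 1);
"""

# Constructed sample of a legitimate manual proxy (a corporate gateway),
# which must NOT be flagged: the host is not the local machine.
SAMPLE_PREFS_CLEAN = """\
# Mozilla User Preferences (constructed sample)
user_pref("network.proxy.http", "proxy.corp.example");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.type", 1);
"""


def parse_prefs(text: str) -> Dict[str, str]:
    """Parse user_pref lines into {name: value}.

    String values lose their surrounding quotes; numbers and booleans are
    kept as the literal text that appeared in the file.  Lines that are
    not user_pref calls (comments, blank lines) are ignored.
    """
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def find_proxy_hijack(prefs: Dict[str, str]) -> List[str]:
    """Return one finding per protocol whose proxy is a loopback address.

    Only a manual proxy configuration (network.proxy.type == 1) is examined;
    the other modes (none, PAC, system) do not use these host/port keys.
    An empty list means nothing suspicious was found.
    """
    findings: List[str] = []
    if prefs.get("network.proxy.type") != "1":
        return findings
    for proto in ("http", "ssl", "socks", "ftp"):
        host = prefs.get(f"network.proxy.{proto}")
        port = prefs.get(f"network.proxy.{proto}_port", "?")
        if host and host.lower() in LOOPBACK_HOSTS:
            findings.append(f"{proto} proxy points at loopback {host}:{port}")
    return findings


def main(argv: List[str]) -> int:
    """Check a prefs.js given on the command line, or the built-in samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            sources = {argv[1]: fh.read()}
    else:
        sources = {"hijacked-sample": SAMPLE_PREFS_HIJACKED,
                   "clean-sample": SAMPLE_PREFS_CLEAN}
    worst = 0
    for label, text in sources.items():
        hits = find_proxy_hijack(parse_prefs(text))
        print(f"{label}: {'SUSPICIOUS' if hits else 'ok'}")
        for h in hits:
            print("  " + h)
        worst = max(worst, 1 if hits else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real profile with `python check_prefs.py "<profile>\prefs.js"`; a non-zero exit status means a loopback proxy was found, which on a single-user home machine is a strong sign of a browser hijack rather than a deliberate setting.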
Bio-Hazard
2009-07-26, 12:26
Remove one of your Anti Virus programs.
You are operating multiple Anti Virus programs on your computer:
PCTools Antivirus
AVAST
There are also signs of AVG.
Spyware Terminator also has an option to install ClamAV.
It is NOT safe to have more than one anti-virus installed on a system, and doing so not only does not provide better protection, it will actually cause additional problems. Anti-virus programs patch into the system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and it WILL cause crashes! You MUST remove all but one anti-virus program.
Install Recovery Console via Combofix
***************************************************
IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.
***************************************************
With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System
http://i266.photobucket.com/albums/ii277/sUBs_/KB310994.gif
Download the file & save it as it is originally named.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif
Drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
http://img.photobucket.com/albums/v706/ried7/whatnext.png
At the next prompt, click 'Yes' to run the full ComboFix scan.
When the tool is finished, it will produce a report for you.
Next Reply
Please reply with:
ComboFix log (found at C:\Combofix.txt)
New HijackThis log
Sorry, I am swamped at work... I will post the next data soon. Is that OK? Thank you so much!!!
Bio-Hazard
2009-08-01, 00:51
Hello!
That is ok. Keep me posted on your progress.
So, on the Windows webpage it is asking me to download "Boot Disks"? Is this what I want?
Also, I checked my control panel and it appears I am running Service Pack 3, which is not an option....?
And is this going to erase my hard drive? Do I need to remove all my data and files?
So what is the best virus program and spamware/malware program???
ComboFix 09-08-04.03 - Matthew Brashear4 08/05/2009 3:03.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1608 [GMT -7:00]
Running from: c:\documents and settings\Matthew Brashear4\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Matthew Brashear4\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1335 [VPS 090804-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\MATTHE~1\LOCALS~1\Temp\catchme.dll
c:\documents and settings\Matthew Brashear4\Local Settings\temp\catchme.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
.
((((((((((((((((((((((((( Files Created from 2009-07-05 to 2009-08-05 )))))))))))))))))))))))))))))))
.
2009-07-30 04:43 . 2009-07-30 04:43 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\Malwarebytes
2009-07-24 11:43 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-24 11:43 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-24 11:43 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-24 11:43 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-24 11:43 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-24 11:43 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-24 11:43 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-24 11:43 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-24 11:43 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-24 11:43 . 2009-07-24 11:43 -------- d-----w- c:\program files\Alwil Software
2009-07-24 11:22 . 2009-07-24 11:22 -------- d-----w- c:\program files\Trend Micro
2009-07-24 10:18 . 2009-07-24 10:18 -------- d-----w- c:\program files\Safer Networking
2009-07-23 12:51 . 2009-07-23 12:51 1152 ----a-w- c:\windows\system32\windrv.sys
2009-07-23 12:50 . 2009-07-23 12:50 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\GetRightToGo
2009-07-22 13:51 . 2009-07-30 05:52 -------- d-----w- c:\program files\Panda Security
2009-07-22 13:41 . 2009-07-22 13:41 -------- d-----w- c:\program files\Windows Defender
2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\program files\Webroot
2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\Webroot
2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-07-22 11:24 . 2009-05-13 22:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-07-22 11:22 . 2009-07-22 11:31 164 ----a-w- c:\windows\install.dat
2009-07-22 10:44 . 2009-07-22 10:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-07-22 10:44 . 2009-07-22 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-22 10:44 . 2009-07-22 10:44 -------- d-----w- c:\program files\Common Files\iS3
2009-07-22 10:03 . 2009-07-30 04:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-04 10:01 . 2008-07-19 06:50 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\BitTorrent
2009-07-30 04:49 . 2008-07-29 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-30 04:38 . 2008-05-10 19:05 -------- d-----w- c:\program files\Lavasoft
2009-07-30 04:38 . 2008-03-13 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-26 08:27 . 2008-07-29 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-26 07:31 . 2008-05-13 00:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-23 10:06 . 2008-07-29 16:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-22 12:12 . 2009-01-09 23:02 -------- d-----w- c:\program files\AIM Toolbar
2009-07-22 10:48 . 2009-07-22 10:45 2296 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-22 10:46 . 2009-07-22 10:45 736 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-07-08 19:56 . 2009-01-09 23:57 -------- d-----w- c:\program files\Coupons
2009-07-03 17:09 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 05:40 . 2008-12-24 09:56 -------- d-----w- c:\program files\CCleaner
2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-11 13:02 . 2007-12-21 02:38 -------- d-----w- c:\program files\Microsoft Works
2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-19 08:36 . 2009-07-31 17:18 2884832 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\vwpt.exe
2009-05-19 08:36 . 2009-07-31 17:18 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\unregister.bat
2009-05-19 08:36 . 2009-07-31 17:18 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\register.bat
2009-05-19 08:36 . 2009-07-31 17:18 1484856 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\toolbar.exe
2009-05-19 08:36 . 2009-07-31 17:18 97072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\bsetutil.exe
2009-05-19 08:36 . 2009-07-31 17:18 142040 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\alsetup.exe
2009-05-19 08:36 . 2009-07-31 17:18 30512 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\Uninstaller.exe
2009-05-19 08:36 . 2009-07-31 17:18 111920 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4426.0.4\AOLSearch.dll
2009-05-13 10:40 . 2009-05-13 10:40 34062 ----a-w- c:\documents and settings\Matthew Brashear4\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-07 15:32 . 2004-08-10 18:51 345600 ----a-w- c:\windows\system32\localspl.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-26_08.03.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 02:41 . 2009-07-12 02:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2009-08-05 10:10 . 2009-08-05 10:10 16384 c:\windows\Temp\Perflib_Perfdata_7e8.dat
- 2004-08-10 18:51 . 2009-07-26 08:02 63418 c:\windows\system32\perfc009.dat
+ 2004-08-10 18:51 . 2009-08-05 10:15 63418 c:\windows\system32\perfc009.dat
+ 2007-08-13 23:54 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 23:54 . 2009-03-08 11:31 55296 c:\windows\system32\msfeedsbs.dll
- 2004-08-10 18:51 . 2009-04-30 21:22 25600 c:\windows\system32\jsproxy.dll
+ 2004-08-10 18:51 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
- 2009-06-14 15:18 . 2009-04-30 21:22 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-06-14 15:18 . 2009-07-03 17:09 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2008-01-23 15:24 . 2009-07-03 17:09 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-01-23 15:24 . 2009-03-08 11:31 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-12-21 02:27 . 2009-07-03 17:09 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2007-12-21 02:27 . 2009-04-30 21:22 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-07-29 10:01 . 2009-04-30 21:22 12800 c:\windows\ie8updates\KB972260-IE8\xpshims.dll
+ 2009-07-29 10:01 . 2009-03-08 11:31 55296 c:\windows\ie8updates\KB972260-IE8\msfeedsbs.dll
+ 2009-07-29 10:01 . 2009-04-30 21:22 25600 c:\windows\ie8updates\KB972260-IE8\jsproxy.dll
- 2004-08-10 18:51 . 2009-07-26 08:02 402974 c:\windows\system32\perfh009.dat
+ 2004-08-10 18:51 . 2009-08-05 10:15 402974 c:\windows\system32\perfh009.dat
+ 2004-08-10 18:51 . 2009-07-03 17:09 206848 c:\windows\system32\occache.dll
+ 2007-08-13 23:54 . 2009-07-03 17:09 594432 c:\windows\system32\msfeeds.dll
- 2007-08-13 23:54 . 2009-03-08 11:32 594432 c:\windows\system32\msfeeds.dll
+ 2004-08-10 18:51 . 2009-07-03 17:09 184320 c:\windows\system32\iepeers.dll
+ 2004-08-10 18:51 . 2009-07-03 17:09 386048 c:\windows\system32\iedkcs32.dll
+ 2004-08-10 18:51 . 2009-07-03 11:01 173056 c:\windows\system32\ie4uinit.exe
- 2004-08-10 18:51 . 2009-04-30 11:21 173056 c:\windows\system32\ie4uinit.exe
- 2007-12-21 02:27 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\wininet.dll
+ 2007-12-21 02:27 . 2009-07-03 17:09 915456 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 23:44 . 2009-07-03 17:09 206848 c:\windows\system32\dllcache\occache.dll
- 2008-01-23 15:24 . 2009-03-08 11:32 594432 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-01-23 15:24 . 2009-07-03 17:09 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2009-06-14 15:18 . 2009-04-30 21:22 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-06-14 15:18 . 2009-07-03 17:09 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2007-12-21 02:27 . 2009-07-03 17:09 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-13 23:39 . 2009-07-03 17:09 386048 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-13 23:39 . 2009-04-30 11:21 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-13 23:39 . 2009-07-03 11:01 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-07-29 10:00 . 2009-07-29 10:00 248832 c:\windows\Installer\c907f1.msi
+ 2009-07-29 10:01 . 2009-05-13 05:15 915456 c:\windows\ie8updates\KB972260-IE8\wininet.dll
+ 2009-07-29 10:01 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB972260-IE8\spuninst\updspapi.dll
+ 2009-07-29 10:01 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB972260-IE8\spuninst\spuninst.exe
+ 2009-07-29 10:01 . 2009-03-08 11:34 109568 c:\windows\ie8updates\KB972260-IE8\occache.dll
+ 2009-07-29 10:01 . 2009-03-08 11:32 594432 c:\windows\ie8updates\KB972260-IE8\msfeeds.dll
+ 2009-07-29 10:01 . 2009-04-30 21:22 246272 c:\windows\ie8updates\KB972260-IE8\ieproxy.dll
+ 2009-07-29 10:01 . 2009-03-08 11:31 183808 c:\windows\ie8updates\KB972260-IE8\iepeers.dll
+ 2009-07-29 10:01 . 2009-04-30 21:22 385536 c:\windows\ie8updates\KB972260-IE8\iedkcs32.dll
+ 2009-07-29 10:01 . 2009-04-30 11:21 173056 c:\windows\ie8updates\KB972260-IE8\ie4uinit.exe
+ 2004-08-10 18:51 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll
+ 2004-08-10 18:51 . 2009-07-19 13:18 5937152 c:\windows\system32\mshtml.dll
+ 2007-08-13 23:34 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll
+ 2007-12-21 02:27 . 2009-07-03 17:09 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2007-12-21 02:27 . 2009-07-19 13:18 5937152 c:\windows\system32\dllcache\mshtml.dll
+ 2008-01-23 15:24 . 2009-07-03 17:09 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-07-29 10:01 . 2009-04-30 21:22 1207808 c:\windows\ie8updates\KB972260-IE8\urlmon.dll
+ 2009-07-29 10:01 . 2009-05-13 05:15 5936128 c:\windows\ie8updates\KB972260-IE8\mshtml.dll
+ 2009-07-29 10:01 . 2009-04-30 21:22 1985024 c:\windows\ie8updates\KB972260-IE8\iertutil.dll
+ 2007-08-13 23:54 . 2009-07-20 01:48 11067392 c:\windows\system32\ieframe.dll
+ 2008-01-23 15:24 . 2009-07-20 01:48 11067392 c:\windows\system32\dllcache\ieframe.dll
+ 2009-07-29 10:01 . 2009-04-30 21:22 11064832 c:\windows\ie8updates\KB972260-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"TrkWks"=2 (0x2)
"STacSV"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"dmadmin"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"BITS"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\MA Lighting Technologies\\grandMA\\grandMA onPC 5.831\\gmaOnPC.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/24/2009 4:43 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2009 4:43 AM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/24/2008 7:46 PM 24652]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-08-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: mgm-mirage.com\secure03
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-05 03:10
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(904)
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(2924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-05 3:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-05 10:20
ComboFix2.txt 2009-07-26 08:09
Pre-Run: 23,157,436,416 bytes free
Post-Run: 23,676,493,824 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
252 --- E O F --- 2009-08-04 03:15
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:52 AM, on 8/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 2659 bytes
Bio-Hazard
2009-08-05, 15:45
Hello!
So what is the best virus program and spamware/malware program???
I will give you some recommendations once we have finished, because I don't want any of the programs to interfere with the fixes.
Use of P2P (Person to Person) file sharing programs
I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
Bittorrent and DNA
Please read HERE (http://forums.spybot.info/showpost.php?p=218503&postcount=4) the Safer Networking Forums policy on the use of P2P file sharing programs. Please remove it before we can continue any further. Post back when you have done it so we can continue the cleaning process.
NOTE: Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
ATF-Cleaner
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.
Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop.
Alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
Alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the Perform Full Scan option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Kaspersky Online Scan
You can use either Internet Explorer or Mozilla Firefox for this scan.
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and selecting 'Run as administrator' to perform this scan.
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
Optional Fix
I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. This may change; read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).
I recommend that you remove the Viewpoint products; however, decide for yourself.
To uninstall the Viewpoint components:
Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add or Remove Programs.
In Add or Remove Programs, highlight >>Viewpoint component<<, then click Remove.
How to prevent it from being recreated every time you run the AOL software:
Open AOL
Go to Help on the toolbar
Select About AOL
Press Ctrl+D; a hidden panel opens which will allow you to disable all desktop and IM features associated with Viewpoint.
Logs/Information to Post in Next Reply
Please post the following logs/Information in your reply:
Malwarebytes Antimalware log
Kaspersky Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving
Bio-Hazard
2009-08-09, 16:32
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.
If it has been less than four days since your last response and you need the thread re-opened, please send me or a moderator (MOD) a private message (PM). A valid, working link to the closed topic is required.
Bio-Hazard
2009-08-10, 10:10
Topic reopened.
Bio-Hazard
2009-08-14, 17:57
Due to inactivity, this thread will now be closed.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.