PDA

View Full Version : All anti spyware sites blocked and unable to update



Doishy
2009-09-07, 19:41
Basically I am unable to access any websites like safer-networking.org zonealarm, avg etc. I am also unable to update any of my anti virus programs inc spybot which all say that they are unable to connect to the servers they update from.
It's not a firewall problem, and It's being going on for awhile.
Also today I finally managed to get the latest version of spybot on me comp so I could do a scan but it now BSOD's on me everytime I run a scan which means it hinders alot.
Im running windows xp home on service pack 2.
Any help on what it may be?>Many thanks if yes =D
And heres the hijack log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40:36, on 07/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Xerox One Touch\OneTouchMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Launchy\Launchy.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Jamie\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Logon Loader Random] "C:\Program Files\Logon Loader\LogonLoader.exe" /random
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200432799223
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200432958566
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47837275-523E-4749-A545-496190B08148}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{868E2A42-8D40-4B0D-9A4F-E4C284615B8B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Jamie\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9555 bytes

Shaba
2009-09-08, 19:51
Hi Doishy

Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)"
Important! Please do not select the "Show all" checkbox during the scan..

Doishy
2009-09-09, 11:50
Have followed your instructions and is running now, am using someone else's computer to post this. Once done will send the log as per instructed and thankyou very much for taking my case up.

Shaba
2009-09-09, 17:46
Thanks for update :)

Doishy
2009-09-09, 19:05
Well have run the scan 3 times, first two in normal mode, the last in safe mode. As the scans took a long time had left them running with all comps turn of/power save features disabled but for both non safe mode times the computer had logged itself off or restarted when I returned to it.

On re-doing in safe mode watched the scan happen (with a good book to read) and before I presume it completed came up with an error message stating that 'Rootkit activity had changed' [not accurate wording]

Here is the log for the scan that ended with the message box:


GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-09 16:56:11
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwClose [0xF747EC58]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xF7472C70]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF74734FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF747ED50]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwOpenKey [0xF747EBD4]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xF747351E]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryValueKey [0xF747ECA6]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xF747E4F0]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647C10]

INT 0x62 ? 8A196BF8
INT 0x63 ? 8A196BF8
INT 0x73 ? 8A196BF8
INT 0x73 ? 8A196BF8
INT 0x73 ? 89DCAF00
INT 0x73 ? 8A196BF8
INT 0x83 ? 8A196BF8
INT 0x83 ? 8A196BF8
INT 0x83 ? 89DCAF00
INT 0x83 ? 8A196BF8

Code 89C69168 ZwFlushInstructionCache
Code BAB68E99 pIofCallDriver
Code BAB69A97 pIofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwFlushInstructionCache 80585F1C 5 Bytes JMP 89C6916C
? spns.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BACFC62C 5 Bytes JMP 89DCA4E0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A1985E0
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74D76D0] spns.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74DB708] spns.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89DCA5E0

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A2071F8
Device \FileSystem\Udfs \UdfsCdRom 89C361F8
Device \FileSystem\Udfs \UdfsDisk 89C361F8
Device \Driver\usbohci \Device\USBPDO-0 89DC9500
Device \Driver\usbehci \Device\USBPDO-1 89DC61F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A2091F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A2091F8
Device \Driver\Cdrom \Device\CdRom0 89DC77C0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89DC7D20
Device \Driver\atapi \Device\Ide\IdePort0 89DC7D20
Device \Driver\atapi \Device\Ide\IdePort1 89DC7D20
Device \Driver\atapi \Device\Ide\IdePort2 89DC7D20
Device \Driver\atapi \Device\Ide\IdePort3 89DC7D20
Device \Driver\atapi \Device\Ide\IdePort4 89DC7D20
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-19 89DC7D20
Device \Driver\atapi \Device\Ide\IdePort5 89DC7D20
Device \Driver\atapi \Device\Ide\IdePort6 89DC7D20
Device \Driver\atapi \Device\Ide\IdePort7 89DC7D20
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-24 89DC7D20
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 89DC7D20
Device \Driver\Cdrom \Device\CdRom1 89DC77C0
Device \Driver\Cdrom \Device\CdRom2 89DC77C0
Device \Driver\Cdrom \Device\CdRom3 89DC77C0
Device \Driver\Cdrom \Device\CdRom4 89DC77C0
Device \Driver\Cdrom \Device\CdRom5 89DC77C0
Device \Driver\Cdrom \Device\CdRom6 89DC77C0
Device \Driver\usbohci \Device\USBFDO-0 89DC9500
Device \Driver\usbehci \Device\USBFDO-1 89DC61F8
Device \FileSystem\Npfs \Device\NamedPipe 89C690C0
Device \Driver\Ftdisk \Device\FtControl 8A2091F8
Device \FileSystem\Msfs \Device\Mailslot 89DC7F28
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port8Path0Target4Lun0 89D449C0
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port8Path0Target2Lun0 89D449C0
Device \Driver\Vax347s \Device\Scsi\Vax347s1 89D449C0
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port8Path0Target3Lun0 89D449C0
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port8Path0Target1Lun0 89D449C0
Device \Driver\Vax347s \Device\Scsi\Vax347s1Port8Path0Target0Lun0 89D449C0
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 89DAFF60
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 89DAFF60
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 89DAFF60
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 89DAFF60
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 89DAFF60
Device \FileSystem\Cdfs \Cdfs 89C391F8

---- Modules - GMER 1.0.15 ----

Module _________ BAFE8000-BB000000 (98304 bytes)
Module \systemroot\system32\drivers\msqpdxdtmeyfyd.sys (*** hidden *** ) BAB67000-BAB91000 (172032 bytes)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\msqpdxdtmeyfyd.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxdtmeyfyd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxdtmeyfyd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxshhweyuf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA8 0x4A 0xD6 0xBC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40@ljej40 0xB6 0x88 0xF1 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41@ljej40 0xBA 0x88 0xF1 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42@ljej40 0xBA 0x89 0xF1 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42@ljej41 0x19 0x89 0xF1 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42@ljej42 0x19 0x89 0xF1 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42@ljej43 0x19 0x89 0xF1 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42@ljej44 0x19 0x89 0xF1 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg43
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg43@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg43@ljej40 0xC8 0x88 0xF1 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg44
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg44@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg44@ljej40 0xC8 0x88 0xF1 0xE1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxdtmeyfyd.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxdtmeyfyd.sys
Reg HKLM\SYSTEM\ControlSet002\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxshhweyuf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA8 0x4A 0xD6 0xBC ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120%
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120%

---- EOF - GMER 1.0.15 ----





Once again thanks for the help

Shaba
2009-09-09, 19:09
Yes there is rootkit.

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Doishy
2009-09-09, 19:31
Ok will follow instructions now

Doishy
2009-09-09, 21:24
Ok combofix ran fine and followed all instructions of the links sent. The only thing I'm unsure of is the fact windows did a consistancy check after the scan completed. Just to see if this is normal or not.


Here is the combofix log:



ComboFix 09-09-08.09 - James Johns 09/09/2009 18:03.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.3071.2630 [GMT 1:00]
Running from: c:\documents and settings\James Johns\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\James Johns\Local Settings\Temporary Internet Files\fbk.sts
c:\recycler\Program Files
c:\windows\Installer\3e1b4f.msi
c:\windows\system32\Data
c:\windows\system32\drivers\msqpdxbawkxedd.sys
c:\windows\system32\drivers\msqpdxboylrgkn.sys
c:\windows\system32\drivers\msqpdxbrqoxjik.sys
c:\windows\system32\drivers\msqpdxdtmeyfyd.sys
c:\windows\system32\drivers\msqpdxqjduebxu.sys
c:\windows\system32\ltfil13n.dll
c:\windows\system32\msqpdxshhweyuf.dll
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_msqpdxserv.sys
-------\Legacy_msqpdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-07 16:31 . 2009-09-07 16:31 -------- d-----w- c:\program files\ERUNT
2009-09-06 19:38 . 2009-09-06 20:17 -------- d-----w- c:\program files\Phantasy Star Online Blue Burst
2009-09-04 23:08 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-04 23:08 . 2009-09-04 23:08 -------- d-----w- c:\program files\Panda Security
2009-08-29 09:03 . 2009-08-29 09:03 -------- d-----w- c:\documents and settings\James Johns\Local Settings\Application Data\assembly
2009-08-29 09:02 . 2009-08-29 19:57 -------- d-----w- c:\program files\NCSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 17:53 . 2008-01-15 20:55 60852256 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-09 17:20 . 2008-01-15 20:55 715112 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-08 18:52 . 2008-05-12 15:43 -------- d-----w- c:\documents and settings\James Johns\Application Data\foobar2000
2009-09-08 16:43 . 2008-01-17 18:12 -------- d-----w- c:\documents and settings\James Johns\Application Data\uTorrent
2009-09-07 14:00 . 2009-01-17 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-04 22:33 . 2008-03-29 16:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-02 23:15 . 2008-06-19 10:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-02 23:15 . 2008-06-19 10:17 107272 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-02 23:15 . 2008-06-19 10:17 10520 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-02 23:15 . 2008-01-15 20:49 27656 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-02 23:15 . 2008-06-19 10:17 325128 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-31 13:13 . 2008-02-16 09:24 -------- d-----w- c:\program files\Warcraft III
2009-08-29 09:02 . 2008-01-15 19:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-29 09:01 . 2009-03-15 14:26 -------- d-----w- c:\documents and settings\James Johns\Application Data\GetRightToGo
2009-08-15 16:19 . 2008-04-25 18:06 139072 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-15 16:19 . 2008-04-25 18:06 189672 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-12 17:53 . 2008-02-09 19:45 -------- d-----w- c:\program files\DOSBox-0.72
2009-08-11 18:23 . 2008-07-20 16:31 64 ----a-w- c:\windows\popcinfot.dat
2009-08-07 15:25 . 2009-08-07 15:15 -------- d-----w- c:\program files\Heroes of Newerth
2009-07-13 21:41 . 2009-01-17 14:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-13 21:07 . 2008-09-05 14:32 -------- d-----w- c:\documents and settings\James Johns\Application Data\Hamachi
2009-07-13 18:30 . 2009-04-12 07:59 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 18:30 . 2009-04-12 07:59 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 18:30 . 2009-04-12 07:59 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-06-25 22:00 . 2009-06-25 22:00 139152 ----a-w- c:\documents and settings\James Johns\Application Data\PnkBstrK.sys
2009-06-25 21:58 . 2009-06-25 21:58 794408 ----a-w- c:\windows\system32\pbsvc.exe
2009-06-25 21:58 . 2008-04-25 18:06 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2008-02-10 19:14 . 2008-02-10 19:15 13625856 ----a-w- c:\program files\veoh.msi
2008-02-10 19:14 . 2008-02-10 19:15 6129 ----a-w- c:\program files\0x0409.ini
2008-02-10 19:14 . 2008-02-10 19:15 2059 ----a-w- c:\program files\Setup.INI
2008-02-10 19:14 . 2008-02-10 19:15 128625 ----a-w- c:\program files\setup.isn
2008-02-10 19:12 . 2008-02-10 20:54 34816 ----a-w- c:\program files\7A0F285A61A8425A9B09AB79F4A00F02.db
2008-12-19 22:28 . 2008-01-22 18:54 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 22:28 . 2008-01-22 18:54 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 22:28 . 2008-01-22 18:54 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 22:28 . 2008-01-22 18:54 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 22:28 . 2008-01-22 18:54 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\program files\XpertVision\TBPanel.exe" [2007-10-02 2165256]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-02 1601304]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"Logon Loader Random"="c:\program files\Logon Loader\LogonLoader.exe" [2005-03-02 204800]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-09-23 36864]
"OneTouch Monitor"="c:\program files\Xerox One Touch\OneTouchMon.exe" [2003-06-12 86016]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2005-05-03 64512]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

c:\documents and settings\James Johns\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2008-1-22 274432]
REALTEK RTL8185 Wireless LAN Utility.lnk - c:\program files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe [2008-1-15 770048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\Resources\graywitch\logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-02 23:15 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Jamie\\Program Files\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Jamie\\Program Files\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Jamie\\Program Files\\steamapps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Jamie\\Program Files\\steamapps\\common\\multiwinia\\multiwinia.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Jamie\\Program Files\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Jamie\\Program Files\\steamapps\\common\\left 4 dead\\left4dead.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/04/2009 20:34 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [05/09/2009 00:08 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/06/2008 11:17 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/06/2008 11:17 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [03/07/2008 10:31 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/07/2008 10:31 298264]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [15/01/2008 20:10 38144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 951632]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);c:\windows\system32\drivers\evserial.sys [06/09/2008 17:02 52944]
S3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);c:\windows\system32\drivers\evsbc.sys [06/09/2008 17:02 26448]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {47837275-523E-4749-A545-496190B08148} = 208.67.220.220,208.67.222.222
TCP: {868E2A42-8D40-4B0D-9A4F-E4C284615B8B} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\James Johns\Application Data\Mozilla\Firefox\Profiles\0hocuc0f.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PlayNC Launcher - (no file)
AddRemove-Little Fighter 2.5 - - c:\program files\Little Fighter 2.5 -



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 18:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-606747145-1972579041-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:af,3f,14,33,35,8d,60,44,2d,54,a4,98,03,c5,60,a6,1a,18,2a,6b,26,d9,80,
d8,ec,bb,43,17,1a,5d,d3,76,82,90,0a,a6,12,0d,83,0f,70,48,f5,ce,14,72,ba,b7,\
"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d

[HKEY_USERS\S-1-5-21-606747145-1972579041-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:9f,0e,f7,71,a7,99,b4,a4,ff,80,b4,11,00,bb,31,78,96,09,00,16,56,
e2,b7,67,4d,ea,70,6b,95,cf,d7,fd,f8,a8,26,14,40,a1,be,60,1b,6a,0d,1e,d0,c0,\
"rkeysecu"=hex:57,94,b2,4d,4c,cd,fe,bf,32,a3,20,a6,ce,19,23,b7

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3524)
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\jamie\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-09-09 19:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 18:20

Pre-Run: 207,607,140,352 bytes free
Post-Run: 209,542,832,128 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

251 --- E O F --- 2008-11-12 22:11




and here is the hijackthis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24:25, on 09/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Jamie\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [Logon Loader Random] "C:\Program Files\Logon Loader\LogonLoader.exe" /random
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200432799223
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200432958566
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47837275-523E-4749-A545-496190B08148}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{868E2A42-8D40-4B0D-9A4F-E4C284615B8B}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Jamie\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9070 bytes

Shaba
2009-09-09, 21:33
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Doishy
2009-09-09, 21:54
Here is the list as saved:



7-Zip 4.57
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.6
Adobe Shockwave Player
Apple Software Update
Arcanum
Arx Fatalis
ASIO4ALL
Audacity 1.2.6
Avencast™
AVG Free 8.0
Battlefield 2(TM)
Battlefield Heroes
BioShock
BootSkin
CCleaner (remove only)
Command & Conquer Generals
Command & Conquer Tiberian Sun
Command and ConquerTM Generals Zero Hour
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Corel Graphics Suite 11
Counter-Strike: Source
Creative MediaSource 5
Creative Software AutoUpdate
Dark Messiah Might and Magic Single Player
Darwinia
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Dungeon Keeper Gold
Emperor: Rise of the Middle Kingdom 1.0.1.0
foobar2000 v0.9.5.2
Fraps (remove only)
GCFScape 1.6.6
Half-Life
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Hamachi 1.0.3.0
Heroes of Newerth
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Icewind Dale II
ICQ6.5
ID3-TagIT 3
Imperium Galactica 2
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LADSPA_plugins-win-0.4.15
Lame ACM MP3 Codec
Launchy 2.0
Left 4 Dead
LEGO® Indiana Jones™
Little Fighter 2 1.9c
Little Fighter 2.5 - v2.0
Logon Loader 3.0
Microangelo Toolset 6
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Age of Empires Gold
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Speech SDK 5.1
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Morrowind
Mount&Blade
Mozilla Firefox (2.0.0.20)
Mp3tag v2.39
MSXML 4.0 SP2 (KB936181)
MSXML 6 Service Pack 2 (KB954459)
Multiwinia Demo
NCsoft Launcher
Nero 7 Essentials
neroxml
NVIDIA Drivers
NVIDIA PhysX v8.09.04
Oblivion
Panda ActiveScan 2.0
PaperPort 8.0 SE
Peggle (remove only)
Peggle Extreme
PixiePack Codec Pack
Plants Vs Zombies
Portal
Project Reality 0.75
Project Reality 0.75 Core
Project Reality 0.75 Levels
PunkBuster Services
QuickTime
Random Dice Roller
RapeLay (remove only)
RealPlayer
REALTEK RTL8185 Wireless LAN Driver and Utility
Red Alert Windows 95
Sandbox
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SMPlayer 0.6.7
Sony Sound Forge Audio Studio 9.0
Sony Vegas Pro 8.0
Sound Blaster Audigy
Source Dedicated Server
Source SDK
Source SDK Base - Orange Box
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Star Wars Jedi Knight Jedi Academy
Steam
Sven Co-op 3.0
Synergy
Team Fortress 2
Team Fortress 2 Dedicated Server
TES Construction Set
TrackMania Nations Forever
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Vampire - The Masquerade Bloodlines
VDMSound
VideoLAN VLC media player 0.8.6e
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
World of Warcraft
Xerox One Touch
XpertVision 5.5
XviD MPEG-4 Video Codec
Zombie Panic! Source
ZoneAlarm
ZoneAlarm Spy Blocker

Shaba
2009-09-09, 22:06
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

uTorrent


I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Uninstall also this:

ZoneAlarm Spy Blocker

Please run a new uninstall list scan when finished and post the log back here.

Doishy
2009-09-09, 22:18
ok new list:



2007 Microsoft Office Suite Service Pack 1 (SP1)
7-Zip 4.57
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.6
Adobe Shockwave Player
Apple Software Update
Arcanum
Arx Fatalis
ASIO4ALL
Audacity 1.2.6
Avencast™
AVG Free 8.0
Battlefield 2(TM)
Battlefield Heroes
BioShock
BootSkin
CCleaner (remove only)
Command & Conquer Generals
Command & Conquer Tiberian Sun
Command and ConquerTM Generals Zero Hour
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Corel Graphics Suite 11
Counter-Strike: Source
Creative MediaSource 5
Creative Software AutoUpdate
Dark Messiah Might and Magic Single Player
Darwinia
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Dungeon Keeper Gold
Emperor: Rise of the Middle Kingdom 1.0.1.0
foobar2000 v0.9.5.2
Fraps (remove only)
GCFScape 1.6.6
Half-Life
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Hamachi 1.0.3.0
Heroes of Newerth
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Icewind Dale II
ICQ6.5
ID3-TagIT 3
Imperium Galactica 2
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LADSPA_plugins-win-0.4.15
Lame ACM MP3 Codec
Launchy 2.0
Left 4 Dead
LEGO® Indiana Jones™
Little Fighter 2 1.9c
Little Fighter 2.5 - v2.0
Logon Loader 3.0
Microangelo Toolset 6
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Age of Empires Gold
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Speech SDK 5.1
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Morrowind
Mount&Blade
Mozilla Firefox (2.0.0.20)
Mp3tag v2.39
MSXML 4.0 SP2 (KB936181)
MSXML 6 Service Pack 2 (KB954459)
Multiwinia Demo
NCsoft Launcher
Nero 7 Essentials
neroxml
NVIDIA Drivers
NVIDIA PhysX v8.09.04
Oblivion
Panda ActiveScan 2.0
PaperPort 8.0 SE
Peggle (remove only)
Peggle Extreme
PixiePack Codec Pack
Plants Vs Zombies
Portal
Project Reality 0.75
Project Reality 0.75 Core
Project Reality 0.75 Levels
PunkBuster Services
QuickTime
Random Dice Roller
RealPlayer
REALTEK RTL8185 Wireless LAN Driver and Utility
Red Alert Windows 95
Sandbox
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SMPlayer 0.6.7
Sony Sound Forge Audio Studio 9.0
Sony Vegas Pro 8.0
Sound Blaster Audigy
Source Dedicated Server
Source SDK
Source SDK Base - Orange Box
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Star Wars Jedi Knight Jedi Academy
Steam
Sven Co-op 3.0
Synergy
Team Fortress 2
Team Fortress 2 Dedicated Server
TES Construction Set
TrackMania Nations Forever
Update for Office 2007 (KB946691)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Vampire - The Masquerade Bloodlines
VDMSound
VideoLAN VLC media player 0.8.6e
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
World of Warcraft
Xerox One Touch
XpertVision 5.5
XviD MPEG-4 Video Codec
Zombie Panic! Source
ZoneAlarm

Doishy
2009-09-09, 22:26
And also on trying to access the spybot site am now able to so thanks, at least that problem is solved. But if you are still looking at logs im guessing things need doing still so we shall keep at it but thanks for fixing the main issue.

Shaba
2009-09-09, 22:40
Good :)


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


Folder::
c:\documents and settings\James Johns\Application Data\uTorrent
c:\Program Files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Doishy
2009-09-09, 23:05
Ok, and on another positive note have updated all anti virus plus windows which it seems was also blocked from updating and spybot is now working, seems and older version was conflicting with the current one in some way so am doing a scan now and immunizing.

Will sort the log out and registry stuff after finishes.

And many thanks once more, you've been superb at helping.:euro:

Shaba
2009-09-10, 07:13
No hurry, take your time :)

Doishy
2009-09-11, 20:02
Well been a bit busy last few days so havent been able to use comp but when did to redo scan it started consistancy checking the c: drive during start up and has done so each time I have turned on the computer, any reason for this, (I let the first time run and all it seemed to do is reset ie as default browser which i changed back) and I have skipped the checks since then.

Any ideas on what this is how to stop it? As I would rather nmot do the fix rescan / restart as suggested til it stops asking :/

Shaba
2009-09-11, 20:08
Do you mean that chkdsk runs upon boot?

Doishy
2009-09-13, 21:08
I think so but now unfortunately my windows is unable to boot. (Its all gone wrong). We have tried booting into safe mode and with recovery console but neither work. So we have removed hard disk and have tried a Usb Ide on it which detects it but cannot retrieve the files.
Have run dos check disk /v and gives indications of deleting corrupted attribute
files and deleting corrupted orphan files. We will be attempting a fix (/F) on it but any ideas? I know this isn't a directly malware related thing (hopefully) but any ideas nonetheless. If no then just slash the thread and thanks for your prior help.



The Hard drive is a seagate barracuda 500gb, 7200rpm and has been working since purchase in jan 2007.

Shaba
2009-09-13, 21:35
Then I think that it might be worth trying to save data using live linux.

Do you want instructions for that?

Doishy
2009-09-14, 14:25
AHAH! Its working again, and im backing all data up on ext hard drive and using norton ghost to save computers image. Linux wise I've got a friend who could probably help me with that.
And I believe thats all problems gone
:D
Thanks again (Do I thank too much :S)

Shaba
2009-09-14, 17:47
Please then continue with my previous instructions :)

Doishy
2009-09-14, 23:27
The linux ones, chdisk ones or all the way back to the combofix, text doc insert etc one?

Shaba
2009-09-15, 07:09
Combofix instructions, please :)

Doishy
2009-09-15, 17:23
Is there anyway to use torrent programs (as its how garrysmod allow you to download addons these days) without this risk of infection through them, like limiters or something or does it have to be the full gragh die program thing?

Shaba
2009-09-15, 17:43
I don't comment anything about p2p program usage as using them is against forum rules.

If you like to continue, please proceed with combofix instructions.

If not, let me know and I will close this :)

Doishy
2009-09-15, 21:03
No thanks so close the thread up, and I will heed said warnings. Thanks for the final time on all the help :D And keep up the good work saving the poor souls of the online world.

Doishy
2009-09-16, 00:19
Sorry that first bit sounded a little rude :lip: