halfconcept
2009-09-12, 08:45
Windows xp service pack 2, dell latitude d600 1.4ghz pentium M with 512mb of ram.
So it all started when we left our laptop alone with a 12 year old kid who likes to play games online and god knows what else, when we got it back later that day it was running REAL slow....and then these insane audio ads came out of no where...random audio comercials for shampoo products and other random products.
so i started downloading all those programs i used to use....spybot, comodo and hijack this.....comodo scanned the whole drive and quaranteed some things, and then deleted em.
so now the audio ads are gone...and everything is okay except for when you turn on the comp you get a error running a dll "tapi.nfo " which i am sure is related to malware as other people have mentioned it with similar symptoms to mine...
heres the other really weird thing....SPYBOT will not open at all for some reason hasnt a single time since i dled it on this laptop. neither will the install file for highjackthis. the teatimer does function however it uses 100% cpu power until i shut it off.
heres the last suspect issue....if you open internet explorer (we never EVER use ie, only ff and sometimes chrome) although im sure the kid that causes all our problems did it in IE because her games require ie....well theres all these search results for random stuff like FHM GIRLS....scour.com search results for random things like "kitchen remodelling" "searchdiscoverweb" "primosearch" "xmlsearchgeek" all this random stuff....every single day in the history all these results ever since we got the laptop back...
so i know normally you guys like a highjackthis thing but i cant do that....any help would really greatly be appreciated because it seems im still infected here....this malware has turned my computer into a spammer for someone. and im tired of them making money off me and im tired of it not allowing me to use spybot ! which ive always loved using for many years.
thank you so much in advance and ill do anything i can to help resolve this issue.
also i cant open avast, althoug unlike hjt and spybot which give no error (they just dont open, i double click and i see the mouse turns into a timer but no program ever opens.) for some reason avast tells me Windows cannot open the specified device path or file you may not have appropriate permissions to access this file.
well for one thing there is only one user for this laptop, and it has admin privls so i presume this is the malware in action
I also have a gamer file here, hopefully it will help:
GMER 1.0.15.15077 [0lttzu57.exe] - http://www.gmer.net
Rootkit quick scan 2009-09-12 20:39:39
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
Code 82CFC788 ZwEnumerateKey
Code 82CFCD80 ZwFlushInstructionCache
Code 82CFC6AE IofCallDriver
Code 82CFC5D6 IofCompleteRequest
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 86e5c027.sys
Device \FileSystem\Ntfs \Ntfs 82FDE1F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fastfat \Fat 821AF1F8
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip 86e5c027.sys
AttachedDevice \Driver\Tcpip \Device\Ip aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp 86e5c027.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp 86e5c027.sys
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp 86e5c027.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15077 - http://www.gmer.net
Autostart scan 2009-09-12 20:51:06
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
@ShellExplorer.exe rundll32.exe tapi.nfo beforeglav = Explorer.exe rundll32.exe tapi.nfo beforeglav
Windows@AppInit_DLLs = C:\WINDOWS\system32\guard32.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswupdsv@ = "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
avast! antivirus@ = "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
cmdagent@ = "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe"
JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
SCardSvr@ = %SystemRoot%\System32\SCardSvr.exe
UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe
wltrysvc@ = %SystemRoot%\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe
wuauserv@ = %fystemroot%\system32\svchost.exe -k netsvcs /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Run@MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler@{BF56A325-23F2-42AD-F4E4-00AAC39CAA53} = C:\WINDOWS\system32\tajf83ikdmf.dll /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Protection System extension*/C:\Program Files\Protection System\CoreExt.dll /*file not found*/ = C:\Program Files\Protection System\CoreExt.dll /*file not found*/
@{4255A182-CAD9-4214-A19B-7BA7FB633BBD} /*Comodo Antivirus*/C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll = C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
comodo antivirus@{4255A182-CAD9-4214-A19B-7BA7FB633BBD} = C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll
simpleshlext@{5E2121EE-0300-11D4-8D3B-444553540000} = C:\Program Files\Protection System\CoreExt.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
comodo antivirus@{4255A182-CAD9-4214-A19B-7BA7FB633BBD} = C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll
simpleshlext@{5E2121EE-0300-11D4-8D3B-444553540000} = C:\Program Files\Protection System\CoreExt.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{bf56a325-23f2-42ad-f4e4-00aac39caa53} = C:\WINDOWS\system32\tajf83ikdmf.dll /*file not found*/
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\ss3dfo.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://att.yahoo.com/ = http://att.yahoo.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll
---- EOF - GMER 1.0.15 ----
=====================================
Edit: Merged 3 posts as per forum FAQ
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
=====================================
for some reason comodo seems to work on the laptop...i ran its anti virus thing and came up with these results
Heur.Suspicious@49358707 C:\Program Files\QuickTime\qttask.exe
Heur.Suspicious@49355571 C:\WINDOWS\system32\QuickTime\QTPluginInstaller.exe
TrojWare.Win32.TrojanSpy.Zbot.Gen@48359664 C:\WINDOWS\Temp\6.tmp
i went ahead and told it to delete those....but so sadly...spybot will not run ::weep::
So it all started when we left our laptop alone with a 12 year old kid who likes to play games online and god knows what else, when we got it back later that day it was running REAL slow....and then these insane audio ads came out of no where...random audio comercials for shampoo products and other random products.
so i started downloading all those programs i used to use....spybot, comodo and hijack this.....comodo scanned the whole drive and quaranteed some things, and then deleted em.
so now the audio ads are gone...and everything is okay except for when you turn on the comp you get a error running a dll "tapi.nfo " which i am sure is related to malware as other people have mentioned it with similar symptoms to mine...
heres the other really weird thing....SPYBOT will not open at all for some reason hasnt a single time since i dled it on this laptop. neither will the install file for highjackthis. the teatimer does function however it uses 100% cpu power until i shut it off.
heres the last suspect issue....if you open internet explorer (we never EVER use ie, only ff and sometimes chrome) although im sure the kid that causes all our problems did it in IE because her games require ie....well theres all these search results for random stuff like FHM GIRLS....scour.com search results for random things like "kitchen remodelling" "searchdiscoverweb" "primosearch" "xmlsearchgeek" all this random stuff....every single day in the history all these results ever since we got the laptop back...
so i know normally you guys like a highjackthis thing but i cant do that....any help would really greatly be appreciated because it seems im still infected here....this malware has turned my computer into a spammer for someone. and im tired of them making money off me and im tired of it not allowing me to use spybot ! which ive always loved using for many years.
thank you so much in advance and ill do anything i can to help resolve this issue.
also i cant open avast, althoug unlike hjt and spybot which give no error (they just dont open, i double click and i see the mouse turns into a timer but no program ever opens.) for some reason avast tells me Windows cannot open the specified device path or file you may not have appropriate permissions to access this file.
well for one thing there is only one user for this laptop, and it has admin privls so i presume this is the malware in action
I also have a gamer file here, hopefully it will help:
GMER 1.0.15.15077 [0lttzu57.exe] - http://www.gmer.net
Rootkit quick scan 2009-09-12 20:39:39
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
Code 82CFC788 ZwEnumerateKey
Code 82CFCD80 ZwFlushInstructionCache
Code 82CFC6AE IofCallDriver
Code 82CFC5D6 IofCompleteRequest
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 86e5c027.sys
Device \FileSystem\Ntfs \Ntfs 82FDE1F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fastfat \Fat 821AF1F8
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswmon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip 86e5c027.sys
AttachedDevice \Driver\Tcpip \Device\Ip aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp 86e5c027.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp 86e5c027.sys
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp 86e5c027.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswtdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- EOF - GMER 1.0.15 ----
GMER 1.0.15.15077 - http://www.gmer.net
Autostart scan 2009-09-12 20:51:06
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
@ShellExplorer.exe rundll32.exe tapi.nfo beforeglav = Explorer.exe rundll32.exe tapi.nfo beforeglav
Windows@AppInit_DLLs = C:\WINDOWS\system32\guard32.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aswupdsv@ = "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
avast! antivirus@ = "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
cmdagent@ = "C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe"
JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
SCardSvr@ = %SystemRoot%\System32\SCardSvr.exe
UMWdf@ = C:\WINDOWS\system32\wdfmgr.exe
wltrysvc@ = %SystemRoot%\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe
wuauserv@ = %fystemroot%\system32\svchost.exe -k netsvcs /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Run@MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler@{BF56A325-23F2-42AD-F4E4-00AAC39CAA53} = C:\WINDOWS\system32\tajf83ikdmf.dll /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Protection System extension*/C:\Program Files\Protection System\CoreExt.dll /*file not found*/ = C:\Program Files\Protection System\CoreExt.dll /*file not found*/
@{4255A182-CAD9-4214-A19B-7BA7FB633BBD} /*Comodo Antivirus*/C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll = C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll
@{472083B0-C522-11CF-8763-00608CC02F24} /*avast*/C:\Program Files\Alwil Software\Avast4\ashShell.dll = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
comodo antivirus@{4255A182-CAD9-4214-A19B-7BA7FB633BBD} = C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll
simpleshlext@{5E2121EE-0300-11D4-8D3B-444553540000} = C:\Program Files\Protection System\CoreExt.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
avast@{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
comodo antivirus@{4255A182-CAD9-4214-A19B-7BA7FB633BBD} = C:\Program Files\COMODO\COMODO Internet Security\cavshell.dll
simpleshlext@{5E2121EE-0300-11D4-8D3B-444553540000} = C:\Program Files\Protection System\CoreExt.dll /*file not found*/
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects@{bf56a325-23f2-42ad-f4e4-00aac39caa53} = C:\WINDOWS\system32\tajf83ikdmf.dll /*file not found*/
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\ss3dfo.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://att.yahoo.com/ = http://att.yahoo.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll
---- EOF - GMER 1.0.15 ----
=====================================
Edit: Merged 3 posts as per forum FAQ
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
=====================================
for some reason comodo seems to work on the laptop...i ran its anti virus thing and came up with these results
Heur.Suspicious@49358707 C:\Program Files\QuickTime\qttask.exe
Heur.Suspicious@49355571 C:\WINDOWS\system32\QuickTime\QTPluginInstaller.exe
TrojWare.Win32.TrojanSpy.Zbot.Gen@48359664 C:\WINDOWS\Temp\6.tmp
i went ahead and told it to delete those....but so sadly...spybot will not run ::weep::