
Thread: Major Redirect problem/Won't open spybot

  1. #1
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    Major Redirect problem/Won't open spybot

    Hello,

    So I have a major problem with my computer. It redirects me away from most adware and Spybot search pages, launches a browser window with advertisements, and has played a few audio files in the background of my computer.

    I can't open Spybot.

    It says "Can't Connect to Server" with AdAware.

    CCleaner will run and I have deleted some things with it.

    Spyware Terminator will run and delete things, but doesn't help.

    I have tried to download Malwarebytes Anti-Malware but it freezes during install. I have even tried doing it in "SAFE MODE" and saving it under a different exe name, but that doesn't help.

    Fix Vundo runs but doesn't help.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:22:38 AM, on 7/24/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispat...=%s&tbid=60347
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60347
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60347
    R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 3432 bytes


    Please help. Mathers

  2. #2
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592


    Hello and Welcome to forums!

    My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:


    • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for this issue on this machine.
    • If you don't know or understand something, please don't hesitate to ask.
    • Please DO NOT run any other tools or scans whilst I am helping you.
    • It is important that you reply to this thread. Do not start a new topic.
    • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    • Absence of symptoms does not mean that everything is clear.



    No Reply Within 4 Days Will Result In Your Topic Being Closed!!


    STEP 1

    Download DDS

    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop from:

    Link 1
    Link 2

    Please disable any anti-malware program that will block scripts from running before running DDS.


    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:

      • DDS.txt
      • Attach.txt

    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply




    STEP 2


    RootRepeal - Rootkit Detector

    Download RootRepeal.zip and unzip it to your Desktop.


    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:

      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services

    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan

      The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program




    Next Reply

    Please reply with:

    • DDS.txt
    • Attach.txt
    • RootRepeal.txt
    MRU Master of Malware Removal University

    Member of UNITE and ASAP
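The RootRepeal report requested above lists every "Stealth Object" as a two-line block (an "Object:" line and a "Process:" line). When a machine is heavily infected that section runs to hundreds of entries, and the question a responder wants answered is not "what is there" but "which hidden module sits in how many processes, and which kernel drivers have hooked dispatch routines". The script below is an added example and not part of the original thread or of RootRepeal; it parses the "Stealth Objects" format shown later in this thread and rolls it up. The sample lines are a constructed excerpt in that format (seven entries copied from the report posted later), and the list of "core" processes and the `min_processes` threshold are the author's own heuristics, not anything RootRepeal defines. RootRepeal prints two "Address:" fields per hidden module; the second is treated here as the module size in bytes, an assumption based on its values all being multiples of 4096.

```python
import re
from collections import defaultdict

# Constructed sample input: a few entries in the format RootRepeal uses for
# its "Stealth Objects" section, copied from the report posted later in this
# thread (the full report has many more entries).
SAMPLE_REPORT = """\
Stealth Objects
-------------------
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: winlogon.exe (PID: 752) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: winlogon.exe (PID: 752) Address: 0x00980000 Address: 49152

Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: services.exe (PID: 800) Address: 0x00a80000 Address: 49152

Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: lsass.exe (PID: 812) Address: 0x10000000 Address: 45056

Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: RootRepeal.exe (PID: 1968) Address: 0x00fc0000 Address: 49152

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x89d16020 Address: 3223

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ec9e70 Address: 401
"""

MODULE_RE = re.compile(
    r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]\s*\n"
    r"Process: (?P<process>\S+) \(PID: (?P<pid>\d+)\) "
    r"Address: (?P<address>0x[0-9a-fA-F]+) Address: (?P<size>\d+)"
)
CODE_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>[^\]]+)\]\s*\n"
    r"Process: (?P<process>\S+) Address: (?P<address>0x[0-9a-fA-F]+)"
)

# Heuristic (author's choice): processes in which an unlisted, hidden
# module is never legitimately expected.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def parse_stealth_objects(text):
    """Return one dict per 'Hidden Module' / 'Hidden Code' entry.
    The second 'Address:' field of a module entry is taken to be its size
    in bytes (assumption: every such value in the posted report is a
    multiple of 4096)."""
    records = []
    for m in MODULE_RE.finditer(text):
        records.append({
            "kind": "module",
            "name": m.group("name"),
            "process": m.group("process"),
            "pid": int(m.group("pid")),
            "address": int(m.group("address"), 16),
            "size": int(m.group("size")),
        })
    for m in CODE_RE.finditer(text):
        records.append({
            "kind": "code",
            "driver": m.group("driver"),
            "irp": m.group("irp"),
            "process": m.group("process"),
            "address": int(m.group("address"), 16),
        })
    return records


def modules_by_name(records):
    """Map hidden module name -> set of process names it was found in."""
    seen = defaultdict(set)
    for r in records:
        if r["kind"] == "module":
            seen[r["name"]].add(r["process"])
    return dict(seen)


def flag_modules(records, min_processes=3):
    """Names worth escalating: a hidden module injected into at least
    `min_processes` distinct processes, or into any core system process.
    Returns {name: [reason, ...]}."""
    flagged = {}
    for name, procs in modules_by_name(records).items():
        reasons = []
        if len(procs) >= min_processes:
            reasons.append(f"injected into {len(procs)} processes")
        core = sorted(procs & CORE_PROCESSES)
        if core:
            reasons.append("present in core process(es): " + ", ".join(core))
        if reasons:
            flagged[name] = reasons
    return flagged


def hooked_drivers(records):
    """Map driver name -> sorted IRP major functions whose dispatch
    routine RootRepeal reported as pointing at hidden code."""
    hooks = defaultdict(set)
    for r in records:
        if r["kind"] == "code":
            hooks[r["driver"]].add(r["irp"])
    return {d: sorted(v) for d, v in hooks.items()}


if __name__ == "__main__":
    recs = parse_stealth_objects(SAMPLE_REPORT)
    for name, reasons in flag_modules(recs).items():
        print(f"{name}: " + "; ".join(reasons))
    for drv, irps in hooked_drivers(recs).items():
        print(f"{drv}: {len(irps)} IRP handler(s) hooked: {', '.join(irps)}")
```

Run it against a saved RootRepeal.txt by replacing `SAMPLE_REPORT` with the file's contents. The roll-up is what makes the report actionable: the same unlisted DLL appearing at the same address in winlogon.exe, services.exe, lsass.exe and even the scanner's own process points to system-wide injection rather than a single bad program, and a driver whose IRP dispatch entries all resolve to hidden code is a kernel-level hook, which is why the helper asked for the "Stealth Objects" and "SSDT" scans rather than relying on the tools that were already failing to start.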

  3. #3
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    DDS And Attach

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 1/15/2008 11:20:25 AM
    System Uptime: 7/25/2009 12:09:52 AM (0 hours ago)

    Motherboard: Dell Inc. | | 0TT347
    Processor: Intel(R) Core(TM)2 Duo CPU T5470 @ 1.60GHz | Microprocessor | 1180/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 146 GiB total, 25.25 GiB free.
    D: is CDROM (CDFS)

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Dell Wireless 1490 Dual Band WLAN Mini-Card
    Device ID: PCI\VEN_14E4&DEV_4312&SUBSYS_00071028&REV_01\4&AB208E&0&00E1
    Manufacturer: Broadcom
    Name: Dell Wireless 1490 Dual Band WLAN Mini-Card
    PNP Device ID: PCI\VEN_14E4&DEV_4312&SUBSYS_00071028&REV_01\4&AB208E&0&00E1
    Service: BCM43XX

    ==== System Restore Points ===================

    RP1: 7/22/2009 1:10:10 AM - System Checkpoint
    RP2: 7/22/2009 1:10:11 AM - System Checkpoint
    RP3: 7/22/2009 1:10:11 AM - Software Distribution Service 3.0
    RP4: 7/22/2009 1:10:11 AM - System Checkpoint
    RP5: 7/22/2009 1:10:11 AM - System Checkpoint
    RP6: 7/22/2009 1:10:11 AM - System Checkpoint
    RP7: 7/22/2009 1:10:12 AM - System Checkpoint
    RP8: 7/22/2009 1:10:12 AM - System Checkpoint
    RP9: 7/22/2009 1:10:12 AM - System Checkpoint
    RP10: 7/22/2009 1:10:12 AM - System Checkpoint
    RP11: 7/22/2009 1:10:13 AM - System Checkpoint
    RP12: 7/22/2009 1:10:13 AM - System Checkpoint
    RP13: 7/22/2009 1:10:13 AM - System Checkpoint
    RP14: 7/22/2009 1:10:14 AM - Software Distribution Service 3.0
    RP15: 7/22/2009 1:10:14 AM - Software Distribution Service 3.0
    RP16: 7/22/2009 1:10:15 AM - System Checkpoint
    RP17: 7/22/2009 1:10:15 AM - Software Distribution Service 3.0
    RP18: 7/22/2009 1:10:15 AM - System Checkpoint
    RP19: 7/22/2009 1:10:16 AM - System Checkpoint
    RP20: 7/22/2009 1:10:16 AM - System Checkpoint
    RP21: 7/22/2009 1:10:17 AM - System Checkpoint
    RP22: 7/22/2009 1:10:17 AM - System Checkpoint
    RP23: 7/22/2009 1:10:18 AM - System Checkpoint
    RP24: 7/22/2009 1:10:18 AM - System Checkpoint
    RP25: 7/22/2009 1:10:19 AM - System Checkpoint
    RP26: 7/22/2009 1:10:19 AM - System Checkpoint
    RP27: 7/22/2009 1:10:19 AM - System Checkpoint
    RP28: 7/22/2009 1:10:20 AM - System Checkpoint
    RP29: 7/22/2009 1:10:20 AM - System Checkpoint
    RP30: 7/22/2009 1:10:20 AM - System Checkpoint
    RP31: 7/22/2009 1:10:21 AM - Software Distribution Service 3.0
    RP32: 7/22/2009 1:10:21 AM - System Checkpoint
    RP33: 7/22/2009 1:10:22 AM - System Checkpoint
    RP34: 7/22/2009 1:10:22 AM - System Checkpoint

    ==== Installed Programs ======================


    ==== Event Viewer Messages From Past Week ========


    ==== End Of File ===========================


    And



    DDS (Ver_09-06-26.01) - NTFSx86
    Run by Matthew Brashear4 at 0:19:54.76 on Sat 07/25/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1338 [GMT -7:00]

    AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: avast! antivirus 4.8.1335 [VPS 090724-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Matthew Brashear4\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
    uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60347
    uInternet Connection Wizard,ShellNext = iexplore
    mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60347
    mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60347
    uURLSearchHooks: N/A: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
    BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
    TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
    TB: {02F7A7EB-89F8-47FF-A75C-52C1060EC144} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    IE: Crawler Search - tbr:iemenu
    LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
    Trusted Zone: mgm-mirage.com\secure03
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

    ================= FIREFOX ===================

    FF - ProfilePath -

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-29 64160]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-22 28544]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-23 130936]
    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-24 114768]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-29 325896]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-29 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-29 108552]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-24 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-24 138680]
    R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-7-23 21904]
    R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-7-23 826600]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-7-23 28560]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-24 254040]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-24 352920]
    S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-29 908568]
    S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-29 298776]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-24 24652]

    =============== Created Last 30 ================

    2009-07-24 04:22 <DIR> --d----- c:\program files\Trend Micro
    2009-07-24 03:18 <DIR> --d----- c:\program files\Safer Networking
    2009-07-23 05:50 <DIR> --d----- c:\docume~1\matthe~1\applic~1\GetRightToGo
    2009-07-23 05:10 <DIR> --d----- c:\program files\WinClamAVShield
    2009-07-23 05:07 <DIR> --d----- c:\program files\Crawler
    2009-07-23 05:07 <DIR> --d----- c:\docume~1\matthe~1\applic~1\Spyware Terminator
    2009-07-23 05:07 <DIR> --d----- c:\program files\Spyware Terminator
    2009-07-23 05:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
    2009-07-23 03:59 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-23 03:14 <DIR> --d----- c:\docume~1\matthe~1\applic~1\PC Tools
    2009-07-23 03:13 <DIR> --d----- c:\program files\common files\PC Tools
    2009-07-23 03:13 <DIR> --d----- c:\program files\PC Tools AntiVirus
    2009-07-23 03:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
    2009-07-22 06:51 <DIR> --d----- c:\program files\Panda Security
    2009-07-22 04:24 <DIR> --d----- c:\program files\Webroot
    2009-07-22 04:24 <DIR> --d----- c:\docume~1\matthe~1\applic~1\Webroot
    2009-07-22 04:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
    2009-07-22 03:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
    2009-07-22 03:44 <DIR> --d----- c:\program files\common files\iS3
    2009-07-22 03:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
    2009-07-22 03:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-07-22 03:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

    ==================== Find3M ====================

    2008-12-26 13:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122620081227\index.dat

    ============= FINISH: 0:21:42.00 ===============

  4. #4
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    Rootrepeal

    OK, I had a problem getting this to complete. It says "could not read system registry. Contact the author"

    But here is what it came up with.

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/07/25 00:28
    Program Version: Version 1.3.2.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_iaStor.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
    Address: 0x9C770000 Size: 778240 File Visible: No Signed: -
    Status: -

    Name: mchInjDrv.sys
    Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
    Address: 0xBA780000 Size: 2560 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB5F74000 Size: 49152 File Visible: No Signed: -
    Status: -

    Stealth Objects
    -------------------
    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: winlogon.exe (PID: 752) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: winlogon.exe (PID: 752) Address: 0x00980000 Address: 49152

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: services.exe (PID: 800) Address: 0x00a80000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: services.exe (PID: 800) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: lsass.exe (PID: 812) Address: 0x00b10000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: lsass.exe (PID: 812) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 988) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 988) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 988) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UACbirtlropgx.dll]
    Process: svchost.exe (PID: 988) Address: 0x00bc0000 Address: 73728

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 988) Address: 0x00e60000 Address: 45056

    Object: Hidden Module [Name: UACessxmqfulh.dll]
    Process: svchost.exe (PID: 988) Address: 0x03100000 Address: 217088

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 988) Address: 0x03460000 Address: 49152

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 988) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 1080) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 1080) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 1080) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 1080) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: MsMpEng.exe (PID: 1180) Address: 0x00bd0000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: MsMpEng.exe (PID: 1180) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 1224) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 1224) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 1224) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 1224) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 1320) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 1320) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 1320) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 1320) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 1408) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 1408) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 1408) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 1408) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: WLTRYSVC.EXE (PID: 1456) Address: 0x00e30000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: WLTRYSVC.EXE (PID: 1456) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: bcmwltry.exe (PID: 1488) Address: 0x00d30000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: bcmwltry.exe (PID: 1488) Address: 0x01030000 Address: 49152

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: aswUpdSv.exe (PID: 1552) Address: 0x00e30000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: aswUpdSv.exe (PID: 1552) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: ashServ.exe (PID: 1700) Address: 0x00e40000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: ashServ.exe (PID: 1700) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: Explorer.EXE (PID: 1928) Address: 0x00d50000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: Explorer.EXE (PID: 1928) Address: 0x00e00000 Address: 49152

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: Explorer.EXE (PID: 1928) Address: 0x10000000 Address: 77824

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: ashDisp.exe (PID: 356) Address: 0x00e40000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: ashDisp.exe (PID: 356) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: ctfmon.exe (PID: 372) Address: 0x00d90000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: ctfmon.exe (PID: 372) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: spoolsv.exe (PID: 1300) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: spoolsv.exe (PID: 1300) Address: 0x00d80000 Address: 49152

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 1740) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 1740) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 1740) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 1740) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 1884) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 1884) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 1884) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 1884) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 2008) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 2008) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 2008) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 2008) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: PCTAVSvc.exe (PID: 2788) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: PCTAVSvc.exe (PID: 2788) Address: 0x01160000 Address: 49152

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 2804) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 2804) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 2804) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 2804) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: sp_rsser.exe (PID: 2892) Address: 0x00c20000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: sp_rsser.exe (PID: 2892) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACtlaromxdpx.dll]
    Process: svchost.exe (PID: 3028) Address: 0x00770000 Address: 77824

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: svchost.exe (PID: 3028) Address: 0x00a90000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: svchost.exe (PID: 3028) Address: 0x00b20000 Address: 49152

    Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
    Process: svchost.exe (PID: 3028) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: alg.exe (PID: 2172) Address: 0x00b30000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: alg.exe (PID: 2172) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: iexplore.exe (PID: 3516) Address: 0x00b70000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: iexplore.exe (PID: 3516) Address: 0x00fd0000 Address: 49152

    Object: Hidden Module [Name: UACessxmqfulh.dll]
    Process: iexplore.exe (PID: 3516) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: iexplore.exe (PID: 3572) Address: 0x00b70000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: iexplore.exe (PID: 3572) Address: 0x00fd0000 Address: 49152

    Object: Hidden Module [Name: UACessxmqfulh.dll]
    Process: iexplore.exe (PID: 3572) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: CToolbar.exe (PID: 3980) Address: 0x01070000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: CToolbar.exe (PID: 3980) Address: 0x10000000 Address: 45056

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: iexplore.exe (PID: 3500) Address: 0x00b70000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: iexplore.exe (PID: 3500) Address: 0x00fd0000 Address: 49152

    Object: Hidden Module [Name: UACessxmqfulh.dll]
    Process: iexplore.exe (PID: 3500) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: Iexplore.exe (PID: 3312) Address: 0x00b70000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: Iexplore.exe (PID: 3312) Address: 0x00fd0000 Address: 49152

    Object: Hidden Module [Name: UACessxmqfulh.dll]
    Process: Iexplore.exe (PID: 3312) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: Iexplore.exe (PID: 1940) Address: 0x00b70000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: Iexplore.exe (PID: 1940) Address: 0x00fd0000 Address: 49152

    Object: Hidden Module [Name: UACessxmqfulh.dll]
    Process: Iexplore.exe (PID: 1940) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: Iexplore.exe (PID: 3128) Address: 0x00b70000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: Iexplore.exe (PID: 3128) Address: 0x00fd0000 Address: 49152

    Object: Hidden Module [Name: UACessxmqfulh.dll]
    Process: Iexplore.exe (PID: 3128) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: Iexplore.exe (PID: 1972) Address: 0x00b70000 Address: 45056

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: Iexplore.exe (PID: 1972) Address: 0x00fd0000 Address: 49152

    Object: Hidden Module [Name: UACessxmqfulh.dll]
    Process: Iexplore.exe (PID: 1972) Address: 0x10000000 Address: 217088

    Object: Hidden Module [Name: UACsnoeypbqbp.dll]
    Process: RootRepeal.exe (PID: 1968) Address: 0x00fc0000 Address: 49152

    Object: Hidden Module [Name: UACyvyyewqxvn.dll]
    Process: RootRepeal.exe (PID: 1968) Address: 0x10000000 Address: 45056

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
    Process: System Address: 0x89d16020 Address: 3223

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x89d114b8 Address: 2889

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
    Process: System Address: 0x89d095c8 Address: 127

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
    Process: System Address: 0x89d00698 Address: 2409

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
    Process: System Address: 0x89e22b20 Address: 1248

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x89e27c20 Address: 139

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x89d76870 Address: 1937

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
    Process: System Address: 0x89eba180 Address: 293

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
    Process: System Address: 0x89e8b940 Address: 1729

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x89ef8358 Address: 3240

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x89e8d2d8 Address: 3369

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x89e8b200 Address: 719

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x8a843698 Address: 2408

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x89eec170 Address: 3728

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x89ec9e70 Address: 401

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x89e67558 Address: 2728

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x89e609e8 Address: 907

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x89edf0f0 Address: 2735

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
    Process: System Address: 0x89f13190 Address: 551

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x8a84afa8 Address: 88

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x89e7f600 Address: 2560

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x89ee6fa8 Address: 88

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
    Process: System Address: 0x8a847178 Address: 3720

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x89e93220 Address: 3553

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x89e87580 Address: 1337

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x89b01098 Address: 958

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x89ed2fa8 Address: 88

    Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
    Process: System Address: 0x89f02348 Address: 1706

    ==EOF==
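The RootRepeal output above shows the same three randomly named UAC*.dll modules hidden inside every iexplore.exe instance and inside RootRepeal.exe itself, and reports every IRP_MJ_* dispatch entry of the Tcpip driver as hidden code. The Python script below is an added example, not part of the original thread and not RootRepeal's own code: it parses a constructed excerpt in the same report format, groups hidden modules by the processes they were found in, flags modules injected into more than one process (including the scanner), and lists drivers whose dispatch entries are reported as hooked. The process-count threshold and the scanner name are assumptions chosen for illustration.

```python
"""Summarise RootRepeal "Hidden Module" and "Hidden Code" entries.

Added example (editor's code, not RootRepeal's). SAMPLE_REPORT is a
constructed excerpt in the same format as the log in the thread.
"""
import re
from collections import defaultdict

# Constructed sample in the RootRepeal report format (not a real capture).
SAMPLE_REPORT = """\
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: iexplore.exe (PID: 3500) Address: 0x00fd0000 Address: 49152

Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: iexplore.exe (PID: 3500) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Iexplore.exe (PID: 3312) Address: 0x00fd0000 Address: 49152

Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: Iexplore.exe (PID: 3312) Address: 0x10000000 Address: 217088

Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: RootRepeal.exe (PID: 1968) Address: 0x00fc0000 Address: 49152

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x89d16020 Address: 3223

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x89d00698 Address: 2409
"""

OBJECT_RE = re.compile(r"Object:\s+Hidden Module\s+\[Name:\s+(?P<name>[^\]]+)\]")
PROCESS_RE = re.compile(
    r"Process:\s+(?P<proc>\S+)\s+\(PID:\s+(?P<pid>\d+)\)\s+"
    r"Address:\s+(?P<addr>0x[0-9a-fA-F]+)"
)
HOOK_RE = re.compile(
    r"Object:\s+Hidden Code\s+\[Driver:\s+(?P<drv>[^,]+),\s+(?P<irp>[^\]]+)\]"
)


def parse_hidden_modules(text):
    """Return [(module, process, pid, base_address)] for Hidden Module entries.

    The Object line names the module; the following Process line names the
    host process. Process names are lower-cased because the report mixes
    'iexplore.exe' and 'Iexplore.exe' for the same binary.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = OBJECT_RE.search(line)
        if m:
            current = m.group("name")
            continue
        m = PROCESS_RE.search(line)
        if m and current:
            entries.append((current, m.group("proc").lower(),
                            int(m.group("pid")), int(m.group("addr"), 16)))
            current = None
    return entries


def parse_hooked_irps(text):
    """Return {driver: [IRP major function names]} for Hidden Code entries."""
    hooks = defaultdict(list)
    for m in HOOK_RE.finditer(text):
        hooks[m.group("drv")].append(m.group("irp"))
    return dict(hooks)


def modules_by_process(entries):
    """Map module name -> set of distinct (process, pid) it was found in."""
    where = defaultdict(set)
    for name, proc, pid, _ in entries:
        where[name].add((proc, pid))
    return where


def suspicious_modules(entries, min_processes=2):
    """Modules hidden in at least min_processes distinct processes.

    Threshold is an assumption: a hidden module present in several unrelated
    processes points to system-wide injection rather than a one-off.
    """
    where = modules_by_process(entries)
    return sorted(n for n, procs in where.items() if len(procs) >= min_processes)


def injected_into_scanner(entries, scanner="rootrepeal.exe"):
    """Modules hidden inside the scanner process itself (assumed name)."""
    return sorted({n for n, proc, _, _ in entries if proc == scanner})


if __name__ == "__main__":
    ents = parse_hidden_modules(SAMPLE_REPORT)
    for name in suspicious_modules(ents):
        print("injected into multiple processes:", name)
    for name in injected_into_scanner(ents):
        print("injected into the scanner itself:", name)
    for drv, irps in parse_hooked_irps(SAMPLE_REPORT).items():
        print("driver %s has %d hooked dispatch entries" % (drv, len(irps)))
```

A module that is hidden inside the scanner's own process is the detail worth acting on: any user-mode tool started on that machine is being tampered with before it can report, which is consistent with the first post's report that Spybot will not open and Malwarebytes freezes during install.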

  5. #5
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    Download and Run ComboFix


    • ComboFix SHOULD NOT be used unless requested by a forum helper.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
    • Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

      Link 1
      Link 2
      Link 3




    • Double click on Combo-Fix.exe and follow the prompts.
    • When finished, it will produce a report for you (C:\ComboFix.txt )
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    • Combofix should never take more than 20 minutes including the reboot if malware is detected.

      IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

      Next Reply

      Please reply with:
    • ComboFix log (found at C:\Combofix.txt)
    • New HijackThis log
    MRU Master of Malware Removal University

    Member of UNITE and ASAP

  6. #6
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    Default New Reply

    Thank you so much... by the way.

    ComboFix 09-07-25.04 - Matthew Brashear4 07/26/2009 0:46.1.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1428 [GMT -7:00]
    Running from: c:\documents and settings\Matthew Brashear4\Desktop\Combo-Fix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090725-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Outdated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Matthew Brashear4\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Tools AntiVirus.lnk
    c:\windows\COUPON~1.OCX
    c:\windows\CouponPrinter.ocx
    c:\windows\Installer\9446.msi
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\drivers\UACavncnkdabu.sys
    c:\windows\system32\net.net
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\UACbaoylvdkmr.dat
    c:\windows\system32\UACbirtlropgx.dll
    c:\windows\system32\UACessxmqfulh.dll
    c:\windows\system32\uacinit.dll
    c:\windows\system32\UACmkgmmtowdl.db
    c:\windows\system32\UACsnoeypbqbp.dll
    c:\windows\system32\UACtlaromxdpx.dll
    c:\windows\system32\UACyvyyewqxvn.dll
    c:\windows\system32\wpcap.dll


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_UACd.sys


    ((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
    .

    2009-07-24 11:43 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-07-24 11:43 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-07-24 11:43 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2009-07-24 11:43 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2009-07-24 11:43 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2009-07-24 11:43 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2009-07-24 11:43 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2009-07-24 11:43 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-07-24 11:43 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
    2009-07-24 11:43 . 2009-07-24 11:43 -------- d-----w- c:\program files\Alwil Software
    2009-07-24 11:22 . 2009-07-24 11:22 -------- d-----w- c:\program files\Trend Micro
    2009-07-24 10:18 . 2009-07-24 10:18 -------- d-----w- c:\program files\Safer Networking
    2009-07-23 12:51 . 2009-07-23 12:51 1152 ----a-w- c:\windows\system32\windrv.sys
    2009-07-23 12:50 . 2009-07-23 12:50 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\GetRightToGo
    2009-07-23 12:10 . 2009-07-24 09:13 -------- d-----w- c:\program files\WinClamAVShield
    2009-07-23 12:07 . 2009-07-23 12:07 -------- d-----w- c:\program files\Crawler
    2009-07-23 12:07 . 2009-07-25 07:14 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\Spyware Terminator
    2009-07-23 12:07 . 2009-07-23 12:07 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
    2009-07-23 12:07 . 2009-07-26 07:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spyware Terminator
    2009-07-23 12:07 . 2009-07-24 12:38 -------- d-----w- c:\program files\Spyware Terminator
    2009-07-23 10:59 . 2009-07-23 10:59 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-23 10:17 . 2009-04-03 18:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2009-07-23 10:17 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
    2009-07-23 10:14 . 2009-07-23 10:14 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\PC Tools
    2009-07-23 10:13 . 2009-07-23 10:17 -------- d-----w- c:\program files\Common Files\PC Tools
    2009-07-23 10:13 . 2009-02-10 17:13 21904 ----a-w- c:\windows\system32\drivers\AVRec.sys
    2009-07-23 10:13 . 2009-02-10 17:13 28560 ----a-w- c:\windows\system32\drivers\AVHook.sys
    2009-07-23 10:13 . 2009-02-10 17:13 21904 ----a-w- c:\windows\system32\drivers\AVFilter.sys
    2009-07-23 10:13 . 2009-07-26 07:57 -------- d-----w- c:\program files\PC Tools AntiVirus
    2009-07-23 10:13 . 2009-07-23 10:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Tools
    2009-07-22 13:51 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2009-07-22 13:51 . 2009-07-22 13:51 -------- d-----w- c:\program files\Panda Security
    2009-07-22 13:41 . 2009-07-22 13:41 -------- d-----w- c:\program files\Windows Defender
    2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\program files\Webroot
    2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\Webroot
    2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Webroot
    2009-07-22 11:24 . 2009-05-13 22:39 1563008 ----a-w- c:\windows\WRSetup.dll
    2009-07-22 11:22 . 2009-07-22 11:31 164 ----a-w- c:\windows\install.dat
    2009-07-22 10:44 . 2009-07-22 10:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SITEguard
    2009-07-22 10:44 . 2009-07-22 11:06 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\STOPzilla!
    2009-07-22 10:44 . 2009-07-22 10:44 -------- d-----w- c:\program files\Common Files\iS3
    2009-07-22 10:03 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-22 10:03 . 2009-07-24 11:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-22 10:03 . 2009-07-22 10:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
    2009-07-22 10:03 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-30 09:58 . 2009-06-30 09:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-06-30 09:58 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-06-30 07:59 . 2009-06-30 07:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2009-06-30 05:57 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-26 07:31 . 2008-05-13 00:24 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
    2009-07-25 11:52 . 2008-07-19 06:50 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\BitTorrent
    2009-07-23 10:06 . 2008-07-29 16:34 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2009-07-23 10:06 . 2008-07-29 16:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-22 12:12 . 2009-01-09 23:02 -------- d-----w- c:\program files\AIM Toolbar
    2009-07-22 10:48 . 2009-07-22 10:45 2296 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
    2009-07-22 10:46 . 2009-07-22 10:45 736 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
    2009-07-08 19:56 . 2009-01-09 23:57 -------- d-----w- c:\program files\Coupons
    2009-06-30 05:52 . 2008-05-10 19:05 -------- d-----w- c:\program files\Lavasoft
    2009-06-30 05:52 . 2008-03-13 08:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
    2009-06-30 05:40 . 2008-12-24 09:56 -------- d-----w- c:\program files\CCleaner
    2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-11 13:02 . 2007-12-21 02:38 -------- d-----w- c:\program files\Microsoft Works
    2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-13 10:40 . 2009-05-13 10:40 34062 ----a-w- c:\documents and settings\Matthew Brashear4\Application Data\Move Networks\ie_bin\Uninst.exe
    2009-05-13 05:15 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-09 16:57 . 2008-07-29 17:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-05-09 16:57 . 2008-07-29 17:11 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-05-09 16:57 . 2008-07-29 17:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-05-09 16:57 . 2008-07-29 17:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-05-07 15:32 . 2004-08-10 18:51 345600 ----a-w- c:\windows\system32\localspl.dll
    2008-02-02 10:07 . 2008-03-19 02:40 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
    2008-02-02 10:07 . 2008-03-19 02:40 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
    2008-02-02 10:07 . 2008-03-19 02:40 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
    2008-02-02 10:07 . 2008-03-19 02:40 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
    2008-02-02 10:07 . 2008-03-19 02:40 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-07-23 2173440]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Viewpoint Manager Service"=2 (0x2)
    "TrkWks"=2 (0x2)
    "STacSV"=2 (0x2)
    "ose"=3 (0x3)
    "MDM"=2 (0x2)
    "LVPrcSrv"=2 (0x2)
    "Lavasoft Ad-Aware Service"=2 (0x2)
    "iPod Service"=3 (0x3)
    "gusvc"=3 (0x3)
    "Fax"=2 (0x2)
    "dmadmin"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "avg8wd"=2 (0x2)
    "avg8emc"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\MA Lighting Technologies\\grandMA\\grandMA onPC 5.831\\gmaOnPC.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/29/2009 10:57 PM 64160]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/22/2009 6:51 AM 28544]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/23/2009 3:17 AM 130936]
    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/24/2009 4:43 AM 114768]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/29/2008 10:11 AM 325896]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/29/2008 10:11 AM 108552]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [7/23/2009 5:07 AM 142592]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2009 4:43 AM 20560]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/29/2008 10:11 AM 908568]
    S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/29/2008 10:11 AM 298776]
    S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/24/2008 7:46 PM 24652]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - SP_RSDRV2
    *Deregistered* - mchInjDrv

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-SITEguard - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: Crawler Search - tbr:iemenu
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    Trusted Zone: mgm-mirage.com\secure03
    Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
    FF - ProfilePath - c:\docume~1\MATTHE~1\APPLIC~1\Mozilla\Firefox\Profiles\cvu6mhm6.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 81
    FF - prefs.js: network.proxy.socks - 127.0.0.1
    FF - prefs.js: network.proxy.socks_port - 81
    FF - prefs.js: network.proxy.ssl - 127.0.0.1
    FF - prefs.js: network.proxy.ssl_port - 81
    FF - prefs.js: network.proxy.type - 1
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-26 00:58
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes


    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
    c:\program files\Spyware Terminator\sp_rsser.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-26 1:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-26 08:09

    Pre-Run: 27,424,641,024 bytes free
    Post-Run: 27,885,830,144 bytes free

    234 --- E O F --- 2009-07-24 04:37




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:16:29 AM, on 7/26/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60347
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 3853 bytes
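The Firefox lines in the ComboFix log above (network.proxy.type 1 with http, ssl and socks all set to 127.0.0.1 port 81) mean every Firefox request was being routed through whatever was listening on local port 81, which fits the redirect symptoms in the first post. The script below is an added example, not part of the original thread and not ComboFix's code: it parses a constructed prefs.js mirroring those values, flags a manual proxy that points at the loopback address, and produces a cleaned copy with direct connections restored. The empty port allow-list is an assumption; some legitimate local software (for instance a web-filtering component of an anti-virus product) also proxies on loopback, so compare any flagged port against what is actually installed before treating it as malicious.

```python
"""Detect and reset a loopback proxy hijack in a Firefox prefs.js.

Added example (editor's code, not ComboFix's or Mozilla's). SAMPLE_PREFS is a
constructed file that mirrors the values ComboFix reported in the thread.
"""
import re

# Constructed prefs.js excerpt (not copied from the infected machine).
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.yahoo.com/");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 81);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 81);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 81);
user_pref("network.proxy.type", 1);
"""

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PROTOCOLS = ("http", "ssl", "socks", "ftp")
MANUAL_PROXY = 1   # Firefox: 0 = direct, 1 = manual, 2 = PAC, 5 = system


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict of str/int/bool values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def loopback_proxies(prefs, allowed_ports=frozenset()):
    """Return [(protocol, host, port)] for manual proxies on loopback.

    allowed_ports (assumption: empty by default) lets you exclude a port that
    a known local product legitimately listens on.
    """
    if prefs.get("network.proxy.type") != MANUAL_PROXY:
        return []
    found = []
    for proto in PROTOCOLS:
        host = prefs.get("network.proxy.%s" % proto)
        port = prefs.get("network.proxy.%s_port" % proto)
        if host in LOOPBACK and port not in allowed_ports:
            found.append((proto, host, port))
    return found


def reset_proxy_prefs(prefs):
    """Copy of prefs with manual proxy entries dropped and direct access set."""
    cleaned = {k: v for k, v in prefs.items() if not k.startswith("network.proxy.")}
    cleaned["network.proxy.type"] = 0
    return cleaned


def render_prefs(prefs):
    """Serialise back to user_pref(...) lines (bool checked before int)."""
    lines = []
    for key in sorted(prefs):
        val = prefs[key]
        if isinstance(val, bool):
            s = "true" if val else "false"
        elif isinstance(val, int):
            s = str(val)
        else:
            s = '"%s"' % val
        lines.append('user_pref("%s", %s);' % (key, s))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    for proto, host, port in loopback_proxies(prefs):
        print("manual %s proxy on %s:%s" % (proto, host, port))
    print(render_prefs(reset_proxy_prefs(prefs)))
```

Resetting prefs.js only removes the symptom; the listener on port 81 is the thing to find and remove, and the hidden UAC*.dll modules and tcpip.sys hooks in the RootRepeal output are where to look for it.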

  7. #7
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    Remove one of your Anti Virus programs.

    You are operating multiple Anti Virus programs on your computer:

    • PCTools Antivirus
    • AVAST
    • There are also signs of AVG
    • Spyware Terminator also has an option to include ClamAV



    It is NOT safe to have more than one anti-virus installed on a system; doing so not only does not provide better protection, it will actually cause additional problems. Anti-virus programs patch into the system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and it WILL cause crashes! You MUST remove all but one anti-virus program.



    Install Recovery Console via Combofix


    ***************************************************
    IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.
    ***************************************************


    • With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.
    • The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
    • Go to Microsoft's website => http://support.microsoft.com/kb/310994
    • Select the download that's appropriate for your Operating System

    • Download the file and save it under its original name.




    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

    • At the next prompt, click 'Yes' to run the full ComboFix scan.
    • When the tool is finished, it will produce a report for you.



    Next Reply

    Please reply with:

    • ComboFix log (found at C:\Combofix.txt)
    • New HijackThis log

  8. #8
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    Default Soon

    Sorry, I am swamped at work... I will post the next data soon. Is that OK? Thank you so much!!!

  9. #9
    Emeritus- Malware Team
    Join Date
    Oct 2008
    Location
    Cornwall, UK
    Posts
    592

    Default

    Hello!

    That is ok. Keep me posted on your progress.

  10. #10
    Junior Member
    Join Date
    Jul 2009
    Posts
    8

    Default question.

    So, on the Windows webpage it is asking me to download "Boot Disks"? Is this what I want?

    Also, I checked my control panel and it appears I am running Service Pack 3, which is not an option....?

    And is this going to erase my hard drive? Do I need to remove all my data and files?
