Major Redirect problem/Won't open spybot
Hello,
So I have a major problem with my computer. It redirects me away from most adware and Spybot search pages. Launches a browser window with advertisements and has played a few audio files in the background of my computer.
I can't open Spybot.
It says "Can't Connect to Server" with AdAware.
CCleaner will run and I have deleted some things with this.
Spyware Terminator will run and delete things, but doesn't help.
I have tried to download Malwarebytes Anti-Malware but it freezes during install. I have even tried doing it in "SAFE MODE" and saving it under a different exe name, but that doesn't help.
Fix Vundo runs but doesn't help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:38 AM, on 7/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispat...=%s&tbid=60347
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60347
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60347
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 3432 bytes
Please help. Mathers
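The HijackThis log above lists the same Crawler DLL under several browser extension points. The script below is an added example for this thread (not HijackThis code and not part of the original post) that parses HijackThis entries and groups them by the file they load and by CLSID, so that one component registered as URLSearchHook, BHO, toolbar and protocol handler shows up as a single finding. SAMPLE_LOG is a constructed excerpt in the same format as the posted log.

```python
"""Cross-reference helper for a HijackThis log.

Added as an example for this thread; it is not HijackThis code and was not
part of the original post. Each HijackThis line is a section code (R0..R3,
O2, O3, O4, O18, O23, ...) followed by a description that usually ends in a
CLSID and/or a file path. Grouping the entries by the file they load and by
CLSID shows which lines are the same component registered under several
browser extension points. SAMPLE_LOG is a constructed excerpt in the same
format as the log above.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\\PROGRA~1\\Crawler\\Toolbar\\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\\PROGRA~1\\Crawler\\Toolbar\\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\\PROGRA~1\\Crawler\\Toolbar\\ctbr.dll
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\\PROGRA~1\\Crawler\\Toolbar\\ctbr.dll
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\\Program Files\\PC Tools AntiVirus\\PCTAVSvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
RUN_PATH_RE = re.compile(r"\]\s+\"?([A-Za-z]:\\[^\"]+?)\"?\s*$")  # O4: [name] "path"


def extract_path(body):
    """Return the file path an entry loads, lower-cased, or None.

    For most sections the path is the last ' - ' separated field; O4 (Run
    keys) put it after the bracketed value name instead.
    """
    tail = body.rsplit(" - ", 1)[-1].strip()
    if DRIVE_RE.match(tail):
        return tail.lower()
    m = RUN_PATH_RE.search(body)
    return m.group(1).lower() if m else None


def parse_entries(text):
    """Parse every 'Xn - ...' line into a dict with code, clsid and path."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": extract_path(body),
        })
    return entries


def group_by(entries, key):
    """Map each distinct clsid/path to the list of section codes using it."""
    groups = defaultdict(list)
    for e in entries:
        if e[key]:
            groups[e[key]].append(e["code"])
    return dict(groups)


def shared_components(entries, min_entries=2):
    """Files registered under several extension points at once, e.g. one DLL
    acting as URLSearchHook, BHO, toolbar and protocol handler."""
    return {p: c for p, c in group_by(entries, "path").items() if len(c) >= min_entries}


if __name__ == "__main__":
    for path, codes in shared_components(parse_entries(SAMPLE_LOG)).items():
        print(f"{path}: {', '.join(codes)}")
```

Run against the full log the grouping is what a helper does by eye: every R3/O2/O3/O18 line that resolves to the same DLL is one uninstall, not four separate fixes.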
-
Hello and welcome to the forums!
My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
- I will be working on your malware issues; this may or may not solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- If you don't know or understand something, please don't hesitate to ask.
- Please DO NOT run any other tools or scans whilst I am helping you.
- It is important that you reply to this thread. Do not start a new topic.
- Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
- Absence of symptoms does not mean that everything is clear.
No Reply Within 4 Days Will Result In Your Topic Being Closed!!
STEP 1
Download DDS
Please download DDS by sUBs from one of the links below and save it to your desktop:
Download DDS and save it to your desktop from:
Link 1
Link 2
Please disable any anti-malware program that will block scripts from running before running DDS.
- Double-Click on dds.scr and a command window will appear. This is normal.
- Shortly after, two logs will appear:
- A window will open instructing you save & post the logs
- Save the logs to a convenient place such as your desktop
- Copy the contents of both logs & post in your next reply
STEP 2
RootRepeal - Rootkit Detector
Download RootRepeal.zip and unzip it to your Desktop.
- Double click RootRepeal.exe to start the program
- Click on the Report tab at the bottom of the program window
- Click the Scan button
- In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
- Click the OK button
- In the next dialog, select all drives showing
- Click OK to start the scan
The scan can take some time. DO NOT run any other programs while the scan is running
- When the scan is complete, the Save Report button will become available
- Click this and save the report to your Desktop as RootRepeal.txt
- Go to File, then Exit to close the program
Next Reply
Please reply with:
- DDS.txt
- Attach.txt
- RootRepeal.txt
-
DDS And Attach
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-06-26.01)
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/15/2008 11:20:25 AM
System Uptime: 7/25/2009 12:09:52 AM (0 hours ago)
Motherboard: Dell Inc. | | 0TT347
Processor: Intel(R) Core(TM)2 Duo CPU T5470 @ 1.60GHz | Microprocessor | 1180/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 146 GiB total, 25.25 GiB free.
D: is CDROM (CDFS)
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1490 Dual Band WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4312&SUBSYS_00071028&REV_01\4&AB208E&0&00E1
Manufacturer: Broadcom
Name: Dell Wireless 1490 Dual Band WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4312&SUBSYS_00071028&REV_01\4&AB208E&0&00E1
Service: BCM43XX
==== System Restore Points ===================
RP1: 7/22/2009 1:10:10 AM - System Checkpoint
RP2: 7/22/2009 1:10:11 AM - System Checkpoint
RP3: 7/22/2009 1:10:11 AM - Software Distribution Service 3.0
RP4: 7/22/2009 1:10:11 AM - System Checkpoint
RP5: 7/22/2009 1:10:11 AM - System Checkpoint
RP6: 7/22/2009 1:10:11 AM - System Checkpoint
RP7: 7/22/2009 1:10:12 AM - System Checkpoint
RP8: 7/22/2009 1:10:12 AM - System Checkpoint
RP9: 7/22/2009 1:10:12 AM - System Checkpoint
RP10: 7/22/2009 1:10:12 AM - System Checkpoint
RP11: 7/22/2009 1:10:13 AM - System Checkpoint
RP12: 7/22/2009 1:10:13 AM - System Checkpoint
RP13: 7/22/2009 1:10:13 AM - System Checkpoint
RP14: 7/22/2009 1:10:14 AM - Software Distribution Service 3.0
RP15: 7/22/2009 1:10:14 AM - Software Distribution Service 3.0
RP16: 7/22/2009 1:10:15 AM - System Checkpoint
RP17: 7/22/2009 1:10:15 AM - Software Distribution Service 3.0
RP18: 7/22/2009 1:10:15 AM - System Checkpoint
RP19: 7/22/2009 1:10:16 AM - System Checkpoint
RP20: 7/22/2009 1:10:16 AM - System Checkpoint
RP21: 7/22/2009 1:10:17 AM - System Checkpoint
RP22: 7/22/2009 1:10:17 AM - System Checkpoint
RP23: 7/22/2009 1:10:18 AM - System Checkpoint
RP24: 7/22/2009 1:10:18 AM - System Checkpoint
RP25: 7/22/2009 1:10:19 AM - System Checkpoint
RP26: 7/22/2009 1:10:19 AM - System Checkpoint
RP27: 7/22/2009 1:10:19 AM - System Checkpoint
RP28: 7/22/2009 1:10:20 AM - System Checkpoint
RP29: 7/22/2009 1:10:20 AM - System Checkpoint
RP30: 7/22/2009 1:10:20 AM - System Checkpoint
RP31: 7/22/2009 1:10:21 AM - Software Distribution Service 3.0
RP32: 7/22/2009 1:10:21 AM - System Checkpoint
RP33: 7/22/2009 1:10:22 AM - System Checkpoint
RP34: 7/22/2009 1:10:22 AM - System Checkpoint
==== Installed Programs ======================
==== Event Viewer Messages From Past Week ========
==== End Of File ===========================
And
DDS (Ver_09-06-26.01) - NTFSx86
Run by Matthew Brashear4 at 0:19:54.76 on Sat 07/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1338 [GMT -7:00]
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1335 [VPS 090724-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matthew Brashear4\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60347
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.crawler.com/search/ie.aspx?tb_id=60347
mCustomizeSearch = hxxp://dnl.crawler.com/support/sa_customize.aspx?TbId=60347
uURLSearchHooks: N/A: {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
TB: {02F7A7EB-89F8-47FF-A75C-52C1060EC144} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: Crawler Search - tbr:iemenu
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: mgm-mirage.com\secure03
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath -
============= SERVICES / DRIVERS ===============
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-29 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-22 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-23 130936]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-24 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-29 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-29 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-24 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-24 138680]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-7-23 21904]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-7-23 826600]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-7-23 28560]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-24 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-24 352920]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-29 908568]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-29 298776]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-24 24652]
=============== Created Last 30 ================
2009-07-24 04:22 <DIR> --d----- c:\program files\Trend Micro
2009-07-24 03:18 <DIR> --d----- c:\program files\Safer Networking
2009-07-23 05:50 <DIR> --d----- c:\docume~1\matthe~1\applic~1\GetRightToGo
2009-07-23 05:10 <DIR> --d----- c:\program files\WinClamAVShield
2009-07-23 05:07 <DIR> --d----- c:\program files\Crawler
2009-07-23 05:07 <DIR> --d----- c:\docume~1\matthe~1\applic~1\Spyware Terminator
2009-07-23 05:07 <DIR> --d----- c:\program files\Spyware Terminator
2009-07-23 05:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-07-23 03:59 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 03:14 <DIR> --d----- c:\docume~1\matthe~1\applic~1\PC Tools
2009-07-23 03:13 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-23 03:13 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-07-23 03:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-22 06:51 <DIR> --d----- c:\program files\Panda Security
2009-07-22 04:24 <DIR> --d----- c:\program files\Webroot
2009-07-22 04:24 <DIR> --d----- c:\docume~1\matthe~1\applic~1\Webroot
2009-07-22 04:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-07-22 03:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-07-22 03:44 <DIR> --d----- c:\program files\common files\iS3
2009-07-22 03:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-07-22 03:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 03:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
==================== Find3M ====================
2008-12-26 13:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122620081227\index.dat
============= FINISH: 0:21:42.00 ===============
-
Rootrepeal
OK, I had a problem getting this to complete. It says "could not read system registry. Contact the author".
But here is what it came up with.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/07/25 00:28
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9C770000 Size: 778240 File Visible: No Signed: -
Status: -
Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xBA780000 Size: 2560 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5F74000 Size: 49152 File Visible: No Signed: -
Status: -
Stealth Objects
-------------------
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: winlogon.exe (PID: 752) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: winlogon.exe (PID: 752) Address: 0x00980000 Address: 49152
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: services.exe (PID: 800) Address: 0x00a80000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: services.exe (PID: 800) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: lsass.exe (PID: 812) Address: 0x00b10000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: lsass.exe (PID: 812) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 988) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 988) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 988) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UACbirtlropgx.dll]
Process: svchost.exe (PID: 988) Address: 0x00bc0000 Address: 73728
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 988) Address: 0x00e60000 Address: 45056
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: svchost.exe (PID: 988) Address: 0x03100000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 988) Address: 0x03460000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 988) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1080) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1080) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1080) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1080) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: MsMpEng.exe (PID: 1180) Address: 0x00bd0000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: MsMpEng.exe (PID: 1180) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1224) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1224) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1224) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1224) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1320) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1320) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1320) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1320) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1408) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1408) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1408) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1408) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: WLTRYSVC.EXE (PID: 1456) Address: 0x00e30000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: WLTRYSVC.EXE (PID: 1456) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: bcmwltry.exe (PID: 1488) Address: 0x00d30000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: bcmwltry.exe (PID: 1488) Address: 0x01030000 Address: 49152
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: aswUpdSv.exe (PID: 1552) Address: 0x00e30000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: aswUpdSv.exe (PID: 1552) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: ashServ.exe (PID: 1700) Address: 0x00e40000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: ashServ.exe (PID: 1700) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Explorer.EXE (PID: 1928) Address: 0x00d50000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Explorer.EXE (PID: 1928) Address: 0x00e00000 Address: 49152
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: Explorer.EXE (PID: 1928) Address: 0x10000000 Address: 77824
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: ashDisp.exe (PID: 356) Address: 0x00e40000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: ashDisp.exe (PID: 356) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: ctfmon.exe (PID: 372) Address: 0x00d90000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: ctfmon.exe (PID: 372) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: spoolsv.exe (PID: 1300) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: spoolsv.exe (PID: 1300) Address: 0x00d80000 Address: 49152
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1740) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1740) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1740) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1740) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 1884) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 1884) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 1884) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 1884) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 2008) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 2008) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 2008) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 2008) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: PCTAVSvc.exe (PID: 2788) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: PCTAVSvc.exe (PID: 2788) Address: 0x01160000 Address: 49152
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 2804) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 2804) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 2804) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 2804) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: sp_rsser.exe (PID: 2892) Address: 0x00c20000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: sp_rsser.exe (PID: 2892) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACtlaromxdpx.dll]
Process: svchost.exe (PID: 3028) Address: 0x00770000 Address: 77824
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: svchost.exe (PID: 3028) Address: 0x00a90000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: svchost.exe (PID: 3028) Address: 0x00b20000 Address: 49152
Object: Hidden Module [Name: UAC50ea.tmpmqfulh.dll]
Process: svchost.exe (PID: 3028) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: alg.exe (PID: 2172) Address: 0x00b30000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: alg.exe (PID: 2172) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: iexplore.exe (PID: 3516) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: iexplore.exe (PID: 3516) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: iexplore.exe (PID: 3516) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: iexplore.exe (PID: 3572) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: iexplore.exe (PID: 3572) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: iexplore.exe (PID: 3572) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: CToolbar.exe (PID: 3980) Address: 0x01070000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: CToolbar.exe (PID: 3980) Address: 0x10000000 Address: 45056
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: iexplore.exe (PID: 3500) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: iexplore.exe (PID: 3500) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: iexplore.exe (PID: 3500) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Iexplore.exe (PID: 3312) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Iexplore.exe (PID: 3312) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: Iexplore.exe (PID: 3312) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Iexplore.exe (PID: 1940) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Iexplore.exe (PID: 1940) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: Iexplore.exe (PID: 1940) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Iexplore.exe (PID: 3128) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Iexplore.exe (PID: 3128) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: Iexplore.exe (PID: 3128) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: Iexplore.exe (PID: 1972) Address: 0x00b70000 Address: 45056
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: Iexplore.exe (PID: 1972) Address: 0x00fd0000 Address: 49152
Object: Hidden Module [Name: UACessxmqfulh.dll]
Process: Iexplore.exe (PID: 1972) Address: 0x10000000 Address: 217088
Object: Hidden Module [Name: UACsnoeypbqbp.dll]
Process: RootRepeal.exe (PID: 1968) Address: 0x00fc0000 Address: 49152
Object: Hidden Module [Name: UACyvyyewqxvn.dll]
Process: RootRepeal.exe (PID: 1968) Address: 0x10000000 Address: 45056
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x89d16020 Address: 3223
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89d114b8 Address: 2889
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x89d095c8 Address: 127
Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x89d00698 Address: 2409
Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x89e22b20 Address: 1248
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89e27c20 Address: 139
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89d76870 Address: 1937
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x89eba180 Address: 293
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x89e8b940 Address: 1729
Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89ef8358 Address: 3240
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89e8d2d8 Address: 3369
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89e8b200 Address: 719
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a843698 Address: 2408
Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89eec170 Address: 3728
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ec9e70 Address: 401
Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e67558 Address: 2728
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e609e8 Address: 907
Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89edf0f0 Address: 2735
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x89f13190 Address: 551
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a84afa8 Address: 88
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89e7f600 Address: 2560
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89ee6fa8 Address: 88
Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8a847178 Address: 3720
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e93220 Address: 3553
Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89e87580 Address: 1337
Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89b01098 Address: 958
Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89ed2fa8 Address: 88
Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x89f02348 Address: 1706
==EOF==
-
Thank you so much... by the way.
ComboFix 09-07-25.04 - Matthew Brashear4 07/26/2009 0:46.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1428 [GMT -7:00]
Running from: c:\documents and settings\Matthew Brashear4\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090725-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning enabled* (Outdated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Matthew Brashear4\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Tools AntiVirus.lnk
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\9446.msi
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACavncnkdabu.sys
c:\windows\system32\net.net
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\UACbaoylvdkmr.dat
c:\windows\system32\UACbirtlropgx.dll
c:\windows\system32\UACessxmqfulh.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmkgmmtowdl.db
c:\windows\system32\UACsnoeypbqbp.dll
c:\windows\system32\UACtlaromxdpx.dll
c:\windows\system32\UACyvyyewqxvn.dll
c:\windows\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.
2009-07-24 11:43 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-24 11:43 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-24 11:43 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-24 11:43 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-24 11:43 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-24 11:43 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-24 11:43 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-24 11:43 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-24 11:43 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-24 11:43 . 2009-07-24 11:43 -------- d-----w- c:\program files\Alwil Software
2009-07-24 11:22 . 2009-07-24 11:22 -------- d-----w- c:\program files\Trend Micro
2009-07-24 10:18 . 2009-07-24 10:18 -------- d-----w- c:\program files\Safer Networking
2009-07-23 12:51 . 2009-07-23 12:51 1152 ----a-w- c:\windows\system32\windrv.sys
2009-07-23 12:50 . 2009-07-23 12:50 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\GetRightToGo
2009-07-23 12:10 . 2009-07-24 09:13 -------- d-----w- c:\program files\WinClamAVShield
2009-07-23 12:07 . 2009-07-23 12:07 -------- d-----w- c:\program files\Crawler
2009-07-23 12:07 . 2009-07-25 07:14 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\Spyware Terminator
2009-07-23 12:07 . 2009-07-23 12:07 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-07-23 12:07 . 2009-07-26 07:59 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2009-07-23 12:07 . 2009-07-24 12:38 -------- d-----w- c:\program files\Spyware Terminator
2009-07-23 10:59 . 2009-07-23 10:59 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-23 10:17 . 2009-04-03 18:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-23 10:17 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-23 10:14 . 2009-07-23 10:14 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\PC Tools
2009-07-23 10:13 . 2009-07-23 10:17 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-23 10:13 . 2009-02-10 17:13 21904 ----a-w- c:\windows\system32\drivers\AVRec.sys
2009-07-23 10:13 . 2009-02-10 17:13 28560 ----a-w- c:\windows\system32\drivers\AVHook.sys
2009-07-23 10:13 . 2009-02-10 17:13 21904 ----a-w- c:\windows\system32\drivers\AVFilter.sys
2009-07-23 10:13 . 2009-07-26 07:57 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-07-23 10:13 . 2009-07-23 10:14 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\PC Tools
2009-07-22 13:51 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-07-22 13:51 . 2009-07-22 13:51 -------- d-----w- c:\program files\Panda Security
2009-07-22 13:41 . 2009-07-22 13:41 -------- d-----w- c:\program files\Windows Defender
2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\program files\Webroot
2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\Webroot
2009-07-22 11:24 . 2009-07-22 11:24 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Webroot
2009-07-22 11:24 . 2009-05-13 22:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-07-22 11:22 . 2009-07-22 11:31 164 ----a-w- c:\windows\install.dat
2009-07-22 10:44 . 2009-07-22 10:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SITEguard
2009-07-22 10:44 . 2009-07-22 11:06 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\STOPzilla!
2009-07-22 10:44 . 2009-07-22 10:44 -------- d-----w- c:\program files\Common Files\iS3
2009-07-22 10:03 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-22 10:03 . 2009-07-24 11:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 10:03 . 2009-07-22 10:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-22 10:03 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 09:58 . 2009-06-30 09:58 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-30 09:58 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-30 07:59 . 2009-06-30 07:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-30 05:57 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 07:31 . 2008-05-13 00:24 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-25 11:52 . 2008-07-19 06:50 -------- d-----w- c:\documents and settings\Matthew Brashear4\Application Data\BitTorrent
2009-07-23 10:06 . 2008-07-29 16:34 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-23 10:06 . 2008-07-29 16:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-22 12:12 . 2009-01-09 23:02 -------- d-----w- c:\program files\AIM Toolbar
2009-07-22 10:48 . 2009-07-22 10:45 2296 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-22 10:46 . 2009-07-22 10:45 736 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-07-08 19:56 . 2009-01-09 23:57 -------- d-----w- c:\program files\Coupons
2009-06-30 05:52 . 2008-05-10 19:05 -------- d-----w- c:\program files\Lavasoft
2009-06-30 05:52 . 2008-03-13 08:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-06-30 05:40 . 2008-12-24 09:56 -------- d-----w- c:\program files\CCleaner
2009-06-16 14:36 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 18:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-11 13:02 . 2007-12-21 02:38 -------- d-----w- c:\program files\Microsoft Works
2009-06-03 19:09 . 2004-08-10 18:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 10:40 . 2009-05-13 10:40 34062 ----a-w- c:\documents and settings\Matthew Brashear4\Application Data\Move Networks\ie_bin\Uninst.exe
2009-05-13 05:15 . 2004-08-10 18:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 16:57 . 2008-07-29 17:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-09 16:57 . 2008-07-29 17:11 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 16:57 . 2008-07-29 17:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-09 16:57 . 2008-07-29 17:11 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2004-08-10 18:51 345600 ----a-w- c:\windows\system32\localspl.dll
2008-02-02 10:07 . 2008-03-19 02:40 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-02 10:07 . 2008-03-19 02:40 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-02 10:07 . 2008-03-19 02:40 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-02 10:07 . 2008-03-19 02:40 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-02 10:07 . 2008-03-19 02:40 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-07-23 2173440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"TrkWks"=2 (0x2)
"STacSV"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Fax"=2 (0x2)
"dmadmin"=3 (0x3)
"Bonjour Service"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MA Lighting Technologies\\grandMA\\grandMA onPC 5.831\\gmaOnPC.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/29/2009 10:57 PM 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/22/2009 6:51 AM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/23/2009 3:17 AM 130936]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 6:27 PM 29808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/24/2009 4:43 AM 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/29/2008 10:11 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/29/2008 10:11 AM 108552]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [7/23/2009 5:07 AM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2009 4:43 AM 20560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/29/2008 10:11 AM 908568]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/29/2008 10:11 AM 298776]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/24/2008 7:46 PM 24652]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - SP_RSDRV2
*Deregistered* - mchInjDrv
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Crawler Search - tbr:iemenu
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: mgm-mirage.com\secure03
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
FF - ProfilePath - c:\docume~1\MATTHE~1\APPLIC~1\Mozilla\Firefox\Profiles\cvu6mhm6.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 81
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 81
FF - prefs.js: network.proxy.ssl - 127.0.0.1
FF - prefs.js: network.proxy.ssl_port - 81
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 00:58
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-07-26 1:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 08:09
Pre-Run: 27,424,641,024 bytes free
Post-Run: 27,885,830,144 bytes free
234 --- E O F --- 2009-07-24 04:37
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:29 AM, on 7/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_cu...spx?TbId=60347
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 3853 bytes
-
Soon
Sorry, I am swamped at work... I will post the next data soon. Is that OK? Thank you so much!!!
-
Hello!
That is ok. Keep me posted on your progress.
-
question.
So, on the Windows webpage it is asking me to download "Boot Disks"? Is this what I want?
Also, I checked my control panel and it appears I am running Service Pack 3, which is not an option...?
And is this going to erase my hard drive? Do I need to remove all my data and files?