Problems with internet connectivity -(Resolved)

[dshap]

Most notable things that are affected are in iTunes it always says "Accessing iTunes Store" and I can't post reviews on iPhone apps and stuff. Also, Steam crashes when I log in which I've read is due to virus(es). CWSShredder can't update itself. And I'm pretty sure there are issues with Gmail and other web apps sometimes.


I ran a fully updated Spybot S&D and it found 1 object and supposedly removed it (it was a UAC injector registry infection - like 3 keys).

I ran a fully updated Avast! virus scan and it found the following:

C:\System Volume Information\_restore{163EC41D-096B-4921-9127-82A1522F434F}\RP37\A0007199.sys
Win32:Alureon-BX [Rtk]
Rootkit


C:\WINDOWS\system32\wiawow32.sys
Win32:Trojan-gen {Other}
Virus/Worm

and *supposedly* fixed them - can't ever be too sure though.

I ran the Kaspersky free online scan and it found the following:

C:\WINDOWS\system32\drivers\6953d92cb3fa36.sys Infected: Trojan-Dropper.Win32.Agent.awen

I've tried deleting that file multiple times and it just won't go away - even in safe mode.

Finally I think I should mention that when I shutdown/restart my computer, I pretty much always get a BSOD that has the following information:

BAD_POOL_HEADER

STOP: 0x00000019 (0x00000020, 0xE19C58C8, 0xE19C5980, 0x0C17060F)


If anyone can help me out I'd really appreciate it. I ran HJT and this is what it spat out:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:12 PM, on 7/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'Default user')
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243841178109
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\Manson\liser.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: e5yw3yhaqghraewh3ye3hbsshsnqqa80 - Unknown owner - C:\WINDOWS\e5yw3yhaqghraewh3ye3hbsshsnqqa81.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5844 bytes


That "liser.exe" does not look too friendly...no idea what to do with it though.

Thanks so much for any help in advance, as always.

- dshap

 

[katana]

Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

1. Please Read All Instructions Carefully
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you
4. Failure to reply within 5 days will result in the topic being closed.
5. Please continue to respond until I give you the "All Clear"
   (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------


Step 1

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
• If requested, please reboot
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

----------------------------------------------------------------------------------------
Step 2


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

• You must download it to and run it from your Desktop
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply
• Re-enable all the programs that were disabled during the running of ComboFix..

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

----------------------------------------------------------------------------------------
Step 3


Installed Programs

Please could you give me a list of the programs that are installed.

• Start HijackThis
• Click on the Misc Tools button
• Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

• MalwareBytes Log
• Combofix Log
• Installed Programs List
• How are things running now ?

 

[dshap]

Malwarebytes' Anti-Malware 1.39
Database version: 2476
Windows 5.1.2600 Service Pack 3

7/21/2009 9:51:20 PM
mbam-log-2009-07-21 (21-51-20).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140974
Time elapsed: 24 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\e5yw3yhaqghraewh3ye3hbsshsnqqa80 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\e5yw3yhaqghraewh3ye3hbsshsnqqa80 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\e5yw3yhaqghraewh3ye3hbsshsnqqa80 (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Manson (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\e5yw3yhaqghraewh3ye3hbsshsnqqa81.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACcntmhxfyecjberg.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACfoklptwmdepvuui.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACmtetpaumtonwkgl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACoevmawahgqoaykk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACwevgrxvrerujexg.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACxiqkuuypiopqjnq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\UACyyuecbqobsmawyfvm.dll (Trojan.Agent) -> Quarantined and deleted successfully.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~






ComboFix 09-07-21.02 - Daniel 07/21/2009 22:01.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1662 [GMT -4:00]
Running from: c:\documents and settings\Daniel\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090719-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\92854526.ini
c:\documents and settings\Daniel\Application Data\.#
c:\windows\system32\UACthoroveckrjsrod.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UACD.SYS
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-22 01:23 . 2009-07-22 01:23 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2009-07-22 01:23 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-22 01:23 . 2009-07-22 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 01:23 . 2009-07-22 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-22 01:23 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 17:24 . 2009-07-19 17:24 -------- d-----w- c:\program files\Trend Micro
2009-07-19 02:38 . 2009-07-19 17:22 -------- d-----w- c:\program files\Steam
2009-07-18 15:24 . 2009-07-18 15:24 56532 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-18 15:23 . 2009-07-18 15:24 -------- d-----w- c:\program files\Safari
2009-07-18 15:10 . 2009-07-18 15:10 -------- d-----w- c:\program files\iPod
2009-07-18 15:10 . 2009-07-18 15:10 -------- d-----w- c:\program files\iTunes
2009-07-13 18:22 . 2009-07-13 18:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-12 18:59 . 2009-07-12 18:59 -------- d-----w- c:\program files\Bonjour
2009-07-12 18:59 . 2009-07-12 18:59 -------- d-----w- c:\program files\QuickTime
2009-07-12 18:58 . 2009-07-12 18:58 -------- d-----w- c:\program files\Apple Software Update
2009-07-12 18:58 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-12 18:58 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-12 18:58 . 2009-07-18 15:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-11 05:09 . 2009-07-21 23:17 -------- d-----w- C:\NTDLS
2009-07-11 01:46 . 2009-07-11 01:46 -------- d-----w- c:\documents and settings\Daniel\.oanda
2009-07-02 23:44 . 2009-07-20 01:03 -------- d-----w- c:\documents and settings\Daniel\Application Data\mIRC
2009-07-02 23:44 . 2009-07-20 00:57 -------- d-----w- c:\program files\mIRC
2009-07-02 22:53 . 2009-06-30 23:19 106496 ----a-w- c:\documents and settings\Daniel\Application Data\Mozilla\Plugins\npcoolirisplugin.dll
2009-07-02 00:17 . 2009-07-02 00:17 69632 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 4.30.19.1\SetupAdmin.exe
2009-07-01 22:19 . 2009-07-17 22:39 -------- d-----w- c:\documents and settings\Daniel\Application Data\DC++
2009-07-01 22:19 . 2009-07-01 22:19 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\DC++
2009-07-01 22:17 . 2009-07-01 22:17 -------- d-----w- c:\program files\NetLimiter
2009-07-01 22:16 . 2009-07-01 22:16 -------- d-----w- c:\documents and settings\Daniel\Application Data\LockTime
2009-07-01 22:16 . 2009-07-01 22:16 -------- d-----w- c:\program files\DC++
2009-06-23 23:31 . 2009-06-23 23:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-22 23:42 . 2009-06-27 06:18 -------- d-----w- c:\documents and settings\All Users\Application Data\92854526
2009-06-22 23:42 . 2009-06-27 06:18 -------- d-----w- c:\documents and settings\All Users\Application Data\12844534
2009-06-22 23:42 . 2009-06-22 23:42 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 00:46 . 2009-06-01 09:25 -------- d-----w- c:\documents and settings\Daniel\Application Data\uTorrent
2009-07-21 00:46 . 2009-06-09 20:43 -------- d-----w- c:\program files\PeerGuardian2
2009-07-19 21:06 . 2009-06-02 07:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-19 20:41 . 2009-06-13 02:45 -------- d-----w- c:\program files\Warcraft III
2009-07-19 19:22 . 2009-06-01 08:54 -------- d-----w- c:\program files\FlashFXP
2009-07-19 17:39 . 2009-06-02 05:10 34 ----a-w- c:\documents and settings\Daniel\jagex_runescape_preferences.dat
2009-07-19 17:18 . 2004-08-20 22:18 67584 ----a-w- c:\windows\system32\drivers\6953d92cb3fa36.sys
2009-07-19 05:22 . 2009-06-02 03:09 -------- d-----w- c:\documents and settings\Daniel\Application Data\Skype
2009-07-19 05:06 . 2009-06-02 03:11 -------- d-----w- c:\documents and settings\Daniel\Application Data\skypePM
2009-07-18 15:24 . 2009-06-01 09:49 -------- d-----w- c:\documents and settings\Daniel\Application Data\Apple Computer
2009-07-17 02:04 . 2009-06-13 02:59 -------- d-----w- c:\program files\WC3Banlist
2009-07-12 18:59 . 2009-06-01 09:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-04 19:10 . 2009-06-20 19:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-07-02 01:49 . 2009-06-02 00:44 -------- d-----w- c:\documents and settings\Daniel\Application Data\X-Chat 2
2009-06-27 14:33 . 2009-06-02 07:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-27 07:07 . 2009-06-01 09:38 -------- d-----w- c:\program files\Google
2009-06-21 22:00 . 2006-11-07 03:05 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-21 02:30 . 2009-06-01 09:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-20 20:17 . 2009-06-20 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-20 20:15 . 2009-06-20 20:15 -------- d-----w- c:\program files\Microsoft Works
2009-06-20 20:15 . 2009-06-01 08:22 -------- d-----w- c:\program files\MSBuild
2009-06-20 20:13 . 2009-06-20 20:13 -------- d-----w- c:\program files\Microsoft.NET
2009-06-20 20:11 . 2009-06-20 20:11 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-06-20 17:27 . 2009-06-20 17:27 -------- d-----w- c:\program files\Xi
2009-06-14 16:25 . 2009-06-14 16:25 -------- d-----w- c:\program files\Common Files\Intel
2009-06-14 16:25 . 2009-06-14 16:25 -------- d-----w- c:\program files\CounterPath
2009-06-13 03:00 . 2009-06-13 03:00 -------- d-----w- c:\program files\WinPcap
2009-06-13 02:54 . 2009-06-13 02:47 98256 ----a-w- c:\windows\War3Unin.dat
2009-06-13 02:50 . 2009-06-13 02:47 2829 ----a-w- c:\windows\War3Unin.pif
2009-06-13 02:50 . 2009-06-13 02:47 139264 ----a-w- c:\windows\War3Unin.exe
2009-06-13 02:43 . 2009-06-13 02:43 223128 ----a-w- c:\windows\system32\drivers\dtscsi.sys
2009-06-13 02:43 . 2009-06-13 02:43 -------- d-----w- c:\program files\DAEMON Tools
2009-06-13 02:40 . 2009-06-13 02:40 96384 ----a-w- c:\windows\system32\drivers\sptd4589.sys
2009-06-13 02:40 . 2009-06-13 02:40 643072 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-03 06:34 . 2009-06-01 19:21 -------- d-----w- c:\documents and settings\Daniel\Application Data\SSH
2009-06-02 05:08 . 2009-06-02 05:08 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-02 05:08 . 2009-06-02 05:08 -------- d-----w- c:\program files\Java
2009-06-02 05:07 . 2009-06-02 05:07 152576 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-02 03:28 . 2009-06-02 03:28 -------- d-----w- c:\documents and settings\Daniel\Application Data\AdobeUM
2009-06-02 03:11 . 2009-06-02 03:11 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-02 03:09 . 2009-06-02 03:09 -------- d-----w- c:\program files\Common Files\Skype
2009-06-02 03:09 . 2009-06-02 03:09 -------- d-----r- c:\program files\Skype
2009-06-02 03:09 . 2009-06-02 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-02 00:44 . 2009-06-02 00:44 -------- d-----w- c:\program files\xchat
2009-06-01 23:25 . 2009-06-01 23:25 -------- d-----w- c:\program files\CCleaner
2009-06-01 19:20 . 2009-06-01 19:20 -------- d-----w- c:\program files\SSH Communications Security
2009-06-01 19:20 . 2006-11-07 02:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 10:34 . 2009-06-01 10:34 -------- d-----w- c:\program files\Alwil Software
2009-06-01 10:09 . 2009-06-01 08:12 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-01 09:55 . 2009-06-01 09:55 -------- d-----w- c:\program files\madmax
2009-06-01 09:49 . 2009-06-01 09:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-01 09:45 . 2009-06-01 09:45 -------- d-----w- c:\documents and settings\Daniel\Application Data\Media Player Classic
2009-06-01 09:44 . 2009-06-01 09:44 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-01 09:26 . 2009-06-01 09:26 -------- d-----w- c:\program files\uTorrent
2009-06-01 09:19 . 2009-06-01 09:19 53248 ----a-w- c:\windows\system32\suppdll.dll
2009-06-01 09:19 . 2009-06-01 09:19 35363 ----a-w- c:\windows\system32\windrvNT.sys
2009-06-01 09:18 . 2009-06-01 09:18 -------- d-----w- c:\program files\Easy Video Joiner
2009-06-01 09:05 . 2009-06-01 09:05 167376 ----a-w- c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\2sy5vti7.default\FlashGot.exe
2009-06-01 08:50 . 2009-06-01 08:50 0 ----a-w- c:\windows\nsreg.dat
2009-06-01 08:47 . 2009-06-01 08:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-01 08:41 . 2009-06-01 08:41 -------- d-----w- c:\program files\DIFX
2009-06-01 08:33 . 2009-06-01 08:33 1915520 ----a-w- c:\documents and settings\Daniel\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-01 08:30 . 2009-06-01 08:30 -------- d-----w- c:\documents and settings\Daniel\Application Data\Windows Search
2009-06-01 08:21 . 2009-06-01 08:21 -------- d-----w- c:\program files\Reference Assemblies
2009-06-01 08:10 . 2009-06-01 08:10 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-01 07:54 . 2006-11-07 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-01 07:54 . 2006-11-07 02:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 07:54 . 2006-11-07 03:00 -------- d-----w- c:\program files\ASUS
2009-06-01 07:52 . 2006-11-07 02:29 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-01 07:11 . 2006-11-07 02:44 -------- d-----w- c:\program files\ASUSTek
2009-06-01 07:03 . 2009-06-01 07:03 546 ----a-w- c:\windows\system32\ABA8JS.DAT
2009-04-23 18:22 . 2006-11-07 02:58 141568 ----a-w- c:\windows\system32\drivers\Rtenicxp.sys
2009-07-18 00:50 . 2009-06-01 08:49 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-05 03:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 2F8C2B6E052A4C6EC5575EA10F8E5191 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-04-17 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-01 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 761945]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-15 90112]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-03 61440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-01 1519616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6953d92cb3fa36.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MultiFrame.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MultiFrame.lnk
backup=c:\windows\pss\MultiFrame.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"LightScribeService"=2 (0x2)
"idsvc"=3 (0x3)
"cisvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\xchat\\xchat.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/1/2009 6:34 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/1/2009 6:34 AM 20560]
S1 6953d92cb3fa36;6953d92cb3fa36;c:\windows\system32\drivers\6953d92cb3fa36.sys [8/20/2004 6:18 PM 67584]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\program files\NetLimiter\nl_lsp.dll
Trusted Zone: oanda.com\fxtrade
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\2sy5vti7.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Daniel\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 22:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 368 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(952)
c:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll

- - - - - - - > 'explorer.exe'(3576)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\ATK0100\ATKOSD.exe
.
**************************************************************************
.
Completion time: 2009-07-22 22:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-22 02:10

Pre-Run: 28,268,826,624 bytes free
Post-Run: 28,157,246,464 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

301 --- E O F --- 2009-06-01 07:58





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Apple Mobile Device Support
Apple Software Update
Asus MultiFrame
ATK0100 ACPI UTILITY
avast! Antivirus
Bonjour
CCleaner (remove only)
DC++ 0.750
Easy Video Joiner 5.21
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
iTunes
Java(TM) 6 Update 13
K-Lite Mega Codec Pack 4.8.5
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIRC
Mozilla Firefox (3.5.1)
Net Transport 1.90.267
NetLimiter 1.30 (remove only)
NVIDIA Drivers
PeerGuardian 2.0
Power4 Gear
QuickTime
REALTEK PCIE NIC Driver
Safari
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Skype™ 4.0
SMSC IrCC V5.1.3600.9
SoundMAX
Spybot - Search & Destroy
SSH Secure Shell
Steam
Synaptics Pointing Device Driver
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WC3Banlist
Windows Driver Package - Intel (NETw3x32) net (10/17/2006 10.5.1.72)
Windows Driver Package - Intel (w29n51) net (10/25/2006 9.0.4.26)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 3.1
WinRAR archiver
XChat 2 (remove only)
X-Lite 3.0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




And here's an updated HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:07 PM, on 7/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243841178109
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5666 bytes




~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I'm still having the same connectivity issues with iTunes & Steam which I think is due to infections. How do my logs look?

Thank you very much for your help!

p.s. I am VERY good about my file sharing activity and I scan every file that I download. I also do not leave these programs running when I am not downloading files and they are not configured to have access to my filesystem.

 

[katana]

Information
1) How do my logs look?
~
2) p.s. I am VERY good about my file sharing activity and I scan every file that I download.
[/quote]
1) There are still some signs of infection.
2) The forum policy is that all P2P must be removed.


----------------------------------------------------------------------------------------
Step 1

Custom CFScript

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  http://forums.spybot.info/showthread.php?p=323774#post323774
  Comment:: Katana
  Collect::[4]
  c:\windows\system32\drivers\6953d92cb3fa36.sys
  
  Folder::
  c:\documents and settings\All Users\Application Data\92854526
  c:\documents and settings\All Users\Application Data\12844534
  c:\documents and settings\Daniel\Application Data\uTorrent
  
  Registry::
  [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6953d92cb3fa36.sys]
  
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
  "c:\\Program Files\\uTorrent\\uTorrent.exe"=
  Driver::
  6953d92cb3fa36
  
  ADS::

• Save this as CFScript.txt and place it on your desktop.
  
  
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• **Note**
  When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
• Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

----------------------------------------------------------------------------------------
Step 2

Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

• Combofix Log
• Kaspersky Log
• How are things running now ?

---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
Additional Notes



Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

• Please go to this link Adobe Acrobat Reader Download Link
• Click Download
• On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
• Click the Continue button
• Click Run, and click Run again
• Next click the Install Now button and follow the on screen prompts

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download Java SE Runtime Environment (JRE) . ( don't install it yet )

• Scroll down to where it says "Java SE Runtime Environment (JRE)".
• Click the "Download" button to the right.
• • Platform = Windows
  • Language = Multi Language
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

!! Close all browser windows !!

Now install the Java SE Runtime Environment (JRE) package you downloaded
(it comes with a toolbar pre-selected, so make sure you uncheck the box)

 

[dshap]

ComboFix 09-07-21.02 - Daniel 07/22/2009 19:48.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1665 [GMT -4:00]
Running from: c:\documents and settings\Daniel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Daniel\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090719-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\12844534
c:\documents and settings\All Users\Application Data\12844534\12844534.glu
c:\documents and settings\All Users\Application Data\92854526
c:\documents and settings\Daniel\Application Data\uTorrent
c:\documents and settings\Daniel\Application Data\uTorrent\Building Telephony Systems With Asterisk.torrent
c:\documents and settings\Daniel\Application Data\uTorrent\dht.dat
c:\documents and settings\Daniel\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Daniel\Application Data\uTorrent\Entourage S06E01.torrent
c:\documents and settings\Daniel\Application Data\uTorrent\Entourage S06E02.torrent
c:\documents and settings\Daniel\Application Data\uTorrent\Friedl - Mastering Regular Expressions 3e (O'Reilly, 2006).chm.torrent
c:\documents and settings\Daniel\Application Data\uTorrent\Oreilly.Learning.RedHat.Linux.3rd.Edition.eBook-LiB.torrent
c:\documents and settings\Daniel\Application Data\uTorrent\resume.dat
c:\documents and settings\Daniel\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Daniel\Application Data\uTorrent\rss.dat
c:\documents and settings\Daniel\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Daniel\Application Data\uTorrent\settings.dat
c:\documents and settings\Daniel\Application Data\uTorrent\settings.dat.old
c:\windows\Temp\1284437.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_6953d92cb3fa36


((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-22 03:04 . 2009-07-22 03:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-22 02:18 . 2009-07-22 23:54 -------- d-----w- c:\program files\Steam
2009-07-22 01:23 . 2009-07-22 01:23 -------- d-----w- c:\documents and settings\Daniel\Application Data\Malwarebytes
2009-07-22 01:23 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-22 01:23 . 2009-07-22 01:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-22 01:23 . 2009-07-22 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-22 01:23 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 17:24 . 2009-07-19 17:24 -------- d-----w- c:\program files\Trend Micro
2009-07-18 15:24 . 2009-07-18 15:24 56532 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-18 15:23 . 2009-07-18 15:24 -------- d-----w- c:\program files\Safari
2009-07-18 15:10 . 2009-07-18 15:10 -------- d-----w- c:\program files\iPod
2009-07-18 15:10 . 2009-07-18 15:10 -------- d-----w- c:\program files\iTunes
2009-07-13 18:22 . 2009-07-13 18:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-12 18:59 . 2009-07-12 18:59 -------- d-----w- c:\program files\Bonjour
2009-07-12 18:59 . 2009-07-12 18:59 -------- d-----w- c:\program files\QuickTime
2009-07-12 18:58 . 2009-07-12 18:58 -------- d-----w- c:\program files\Apple Software Update
2009-07-12 18:58 . 2009-06-05 15:42 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-12 18:58 . 2009-06-05 15:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-12 18:58 . 2009-07-18 15:10 -------- d-----w- c:\program files\Common Files\Apple
2009-07-11 05:09 . 2009-07-21 23:17 -------- d-----w- C:\NTDLS
2009-07-11 01:46 . 2009-07-11 01:46 -------- d-----w- c:\documents and settings\Daniel\.oanda
2009-07-02 23:44 . 2009-07-20 01:03 -------- d-----w- c:\documents and settings\Daniel\Application Data\mIRC
2009-07-02 23:44 . 2009-07-20 00:57 -------- d-----w- c:\program files\mIRC
2009-07-02 22:53 . 2009-06-30 23:19 106496 ----a-w- c:\documents and settings\Daniel\Application Data\Mozilla\Plugins\npcoolirisplugin.dll
2009-07-02 00:17 . 2009-07-02 00:17 69632 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 4.30.19.1\SetupAdmin.exe
2009-07-01 22:19 . 2009-07-17 22:39 -------- d-----w- c:\documents and settings\Daniel\Application Data\DC++
2009-07-01 22:19 . 2009-07-01 22:19 -------- d-----w- c:\documents and settings\Daniel\Local Settings\Application Data\DC++
2009-07-01 22:17 . 2009-07-01 22:17 -------- d-----w- c:\program files\NetLimiter
2009-07-01 22:16 . 2009-07-01 22:16 -------- d-----w- c:\documents and settings\Daniel\Application Data\LockTime
2009-07-01 22:16 . 2009-07-01 22:16 -------- d-----w- c:\program files\DC++
2009-06-23 23:31 . 2009-06-23 23:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 00:46 . 2009-06-09 20:43 -------- d-----w- c:\program files\PeerGuardian2
2009-07-19 21:06 . 2009-06-02 07:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-19 20:41 . 2009-06-13 02:45 -------- d-----w- c:\program files\Warcraft III
2009-07-19 19:22 . 2009-06-01 08:54 -------- d-----w- c:\program files\FlashFXP
2009-07-19 17:39 . 2009-06-02 05:10 34 ----a-w- c:\documents and settings\Daniel\jagex_runescape_preferences.dat
2009-07-19 05:22 . 2009-06-02 03:09 -------- d-----w- c:\documents and settings\Daniel\Application Data\Skype
2009-07-19 05:06 . 2009-06-02 03:11 -------- d-----w- c:\documents and settings\Daniel\Application Data\skypePM
2009-07-18 15:24 . 2009-06-01 09:49 -------- d-----w- c:\documents and settings\Daniel\Application Data\Apple Computer
2009-07-17 02:04 . 2009-06-13 02:59 -------- d-----w- c:\program files\WC3Banlist
2009-07-12 18:59 . 2009-06-01 09:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-04 19:10 . 2009-06-20 19:59 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-07-02 01:49 . 2009-06-02 00:44 -------- d-----w- c:\documents and settings\Daniel\Application Data\X-Chat 2
2009-06-27 14:33 . 2009-06-02 07:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-27 07:07 . 2009-06-01 09:38 -------- d-----w- c:\program files\Google
2009-06-21 22:00 . 2006-11-07 03:05 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-21 02:30 . 2009-06-01 09:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-20 20:17 . 2009-06-20 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-20 20:15 . 2009-06-20 20:15 -------- d-----w- c:\program files\Microsoft Works
2009-06-20 20:15 . 2009-06-01 08:22 -------- d-----w- c:\program files\MSBuild
2009-06-20 20:13 . 2009-06-20 20:13 -------- d-----w- c:\program files\Microsoft.NET
2009-06-20 20:11 . 2009-06-20 20:11 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-06-20 17:27 . 2009-06-20 17:27 -------- d-----w- c:\program files\Xi
2009-06-14 16:25 . 2009-06-14 16:25 -------- d-----w- c:\program files\Common Files\Intel
2009-06-14 16:25 . 2009-06-14 16:25 -------- d-----w- c:\program files\CounterPath
2009-06-13 03:00 . 2009-06-13 03:00 -------- d-----w- c:\program files\WinPcap
2009-06-13 02:54 . 2009-06-13 02:47 98256 ----a-w- c:\windows\War3Unin.dat
2009-06-13 02:50 . 2009-06-13 02:47 2829 ----a-w- c:\windows\War3Unin.pif
2009-06-13 02:50 . 2009-06-13 02:47 139264 ----a-w- c:\windows\War3Unin.exe
2009-06-13 02:43 . 2009-06-13 02:43 223128 ----a-w- c:\windows\system32\drivers\dtscsi.sys
2009-06-13 02:43 . 2009-06-13 02:43 -------- d-----w- c:\program files\DAEMON Tools
2009-06-13 02:40 . 2009-06-13 02:40 96384 ----a-w- c:\windows\system32\drivers\sptd4589.sys
2009-06-13 02:40 . 2009-06-13 02:40 643072 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-03 06:34 . 2009-06-01 19:21 -------- d-----w- c:\documents and settings\Daniel\Application Data\SSH
2009-06-02 05:08 . 2009-06-02 05:08 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-02 05:08 . 2009-06-02 05:08 -------- d-----w- c:\program files\Java
2009-06-02 05:07 . 2009-06-02 05:07 152576 ----a-w- c:\documents and settings\Daniel\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-02 03:28 . 2009-06-02 03:28 -------- d-----w- c:\documents and settings\Daniel\Application Data\AdobeUM
2009-06-02 03:11 . 2009-06-02 03:11 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-02 03:09 . 2009-06-02 03:09 -------- d-----w- c:\program files\Common Files\Skype
2009-06-02 03:09 . 2009-06-02 03:09 -------- d-----r- c:\program files\Skype
2009-06-02 03:09 . 2009-06-02 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-02 00:44 . 2009-06-02 00:44 -------- d-----w- c:\program files\xchat
2009-06-01 23:25 . 2009-06-01 23:25 -------- d-----w- c:\program files\CCleaner
2009-06-01 19:20 . 2009-06-01 19:20 -------- d-----w- c:\program files\SSH Communications Security
2009-06-01 19:20 . 2006-11-07 02:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 10:34 . 2009-06-01 10:34 -------- d-----w- c:\program files\Alwil Software
2009-06-01 10:09 . 2009-06-01 08:12 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-01 09:55 . 2009-06-01 09:55 -------- d-----w- c:\program files\madmax
2009-06-01 09:49 . 2009-06-01 09:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-01 09:45 . 2009-06-01 09:45 -------- d-----w- c:\documents and settings\Daniel\Application Data\Media Player Classic
2009-06-01 09:44 . 2009-06-01 09:44 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-01 09:26 . 2009-06-01 09:26 -------- d-----w- c:\program files\uTorrent
2009-06-01 09:19 . 2009-06-01 09:19 53248 ----a-w- c:\windows\system32\suppdll.dll
2009-06-01 09:19 . 2009-06-01 09:19 35363 ----a-w- c:\windows\system32\windrvNT.sys
2009-06-01 09:18 . 2009-06-01 09:18 -------- d-----w- c:\program files\Easy Video Joiner
2009-06-01 09:05 . 2009-06-01 09:05 167376 ----a-w- c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\2sy5vti7.default\FlashGot.exe
2009-06-01 08:50 . 2009-06-01 08:50 0 ----a-w- c:\windows\nsreg.dat
2009-06-01 08:47 . 2009-06-01 08:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-01 08:41 . 2009-06-01 08:41 -------- d-----w- c:\program files\DIFX
2009-06-01 08:33 . 2009-06-01 08:33 1915520 ----a-w- c:\documents and settings\Daniel\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-01 08:30 . 2009-06-01 08:30 -------- d-----w- c:\documents and settings\Daniel\Application Data\Windows Search
2009-06-01 08:21 . 2009-06-01 08:21 -------- d-----w- c:\program files\Reference Assemblies
2009-06-01 08:10 . 2009-06-01 08:10 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-01 07:54 . 2006-11-07 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-01 07:54 . 2006-11-07 02:50 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 07:54 . 2006-11-07 03:00 -------- d-----w- c:\program files\ASUS
2009-06-01 07:52 . 2006-11-07 02:29 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-01 07:11 . 2006-11-07 02:44 -------- d-----w- c:\program files\ASUSTek
2009-06-01 07:03 . 2009-06-01 07:03 546 ----a-w- c:\windows\system32\ABA8JS.DAT
2009-07-18 00:50 . 2009-06-01 08:49 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

------- Sigcheck -------

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-05 03:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 2F8C2B6E052A4C6EC5575EA10F8E5191 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-22_02.07.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-22 23:54 . 2009-07-22 23:54 16384 c:\windows\Temp\Perflib_Perfdata_648.dat
+ 2009-07-22 23:54 . 2009-07-22 23:54 16384 c:\windows\Temp\Perflib_Perfdata_17c.dat
+ 2009-07-22 02:18 . 2009-07-22 02:18 27648 c:\windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C91.exe
- 2009-07-19 02:38 . 2009-07-19 02:38 27648 c:\windows\Installer\{048298C9-A4D3-490B-9FF9-AB023A9238F3}\Icon048298C91.exe
+ 2009-07-22 02:18 . 2009-07-22 02:18 1098240 c:\windows\Installer\99010.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Steam"="c:\program files\Steam\Steam.exe" [2009-07-22 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-04-17 110592]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-01 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-21 761945]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-15 90112]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-03 61440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-01 1519616]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MultiFrame.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MultiFrame.lnk
backup=c:\windows\pss\MultiFrame.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"LightScribeService"=2 (0x2)
"idsvc"=3 (0x3)
"cisvc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\xchat\\xchat.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [6/1/2009 6:34 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/1/2009 6:34 AM 20560]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Download all by Net Transport - c:\program files\Xi\NetTransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\Xi\NetTransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\program files\NetLimiter\nl_lsp.dll
Trusted Zone: oanda.com\fxtrade
FF - ProfilePath - c:\documents and settings\Daniel\Application Data\Mozilla\Firefox\Profiles\2sy5vti7.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\Daniel\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 19:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 368 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(944)
c:\program files\NetLimiter\nl_lsp.dll
c:\windows\system32\nl_msgc.dll

- - - - - - - > 'explorer.exe'(2720)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\ATK0100\ATKOSD.exe
.
**************************************************************************
.
Completion time: 2009-07-22 19:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-22 23:58
ComboFix2.txt 2009-07-22 02:10

Pre-Run: 28,043,795,968 bytes free
Post-Run: 28,016,374,784 bytes free

320 --- E O F --- 2009-06-01 07:58





~~~~~~~~~~~~~~~~~~~~~~~~~~~




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 22, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 23, 2009 01:53:10
Records in database: 2516482
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 75625
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 01:28:38


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\System Volume Information\_restore{163EC41D-096B-4921-9127-82A1522F434F}\RP64\A0011063.sys Infected: Trojan.Win32.VB.ste 1
C:\System Volume Information\_restore{163EC41D-096B-4921-9127-82A1522F434F}\RP64\A0011067.sys Infected: Trojan-Dropper.Win32.Agent.awen 1
C:\System Volume Information\_restore{163EC41D-096B-4921-9127-82A1522F434F}\RP64\A0011071.sys Infected: Trojan-Dropper.Win32.Agent.awen 1
C:\System Volume Information\_restore{163EC41D-096B-4921-9127-82A1522F434F}\RP64\A0011092.sys Infected: Trojan-Dropper.Win32.Agent.awen 1
C:\System Volume Information\_restore{163EC41D-096B-4921-9127-82A1522F434F}\RP67\A0011361.sys Infected: Trojan-Dropper.Win32.Agent.awen 1

The selected area was scanned.





~~~~~~~~~~~


New HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:18 PM, on 7/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243841178109
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5953 bytes



~~~~~~~~~


Will get rid of Adobe & update Java.

Thanks for the help!

Looks like I've still got some problems...

 

[katana]

Looks like I've still got some problems...

Nope .... The items that Kapersky found will be removed in the final clean up



Congratulations your logs look clean

Let's see if I can help you keep it that way

First lets tidy up



Uninstall Combofix

• This will clear your System Volume Information restore points and remove all the infected files that were quarantined
• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • 

OTCleanup
Please download OTCleanup from HERE
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt




You can also delete any logs we have produced, and empty your Recycle bin.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

• 
  AntiSpyware is not the same thing as Antivirus.
  Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
  You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
  Most of the programs in this list have a free (for Home Users ) and paid versions,
  it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
• Spybot - Search & Destroy <<< A must have program
  • It includes host protection and registry protection
  • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
• MalwareBytes Anti-malware <<< A New and effective program
• a-squared Free <<< A good "realtime" or "on demand" scanner
• superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

• 
  These programs don't detect malware, they help stop it getting on your machine in the first place.
  Each does a different job, so you can have more than one
• Winpatrol
  • An excellent startup manager and then some !!
  • Notifies you if programs are added to startup
  • Allows delayed startup
  • A must have addition
• SpywareBlaster 4.0
  • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
• SpywareGuard 2.2
  • SpywareGuard provides real-time protection against spyware.
  • Not required if you have other "realtime" antispyware or Winpatrol
• ZonedOut
  • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
• MVPS HOSTS
  • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
  • For information on how to download and install, please read this tutorial by WinHelp2002.
  • Not required if you are using other host file protections

Internet Browsers

• 
  Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
  Using a different web browser can help stop malware getting on your machine.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
       • Change the Download signed ActiveX controls to Prompt
       • Change the Download unsigned ActiveX controls to Disable
       • Change the Initialise and script ActiveX controls not marked as safe to Disable
       • Change the Installation of desktop items to Prompt
       • Change the Launching programs and files in an IFRAME to Prompt
       • Change the Navigate sub-frames across different domains to Prompt
       • When all these settings have been made, click on the OK button.
       • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  If you are still using IE6 then either update, or get one of the following.
  • FireFox
    • With many addons available that make customization easy this is a very popular choice
    • NoScript and AdBlockPlus addons are essential
  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

• 
  Temporary Internet Files are mainly the files that are downloaded when you open a web page.
  Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
  It is a good idea to empty the Temporary Internet Files folder on a regular basis.
  
  Tracking Cookies are files that websites use to monitor which sites you visit and how often.
  A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
  CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
  
  Both of these can be cleaned manually, but a quicker option is to use a program
• ATF Cleaner
  • Free and very simple to use
• CCleaner
  • Free and very flexible, you can chose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

 

[dshap]

Thanks so much for your help. My applications that were not working before are now working! Were you able to tell from my logs what the culprit was? How did I get the specific infection that I had? I would really appreciate it if you could let me know if you do know. I read the thread "How did I get this in the first place?"

 

[katana]

1) Were you able to tell from my logs what the culprit was?
2) How did I get the specific infection that I had?

1) It was a common downloader trojan.
2) There is no way of telling, it could have been P2P, or it could just have been a "Hacked" website that contained a malicious link.

 

[katana]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.