Safer-networking.org is a blank page.

This is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:03, on 11.6.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60343
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ba/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60343
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60343
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60343
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60343
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://watson.microsoft.com/dw/dcp.asp?CLCID=1033&EXENAME=cli.exe&BRAND=WINDOWS
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Preuzmi odabrano Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Preuzmi sa Free Download Managerom - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Preuzmi sve sa Free Download Manager-om - file://C:\Program Files\Free Download Manager\dlall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AF16863-5FF5-4227-9826-9F34B36E60B6}: NameServer = 85.255.114.51 85.255.112.158
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6989 bytes
 
OK. We will get another download to use. I would suggest reading the guide on another computer that isn't infected, if that's possible.
The tool is called ComboFix. Read the guide, download ComboFix to your desktop, disable any antivirus and anti-malware that might be running, double click the ComboFix icon on your desktop and follow the prompts. Post the ComboFix log.

the guide:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
the download links are in the guide.

If you can't download it, then we will try something else. Are you able to use another computer for downloading?
 
ComboFix log

ComboFix 09-06-11.06 - Administrator 12.06.2009 18:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.715 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090611-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-05-12 to 2009-06-12 )))))))))))))))))))))))))))))))
.

2009-06-11 21:29 . 2009-06-11 21:29 1915520 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-09 23:01 . 2009-06-09 23:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-09 23:00 . 2009-06-09 23:00 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-07 07:56 . 2009-06-07 07:56 -------- d-----w- c:\program files\Trend Micro
2009-06-04 19:33 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-04 19:33 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-04 19:33 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-04 19:33 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-04 19:33 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-04 19:33 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-04 19:33 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-04 19:33 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-06-04 19:33 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-04 19:32 . 2009-06-04 19:32 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 16:13 . 2008-02-16 21:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-06-12 16:04 . 2008-04-12 15:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-06-09 23:02 . 2007-10-25 20:22 -------- d-----w- c:\program files\Java
2009-06-08 16:49 . 2009-05-08 22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-04 20:39 . 2008-12-29 17:51 -------- d-----w- c:\program files\WinClamAVShield
2009-05-28 18:47 . 2008-07-11 16:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-05-28 18:19 . 2009-05-12 19:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-05-26 11:20 . 2009-05-08 22:17 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 11:19 . 2009-05-08 22:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-20 22:16 . 2008-01-07 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-05-20 22:12 . 2008-04-12 15:04 -------- d-----w- c:\program files\Spyware Terminator
2009-05-13 19:58 . 2008-02-16 21:01 -------- d-----w- c:\program files\Free Download Manager
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-08 22:17 . 2009-05-08 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-06 21:45 . 2006-10-20 17:08 44112 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-06 20:26 . 2006-10-20 16:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-03 00:33 . 2008-01-01 14:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-02 19:52 . 2009-05-02 19:52 -------- d-----w- c:\program files\MSSOAP
2009-04-18 12:47 . 2006-10-20 17:11 -------- d-----w- c:\program files\Valve
.

------- Sigcheck -------

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2002-08-29 01:58 332928 244A2F9816BC9B593957281EF577D976 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2004-08-03 21:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\system32\dllcache\tcpip.sys
[-] 2006-04-20 11:51 359808 B4E29943B4B04BD5E7381546848E6669 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe" [2009-05-08 1783808]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Free Download Manager\\fdmwi.exe"=
"c:\\Program Files\\Free Download Manager\\fdm.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4.6.2009 21:33 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [12.4.2008 17:05 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4.6.2009 21:33 20560]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [29.6.2007 16:32 611584]
S2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [23.8.2001 14:00 14336]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\Windows Live\Messenger\usnsvc.exe [18.10.2007 11:31 98328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ba/
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\Free Download Manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\Free Download Manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\Free Download Manager\dlall.htm
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 18:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1801674531-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,42,08,25,11,cc,ca,bd,4b,97,42,24,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="[hex value omitted]"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-12 18:21
ComboFix-quarantined-files.txt 2009-06-12 16:21

Pre-Run: 27.582.144.512 bytes free
Post-Run: 27.570.438.144 bytes free

157 --- E O F --- 2007-12-21 18:34
 
Please note that ComboFix did not install WRC.

I did not get any message about installing the Windows Recovery Console (what is that anyway?). I tried to install it from the Microsoft web page, but it is blank.

Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

[image: ComboFix Recovery Console]

At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console. Once it has finished installing, you will be presented with the screen shown below.

[image: ComboFix Recovery Console Finished]

You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. When it is done, and a log has been created, you can then perform the manual install of the Recovery Console using the steps found in the Manually installing the Windows Recovery Console section.

ComboFix will now disconnect your computer from the Internet
 
hi,

The Windows Recovery Console is a command line shell for doing certain tasks without booting fully into the Windows environment.
Did you try installing it by clicking Yes to have ComboFix download it and install it for you? You did not get a message from ComboFix saying that it wasn't installed?

As for the malware on your machine, we are not making much progress. Your web browsing is being redirected; that's why you can't get to certain web pages. Malwarebytes, in my past experience, is capable of removing this trojan. I don't know why it's not removing yours. ComboFix also did not remove any malware, and I don't recognize any malware in the log.
It's best to remove malware as soon as possible; an infection that drags on for whatever reason is not good. Malware on a machine will "fetch" more malware. I would use the machine as little as possible, and when it is not in use unplug your modem and/or router so there is no network connectivity.

Run ComboFix again and see if you get the message about installing the Recovery Console.
We will also get another download to use. It's called SDFix; it only runs in Safe Mode. Link and directions for SDFix:

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt in your reply.
 
ComboFix did not ask me "yes" or "no" to install WRC.

I did not get a pop-up window (ComboFix example attached in my previous message) with the question to install WRC ....

Here below is the report of SDFix:



SDFix: Version 1.240
Run by Administrator on sub 13.06.2009 at 17:00

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 17:12:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf]
"DisplayName"="Task Installer"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\itxlf.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ekqwsf]
"DisplayName"="Task Installer"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ekqwsf\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\itxlf.dll"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG10.00.00.01WORKSTATION"="[hex value omitted]"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"="C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe:*:Disabled:Ad-Aware SE Personal"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Disabled:DNA"
"C:\\Program Files\\Free Download Manager\\fdmwi.exe"="C:\\Program Files\\Free Download Manager\\fdmwi.exe:*:Disabled:FDM remote control server"
"C:\\Program Files\\Free Download Manager\\fdm.exe"="C:\\Program Files\\Free Download Manager\\fdm.exe:*:Disabled:Free Download Manager"
"C:\\Program Files\\Valve\\hl.exe"="C:\\Program Files\\Valve\\hl.exe:*:Disabled:Half-Life Launcher"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe:*:Disabled:Nero Home"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Mon 16 Apr 2007 89,280 A.SHR --- "C:\WINDOWS\system32\itxlf.dll"

Finished!

:thanks:
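The interesting part of the SDFix report above is the hidden-services section: a service named ekqwsf that is hosted by svchost.exe in the netsvcs group, loads its code from itxlf.dll, and carries the description text of the genuine Windows "Computer Browser" service. The script below is an added example (not part of the thread, and not code from SDFix, catchme or any other tool mentioned here) that parses a registry export in that shape and lists the reasons such an entry deserves a closer look. The sample export is constructed from the lines in the post, and the table of known service descriptions is an assumption containing only the one entry the example needs.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a hidden-service block in the shape catchme / SDFix prints it
# (service name, DLL and description mirror the report in the post above).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf]
"DisplayName"="Task Installer"
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"="Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters]
"ServiceDll"=str(2):"C:\WINDOWS\system32\itxlf.dll"
'''

# Assumed lookup table (one entry for this example): description text of the genuine
# Windows XP "Computer Browser" service, whose ServiceDll is browser.dll. A service that
# reuses this text under a different name is impersonating it.
KNOWN_DESCRIPTIONS = {
    "Maintains an updated list of computers on the network and supplies this list to "
    "computers designated as browsers. If this service is stopped, this list will not be "
    "updated or maintained. If this service is disabled, any services that explicitly "
    "depend on it will fail to start.": ("Browser", "browser.dll"),
}

# [HKEY_LOCAL_MACHINE\SYSTEM\<control set>\Services\<name>[\Parameters]]
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<name>[^\\\]]+)(?P<params>\\Parameters)?\]$",
    re.IGNORECASE,
)
# "Name"="string", "Name"=str(2):"string" or "Name"=dword:xxxxxxxx
VAL_RE = re.compile(r'^"(?P<k>[^"]+)"=(?:str\(2\):)?(?:"(?P<s>.*)"|dword:(?P<d>[0-9a-fA-F]{8}))$')


def parse_hidden_services(text: str) -> Dict[str, Dict[str, object]]:
    """Group the exported values by service name; the Parameters subkey is merged into the service."""
    services: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group("name"), {"control_sets": set()})
            current["control_sets"].add(key.group("cs"))  # type: ignore[union-attr]
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            current[val.group("k")] = int(val.group("d"), 16) if val.group("d") else val.group("s")
    return services


def triage_service(name: str, svc: Dict[str, object]) -> List[str]:
    """Return human-readable reasons this hidden service deserves a closer look."""
    findings: List[str] = []
    image = str(svc.get("ImagePath", ""))
    if "svchost.exe" in image.lower():
        group = image.split("-k", 1)[1].strip() if "-k" in image else "?"
        dll = str(svc.get("ServiceDll", ""))
        dll_base = dll.rsplit("\\", 1)[-1].lower()
        findings.append(f"hosted by svchost.exe group '{group}'; code lives in ServiceDll {dll or 'MISSING'}")
        impersonated = KNOWN_DESCRIPTIONS.get(str(svc.get("Description", "")))
        if impersonated and impersonated[0].lower() != name.lower():
            real_name, real_dll = impersonated
            findings.append(f"description copied from the '{real_name}' service ({real_dll}), but service is named '{name}'")
            if dll_base != real_dll:
                findings.append(f"ServiceDll {dll_base} does not match {real_dll}")
    if svc.get("Start") == 2:
        findings.append("Start=2: launched automatically at boot")
    if str(svc.get("ObjectName", "")).lower() == "localsystem":
        findings.append("runs as LocalSystem")
    return findings


if __name__ == "__main__":
    for svc_name, svc in parse_hidden_services(SAMPLE_EXPORT).items():
        print(svc_name, "present in", sorted(svc["control_sets"]))  # type: ignore[arg-type]
        for finding in triage_service(svc_name, svc):
            print("  -", finding)
```

Type 0x20 in the export is SERVICE_WIN32_SHARE_PROCESS, which is why the binary is svchost.exe and the real code is the ServiceDll; when a service is hidden from the service API, that DLL, not svchost.exe itself, is the file worth checking, and the copied description is the quickest tell that it is not the Browser service it is dressed up as.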
 
hi,

See if you can locate this .dll in the system32 directory. If so, you can upload it to a web site:

itxlf.dll

located here:
C:\WINDOWS\system32 (C:\WINDOWS\system32\itxlf.dll)

You can go to this website, browse for the file on your computer and click the Send button to upload it. After the scan is done you can copy/paste the URL (http://....) in your reply.

upload file here:
http://www.virustotal.com/

We will also get another download to use:

Please download: RootRepeal

http://rootrepeal.googlepages.com/RootRepeal.zip

Extract the file to your desktop.
Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

It may take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply
 
Shelf life

Virustotal.com is a blank page.

This file itxlf.dll is 7 years old, I don't think that is a problem...

RootRepeal has some problems; it cannot scan files and hidden services...
 
It's OK, I just set RootRepeal Settings - Options - Disk Access Level to High.

It was on Special, so it couldn't scan files and hidden services.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/06/15 20:42
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA91D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D7C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9CE1000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d606

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d05a

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1cd3c

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1e652

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1ce46

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1cf30

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2014c

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d8cc

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d362

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2064e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2008c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab200f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2076e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaab2072e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1cbba

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d814

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaac1d494

Hidden Services
-------------------
Service Name: ekqwsf
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

==EOF==
 
The file itxlf.dll is a system file; it can't be copied even in Safe Mode.

The file itxlf.dll is active / running even if the network connection is broken or in Safe Mode; this is an important system file, so I can't copy it to the desktop or upload it here....
 
Here is svchost.exe so you can check it on virusvault:

Hidden Services
-------------------
Service Name: ekqwsf
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs


but I don't think that is a virus...:fear:
 
Invalid file (svchost.exe), can't be uploaded, sorry.

svchost.exe

Generic Host Process for Win32 Services

But this file was created a long time ago, on 4 August 2004, 0:56:58.
 
OK, thanks for all the info. Not making any progress. I am trying hard to find any malware in all your logs. The only clue is that you can't get to certain websites and an IP address (fake server) 85... in the HJT log. That's a well-known IP range that will redirect web pages; normally it's no problem for Malwarebytes to remove.

Do you use a router? It's possible the malware could have changed your DNS settings in the router itself, if you are using the default and well-known login/password for the router. Log in to the router and check its DNS settings.

Does your antivirus update OK?

We will get another download, DDS:

Please download DDS and save it to your desktop.

Disable any script blocking protection.
Double click dds.scr to run the tool. When done, DDS.txt will open. Save both reports to your desktop. Copy/paste the first report in your reply. Don't post attach.txt.
 
dds 1

DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 18:02:11,20 on uto 16.06.2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.1023.674 [GMT 2:00]

AV: avast! antivirus 4.8.1335 [VPS 090615-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ba/
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SpywareTerminator] "c:\progra~1\spywar~1\SpywareTerminatorShield.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
dPolicies-explorer: NoFileUrl = 0 (0x0)
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: I&zvoz u Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Preuzmi odabrano Free Download Manager-om - file://c:\program files\free download manager\dlselected.htm
IE: Preuzmi sa Free Download Managerom - file://c:\program files\free download manager\dllink.htm
IE: Preuzmi sve sa Free Download Manager-om - file://c:\program files\free download manager\dlall.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: google.ba\www
Trusted Zone: live.com \www
Trusted Zone: safer-networking.org\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {7AF16863-5FF5-4227-9826-9F34B36E60B6} = 85.255.114.51 85.255.112.158
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-4 114768]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-4-12 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-4 138680]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-4 352920]
R3 PAC207;i-Look 111;c:\windows\system32\drivers\PFC027.SYS [2007-6-29 611584]
S2 Akamai;Akamai;c:\windows\system32\svchost.exe -k Akamai [2001-8-23 14336]
S2 ekqwsf;Task Installer;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-4 254040]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\windows live\messenger\usnsvc.exe [2007-10-18 98328]

=============== Created Last 30 ================

2009-06-13 16:56 <DIR> --d----- c:\windows\ERUNT
2009-06-13 16:53 <DIR> --d----- C:\SDFix
2009-06-12 21:33 244 a---h--- C:\sqmnoopt01.sqm
2009-06-12 21:33 232 a---h--- C:\sqmdata01.sqm
2009-06-12 18:23 <DIR> --ds---- c:\windows\Cookies
2009-06-12 18:14 161,792 a------- c:\windows\SWREG.exe
2009-06-12 18:14 155,136 a------- c:\windows\PEV.exe
2009-06-12 18:14 98,816 a------- c:\windows\sed.exe
2009-06-10 01:01 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-07 10:45 244 a---h--- C:\sqmnoopt00.sqm
2009-06-07 10:45 232 a---h--- C:\sqmdata00.sqm
2009-06-07 09:56 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2007-04-16 17:52 89,280 a--shr-- c:\windows\system32\itxlf.dll

============= FINISH: 18:03:02,42 ===============
 
dds 2

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 20.10.2006 17:20:07
System Uptime: 16.6.2009 17:57:02 (1 hours ago)

Motherboard: | | P4X400-8235
Processor: Intel(R) Celeron(R) CPU 2.40GHz | Socket 478 | 2424/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 38 GiB total, 25,539 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP2: 12.6.2009 18:32:43 - Kontrolna točka sustava
RP3: 14.6.2009 0:26:04 - Kontrolna točka sustava

==== Installed Programs ======================

ACDSee 10 Photo Manager
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HydraVision
avast! Antivirus
CCleaner (remove only)
Counter-Strike 1.6
DNA
Free Download Manager 2.5 Language pack
Glary Utilities 2.2.2.66
HijackThis 2.0.2
i-Look 111
iTunes
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 13
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Office Professional Edition 2003
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Nero 8
neroxml
Oblivion
Realtek AC'97 Audio
RTLSetup for Realtek RTL8139/810x Family NIC 3.00
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Skype™ 3.8
Spyware Terminator
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
VCRedistSetup
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows paket jezičnog sučelja
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Windows XP SP2 LIP update
WinRAR archiver
WinZip 11.1

==== Event Viewer Messages From Past Week ========

15.6.2009 21:13:50, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
15.6.2009 21:13:40, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
15.6.2009 20:33:16, error: Server [2505] - The server could not bind to the transport \Device\NetbiosSmb because another computer on the network has the same name. The server could not start.
15.6.2009 13:27:21, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
13.6.2009 16:57:01, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss sp_rsdrv2 Tcpip
13.6.2009 16:57:01, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:57:01, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:57:01, error: Service Control Manager [7001] - The IP Traffic Filter Driver service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:57:01, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:57:01, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
13.6.2009 16:56:16, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
13.6.2009 16:56:03, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
13.6.2009 16:56:01, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12.6.2009 18:46:37, error: Service Control Manager [7023] - The Task Installer service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
12.6.2009 18:42:18, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service NMIndexingService with arguments "" in order to run the server: {E8933C4B-2C90-4A04-A677-E958D9509F1A}
12.6.2009 18:15:13, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
11.6.2009 22:25:36, error: Service Control Manager [7023] - The Akamai service terminated with the following error: The specified module could not be found.

==== End Of File ===========================
 
What do you think? GMER scan below...

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-16 23:26:08
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose [0xAAC1D606]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0xAAC1D05A]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0xAAC1CD3C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0xAAC1E652]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0xAAC1CE46]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0xAAC1CF30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAA6A14C]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0xAAC1D8CC]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0xAAC1D362]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAA6A64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAA6A08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAA6A0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAA6A76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAA6A72E]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0xAAC1CBBA]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0xAAC1D814]
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0xAAC1D494]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[928] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 00D89DC4
.text C:\WINDOWS\System32\svchost.exe[928] NETAPI32.dll!NetpwPathCanonicalize 5B86A0F9 5 Bytes JMP 00D89D64
.text C:\WINDOWS\System32\svchost.exe[988] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 007F9DC4

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[612] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ekqwsf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@DisplayName Task Installer
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters@ServiceDll C:\WINDOWS\system32\itxlf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@DisplayName Task Installer
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf\Parameters
Reg HKLM\SYSTEM\ControlSet003\Services\ekqwsf\Parameters@ServiceDll C:\WINDOWS\system32\itxlf.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System

---- EOF - GMER 1.0.15 ----
 
hi,

OK, thanks for all the info. GMER was going to be next. I am not familiar with that rootkit; it was back in the RootRepeal log:

Service Name: ekqwsf
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

Now the bad news: rootkits can hide from traditional malware tools, as all this posting shows. Once a machine has been compromised to this extent, the best thing to do is reformat/reinstall Windows. The machine can no longer be trusted.

This MS advice is from 2004 but is still true:
http://technet.microsoft.com/en-us/library/cc512587.aspx
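As an added illustration (not code from this thread or from DDS, GMER or RootRepeal), the checks the helper applied by eye can be written down: scan the DDS and GMER output for resolvers inside a known-rogue DNS range, for services GMER marks as hidden, and for the ServiceDll such a service loads together with that file's attributes. The sample lines are copied from the logs above; the 85.255.112.0/20 reference range and the regular expressions are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: lines copied from the DDS and GMER output in this thread.
SAMPLE_LOG = r"""
TCP: {7AF16863-5FF5-4227-9826-9F34B36E60B6} = 85.255.114.51 85.255.112.158
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ekqwsf <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\ekqwsf\Parameters@ServiceDll C:\WINDOWS\system32\itxlf.dll
2007-04-16 17:52 89,280 a--shr-- c:\windows\system32\itxlf.dll
"""

# Assumption of this example: 85.255.112.0/20 is the resolver range used by the
# DNSChanger family; extend the list with whatever ranges your own intel supports.
ROGUE_DNS_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# DDS "TCP:" line: adapter GUID followed by the DNS servers it is configured with.
TCP_RE = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (.+)$")
# GMER service line flagged as hidden; the last token before the arrow is the name.
HIDDEN_SVC_RE = re.compile(r"^Service .*\(\*\*\* hidden \*\*\* \).*\]\s+(\S+)")
# GMER registry dump of the DLL that svchost loads for a given service.
SERVICEDLL_RE = re.compile(r"Services\\([^\\]+)\\Parameters@ServiceDll\s+(.+)$")
# DDS Find3M / Created-Last-30 file line: date, time, size, attribute flags, path.
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(\S+)\s+(\S+)$")


def triage(log_text):
    """Return a list of findings tuples derived from DDS/GMER log lines."""
    findings = []
    hidden = set()
    dll_by_service = {}
    attrs_by_path = {}
    for line in log_text.splitlines():
        m = TCP_RE.match(line)
        if m:
            for token in m.group(1).split():
                try:
                    addr = ipaddress.ip_address(token)
                except ValueError:
                    continue  # not an address; DDS sometimes lists names here
                if any(addr in net for net in ROGUE_DNS_NETS):
                    findings.append(("rogue_dns", token))
            continue
        m = HIDDEN_SVC_RE.match(line)
        if m:
            hidden.add(m.group(1))
            continue
        m = SERVICEDLL_RE.search(line)
        if m:
            dll_by_service[m.group(1)] = m.group(2).strip().lower()
            continue
        m = FIND3M_RE.match(line)
        if m:
            attrs_by_path[m.group(2).lower()] = m.group(1)
    # Correlate: a hidden service, the DLL it runs, and whether that DLL is itself
    # marked hidden ('h' in the attribute flags) on disk.
    for svc in sorted(hidden):
        dll = dll_by_service.get(svc)
        findings.append(("hidden_service", svc, dll))
        if dll and "h" in attrs_by_path.get(dll, ""):
            findings.append(("hidden_dll", dll, attrs_by_path[dll]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```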
 