Internet Connection Hijacked


This topic is locked (14 replies).

#1 wilkobradford (Members, 9 posts)

Posted 08 February 2009 - 05:30 AM

Hi,

My internet connection goes off after around 5 minutes. Tried lots of different Spyware/Malware progs but nothing resolves the problem.

Any help greatly appreciated.

HijackThis log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:00, on 08/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bradfordcityfc.premiumtv.co.uk/...,,10266,00.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bradfordcityfc.premiumtv.co.uk/...,,10266,00.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk.disabled
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

--
End of file - 5235 bytes
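As a worked example of how a helper reads a log like the one above (added here as an illustration; it is not part of the thread, not a HijackThis feature, and not code from any of the posters), the Python below parses HijackThis v2 entry lines and flags the items that normally get a second look: BHO CLSIDs whose DLL is gone, Run entries launched from user-writable folders, Winsock LSP providers HijackThis could not identify, services with no publisher string, and browser start/search pages pointing at a host you did not expect. The sample input mixes lines copied from the log above with one constructed O4 entry (the Temp-folder "updater") that is not from this machine; the expected-host set and the user-writable-path list are assumptions chosen for illustration.

```python
"""Triage a HijackThis v2 log: surface the entries a malware-response
helper reads first. Added example; not part of the original thread."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Section prefix ("O2", "O23", "R0") followed by " - " and the entry body.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
# Autostart locations a user can write to without admin rights (assumed
# list for the example): a Run entry pointing here deserves a look even
# when its name looks benign.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")


@dataclass(frozen=True)
class Finding:
    section: str
    entry: str
    reason: str


def parse(log: str) -> list[tuple[str, str]]:
    """Return (section, body) for every entry line; headers, the running
    process list and blank lines are skipped."""
    out = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def _url_host(body: str) -> str | None:
    # "HKCU\...\Main,Start Page = http://host/path" -> "host"
    _, sep, url = body.partition(" = ")
    if not sep or not url.strip():
        return None  # e.g. "Search,SearchAssistant =" with an empty value
    return (urlparse(url.strip()).hostname or "").lower() or None


def triage(log: str, expected_hosts: frozenset[str] | None = None) -> list[Finding]:
    """Flag entries by the rules of thumb a helper applies by eye.
    R-lines are only checked when a set of expected hosts is supplied."""
    findings: list[Finding] = []
    for sec, body in parse(log):
        low = body.lower()
        if sec.startswith("R") and expected_hosts is not None:
            host = _url_host(body)
            if host and host not in expected_hosts:
                findings.append(Finding(sec, body, f"start/search page points at unexpected host {host}"))
        elif sec == "O2" and "(no file)" in low:
            findings.append(Finding(sec, body, "BHO CLSID registered but its DLL is missing: orphan, safe to remove"))
        elif sec == "O4" and any(p in low for p in USER_WRITABLE):
            findings.append(Finding(sec, body, "autostart runs from a user-writable location"))
        elif sec == "O10":
            findings.append(Finding(sec, body, "Winsock LSP HijackThis cannot identify: verify the DLL's signature; "
                                               "deleting a live LSP by hand breaks networking"))
        elif sec == "O23" and "unknown owner" in low:
            findings.append(Finding(sec, body, "service binary carries no publisher string: check its signature"))
    return findings


# Sample: lines excerpted from the HijackThis log posted above, plus one
# constructed O4 entry (the Temp-folder updater) to exercise the path rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bradfordcityfc.premiumtv.co.uk/...,,10266,00.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56071E0D-C61B-11D3-B41C-00E02927A304} - (no file)
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_hosts=frozenset({"www.bradfordcityfc.premiumtv.co.uk"})):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

On the sample above the script reports four entries: the orphaned BHO, the constructed Temp-folder Run entry, the O10 LSP line and the Epson service with no owner string. A flag is a prompt to verify, not a verdict: HijackThis labels the LSP DLL "Unknown" only because it is not in its own list, so the next step is to check the file's signature and origin, exactly as the helper in this thread does by asking for further scans rather than deleting on sight.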


#2 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 14 February 2009 - 08:04 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Download and Run DDS
If you already have a copy of DDS, there is no need to download a new one.

DDS is a tool that gives us a general overview of the condition of your machine.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 wilkobradford (Topic Starter, Members, 9 posts)

Posted 15 February 2009 - 04:29 AM

Thanks Panda,

--------------

DDS log


DDS (Ver_09-02-01.01) - NTFSx86
Run by Kieran Wilkinson at 9:01:47.55 on 15/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.139 [GMT 0:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated)
FW: PCguard Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\WINDOWS\system32\sol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Safari\Safari.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Documents and Settings\Kieran Wilkinson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bradfordcityfc.premiumtv.co.uk/page/Home/0,,10266,00.html
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.bradfordcityfc.premiumtv.co.uk/page/Home/0,,10266,00.html
mSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {56071E0D-C61B-11D3-B41C-00E02927A304} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [PCguard] "c:\program files\virgin broadband\pcguard\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\virgin broadband\pcguard\ZkRunOnceR.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\documents and settings\all users.windows\start menu\programs\startup\blueyonder Instant Support Tool.lnk.disabled
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38186.4926041667
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2006-5-24 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2005-10-23 4224]
R1 Avg7RsXP;AVG7 Rezident Driver;c:\windows\system32\drivers\avg7rsxp.sys [2006-3-16 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-11-16 10760]
R1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [2008-10-30 11264]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-25 419448]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2005-12-7 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2005-10-23 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avgfre~1\avgemc.exe [2006-11-16 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2006-11-16 4960]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2003-3-31 5120]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-02-11 20:38 <DIR> --d----- c:\program files\HeavenWard
2009-02-11 03:00 <DIR> --d-h--- c:\windows\$hf_mig$
2009-02-07 22:20 512,686 a------- C:\HaxFix.exe
2009-02-07 22:20 <DIR> --d----- C:\HaxFix
2009-02-07 21:39 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-07 16:44 2,050 a------- c:\windows\system32\tmp.reg
2009-02-05 20:44 <DIR> --d----- c:\program files\XoftSpySE
2009-02-01 18:15 <DIR> --d----- c:\program files\Raxco
2009-02-01 17:50 53,192 a------- c:\windows\system32\drivers\rp_skt32.sys
2009-02-01 17:49 48,384 a------- c:\windows\system32\drivers\rp_pkt32.sys
2009-02-01 17:49 <DIR> --d----- c:\program files\common files\Authentium
2009-02-01 17:48 <DIR> --d----- c:\program files\CA
2009-02-01 17:47 <DIR> --d----- c:\program files\common files\Scanner
2009-02-01 17:25 <DIR> --d----- c:\docume~1\kieran~1\applic~1\Virgin Broadband
2009-02-01 17:24 <DIR> --d----- c:\program files\Virgin Broadband
2009-02-01 17:24 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Virgin Broadband
2009-02-01 13:26 72,192 ac------ c:\windows\system32\dllcache\sprio800.dll
2009-02-01 13:26 70,656 ac------ c:\windows\system32\dllcache\sprio600.dll
2009-02-01 13:26 72,192 a------- c:\windows\system32\sprio800.dll
2009-02-01 13:26 70,656 a------- c:\windows\system32\sprio600.dll
2009-02-01 13:05 159,744 a------- c:\windows\system32\hasher.dll
2009-02-01 13:05 <DIR> --d----- c:\program files\Trisnap Technologies
2009-01-31 21:19 <DIR> --d----- c:\program files\Wise Registry Cleaner 3
2009-01-31 20:29 <DIR> --d----- c:\program files\RegistryFix7
2009-01-31 11:55 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-31 11:55 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-31 11:55 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-31 11:55 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-31 11:52 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-31 11:50 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Soulseek
2009-01-26 21:35 <DIR> --d----- c:\docume~1\kieran~1\applic~1\Malwarebytes
2009-01-26 21:35 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-26 21:35 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 21:35 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-01-26 21:35 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 19:28 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 22:20 <DIR> --d----- c:\program files\a-squared Free
2009-01-25 21:45 <DIR> --d----- C:\temp
2009-01-25 21:44 <DIR> --d----- c:\program files\common files\supportsoft
2009-01-18 18:47 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
2009-01-18 18:46 <DIR> --d----- c:\program files\Security Task Manager
2009-01-18 16:04 4,608 a--sh--- c:\windows\system32\Thumbs.db

==================== Find3M ====================

2008-12-20 23:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-12 00:57 78,336 a------- c:\windows\system32\Agent.OMZ.Fix.exe
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2004-07-10 18:07 56 ---shr-- c:\windows\system32\33AFB556FE.sys
2008-09-24 20:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat

============= FINISH: 9:03:01.37 ===============


Attach log attached

-------------------------

Unfortunately gmer is crashing my PC every time I use it (both in Normal Mode and Safe Mode) - any suggestions?

-------------------------

Symptoms are the same as before. Only changes to my system are that I've uninstalled a few programs and tried a few more Malware scans.

Thanks,

wilkobradford


#4 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 15 February 2009 - 10:10 AM

Hello.

From what I see in the DDS log, you appear clean.

Please tell me how GMER crashes. Do you get a BSOD?
----
Let's try Avira Anti Rootkit

Download and Run Avira AntiRootkit
Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Desktop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop. Right click it and select Extract All. Delete the .zip file after extraction.
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe, then Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish. (You may now also delete the folder with the extracted files from the zip archive.)
You successfully installed Avira AntiRootkit
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run. Be patient until the scan finishes.
  • Click View report and copy the entire contents into your next reply.
Do not choose to rename any items found yet. There may be false positives.

With Regards,
The Panda

#5 wilkobradford (Topic Starter, Members, 9 posts)

Posted 15 February 2009 - 11:06 AM

Hi,

Yes - BSOD partway through the scan when using GMER.

--------------------------------------------

Avira Anti-Rootkit Log:

Avira AntiRootkit Tool - Beta (1.0.1.17)

========================================================================================================
- Scan started 15 February 2009 - 15:45:14
========================================================================================================

--------------------------------------------------------------------------------------------------------
Configuration:
--------------------------------------------------------------------------------------------------------
- [X] Scan files
- [X] Scan registry
- [X] Scan processes
- [ ] Fast scan
- Working disk total size : 114.49 GB
- Working disk free size : 38.61 GB (33 %)
--------------------------------------------------------------------------------------------------------

Results:
Hidden value : HKEY_USERS\S-1-5-21-1214440339-299502267-725345543-1004\Software\Buhl Data Service\On4u2\nanoPEG-MPEG2\ExtData -> offlinekey
Hidden value : HKEY_USERS\S-1-5-21-1214440339-299502267-725345543-1004\Software\Buhl Data Service\On4u2\nanoPEG-MPEG2\ExtData -> inittime
Hidden value : HKEY_USERS\S-1-5-21-1214440339-299502267-725345543-1004\Software\Buhl Data Service\On4u2\nanoPEG-MPEG2\ExtData -> lasttime
Hidden key : HKEY_USERS\S-1-5-21-1214440339-299502267-725345543-1004\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1214440339-299502267-725345543-1004\data
Hidden value : HKEY_USERS\S-1-5-21-1214440339-299502267-725345543-1004\Software\Microsoft\Protected Storage System Provider\S-1-5-21-1214440339-299502267-725345543-1004 -> migrate

--------------------------------------------------------------------------------------------------------
Files: 0/103007
Registry items: 5/466783
Processes: 0/42
Scan time: 00:18:25
--------------------------------------------------------------------------------------------------------
Active processes:
- pzivocbf.exe (PID 3300) (Avira AntiRootkit Tool - Beta)
- ssmypics.scr (PID 3820)
- System (PID 4)
- smss.exe (PID 516)
- csrss.exe (PID 572)
- winlogon.exe (PID 596)
- services.exe (PID 644)
- lsass.exe (PID 656)
- svchost.exe (PID 812)
- svchost.exe (PID 872)
- MsMpEng.exe (PID 960)
- svchost.exe (PID 1040)
- Fws.exe (PID 1076)
- explorer.exe (PID 1284)
- spoolsv.exe (PID 1508)
- a2service.exe (PID 1572)
- AppleMobileDeviceService.exe (PID 1592)
- avgamsvr.exe (PID 1620)
- avgupsvc.exe (PID 1704)
- avgemc.exe (PID 1732)
- dvpapi.exe (PID 1792)
- eEBSvc.exe (PID 1812)
- SAgent2.exe (PID 1832)
- nvsvc32.exe (PID 1864)
- svchost.exe (PID 1944)
- wdfmgr.exe (PID 1956)
- MsPMSPSv.exe (PID 1984)
- alg.exe (PID 1652)
- avgcc.exe (PID 2428)
- iTunesHelper.exe (PID 2448)
- MSASCui.exe (PID 2468)
- Broadbandadvisor.exe (PID 2504)
- RPS.exe (PID 2516)
- TeaTimer.exe (PID 2636)
- EasyShare.exe (PID 2880)
- iPodService.exe (PID 3332)
- BroadbandadvisorComHandler.exe (PID 3944)
- rpsupdaterR.exe (PID 4032)
- sol.exe (PID 3500)
- Safari.exe (PID 3188)
- explorer.exe (PID 896)
- avirarkd.exe (PID 2716)
========================================================================================================
- Scan finished 15 February 2009 - 16:03:40
========================================================================================================

#6 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 15 February 2009 - 11:27 AM

Hello.

Your AVG7 is outdated. Please uninstall it using Add/Remove Programs.

Then, install a new antivirus.

After installing, update the database, run a full system scan and remove any items found.

Any changes in the connection issue?

With Regards,
The Panda

#7 wilkobradford (Topic Starter, Members, 9 posts)

Posted 15 February 2009 - 03:59 PM

Hi,

Have uninstalled AVG but when restarting cannot get a connection for long enough to d/l any of the anti-virus programs.

Have done a scan with the anti-virus program that came with my broadband (Virgin Broadband PC Guard). This has come up with two infected files but says it cannot delete them. The names of the files are various.mbx (listed as a HTML/Frame virus) and trash.mbx (listed as HTML/patch.a). This anti-virus program was updated in the past few days, I think.

One other thing I noticed when using Internet Explorer (I normally use Safari) is that the option to search via Google in the toolbar redirects to a site called http://www.searchgateway.net. Anything to worry about?

Thanks in advance,

wilkobradford

#8 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 15 February 2009 - 04:07 PM

Hello.

Let's see what we can find.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
In your next reply include:
-the ComboFix log

With Regards,
The Panda

#9 wilkobradford (Topic Starter, Members, 9 posts)

Posted 15 February 2009 - 04:54 PM

Log as below:-

ComboFix 09-02-14.01 - Kieran Wilkinson 2009-02-15 21:40:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.222 [GMT 0:00]
Running from: c:\documents and settings\Kieran Wilkinson\Desktop\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated)
FW: PCguard Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-15 15:41 . 2009-02-15 15:41 <DIR> d-------- c:\program files\Avira GmbH
2009-02-15 09:05 . 2009-02-15 09:15 250 --a------ c:\windows\gmer.ini
2009-02-11 21:19 . 2009-02-11 21:19 <DIR> d-------- C:\ERDNT
2009-02-11 20:38 . 2009-02-11 20:38 <DIR> d-------- c:\program files\HeavenWard
2009-02-11 03:01 . 2009-02-11 03:01 1,374 --a------ c:\windows\imsins.BAK
2009-02-11 03:00 . 2009-02-14 20:12 <DIR> d--h----- c:\windows\$hf_mig$
2009-02-07 22:20 . 2009-02-11 21:18 <DIR> d-------- C:\HaxFix
2009-02-07 22:20 . 2009-02-07 22:19 512,686 --a------ C:\HaxFix.exe
2009-02-07 21:39 . 2009-02-07 21:39 <DIR> d-------- c:\program files\SpywareBlaster
2009-02-07 17:45 . 2009-02-15 16:57 <DIR> d-------- c:\documents and settings\Administrator.KIERAN
2009-02-05 20:44 . 2009-02-05 20:44 <DIR> d-------- c:\program files\XoftSpySE
2009-02-01 18:15 . 2009-02-01 18:15 <DIR> d-------- c:\program files\Raxco
2009-02-01 18:15 . 2009-02-01 18:15 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Raxco
2009-02-01 17:50 . 2009-02-01 18:14 53,192 --a------ c:\windows\system32\drivers\rp_skt32.sys
2009-02-01 17:49 . 2009-02-01 17:49 <DIR> d-------- c:\program files\Common Files\Authentium
2009-02-01 17:49 . 2007-04-19 11:36 48,384 --a------ c:\windows\system32\drivers\rp_pkt32.sys
2009-02-01 17:48 . 2009-02-01 17:48 <DIR> d-------- c:\program files\CA
2009-02-01 17:47 . 2009-02-01 17:48 <DIR> d-------- c:\program files\Common Files\Scanner
2009-02-01 17:25 . 2009-02-01 17:51 <DIR> d-------- c:\documents and settings\Kieran Wilkinson\Application Data\Virgin Broadband
2009-02-01 17:24 . 2009-02-01 17:46 <DIR> d-------- c:\program files\Virgin Broadband
2009-02-01 17:24 . 2009-02-01 17:46 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Virgin Broadband
2009-02-01 13:26 . 2001-08-17 22:36 72,192 --a------ c:\windows\system32\sprio800.dll
2009-02-01 13:26 . 2001-08-17 22:36 72,192 --a--c--- c:\windows\system32\dllcache\sprio800.dll
2009-02-01 13:26 . 2001-08-17 22:36 70,656 --a------ c:\windows\system32\sprio600.dll
2009-02-01 13:26 . 2001-08-17 22:36 70,656 --a--c--- c:\windows\system32\dllcache\sprio600.dll
2009-02-01 13:05 . 2009-02-01 13:05 <DIR> d-------- c:\program files\Trisnap Technologies
2009-02-01 13:05 . 2006-04-13 22:05 159,744 --a------ c:\windows\system32\hasher.dll
2009-02-01 11:18 . 2009-02-07 21:50 <DIR> d-a------ c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-01-31 21:19 . 2009-02-07 21:50 <DIR> d-------- c:\program files\Wise Registry Cleaner 3
2009-01-31 20:29 . 2009-02-07 21:50 <DIR> d-------- c:\program files\RegistryFix7
2009-01-31 11:55 . 2009-01-31 11:55 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-31 11:55 . 2009-01-31 11:55 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-31 11:55 . 2009-01-31 11:55 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-31 11:55 . 2009-01-31 11:55 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-31 11:52 . 2009-01-31 11:52 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-31 11:50 . 2009-01-31 11:50 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Soulseek
2009-01-26 21:35 . 2009-01-31 11:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 21:35 . 2009-01-26 21:35 <DIR> d-------- c:\documents and settings\Kieran Wilkinson\Application Data\Malwarebytes
2009-01-26 21:35 . 2009-01-26 21:35 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-01-26 21:35 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 21:35 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 19:28 . 2009-01-26 19:28 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 22:20 . 2009-02-07 20:53 <DIR> d-------- c:\program files\a-squared Free
2009-01-25 21:45 . 2009-01-25 21:45 <DIR> d-------- C:\temp
2009-01-25 21:44 . 2009-01-31 11:55 <DIR> d-------- c:\program files\Common Files\supportsoft
2009-01-25 17:14 . 2009-01-31 11:55 <DIR> d-------- c:\program files\Windows Defender
2009-01-18 18:47 . 2009-01-31 10:38 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\SecTaskMan
2009-01-18 18:46 . 2009-01-31 10:38 <DIR> d-------- c:\program files\Security Task Manager
2009-01-18 16:04 . 2009-02-07 21:07 4,608 --ahs---- c:\windows\system32\Thumbs.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-15 21:46 996,147 ----a-w c:\windows\system32\drivers\RemoveAny.log
2009-02-15 15:41 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 21:49 --------- d-----w c:\program files\Google
2009-02-01 17:56 --------- d-----w c:\program files\blueyonder
2009-01-31 11:55 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-31 11:55 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-01-31 11:53 --------- d-----w c:\program files\iTunes
2009-01-31 11:53 --------- d-----w c:\program files\iPod
2009-01-31 11:53 --------- d-----w c:\program files\Common Files\Apple
2009-01-31 11:53 --------- d-----w c:\program files\Bonjour
2009-01-31 11:52 --------- d-----w c:\program files\QuickTime
2009-01-31 11:51 --------- d-----w c:\program files\Safari
2009-01-31 11:51 --------- d-----w c:\documents and settings\Kieran Wilkinson\Application Data\uTorrent
2009-01-31 11:36 --------- d-----w c:\documents and settings\Kieran Wilkinson\Application Data\foobar2000
2004-07-10 18:07 56 --sh--r c:\windows\system32\33AFB556FE.sys
2008-09-24 20:40 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 2061552]
"PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 310000]
"-FreedomNeedsReboot"="c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-12-18 3022848]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
blueyonder Instant Support Tool.lnk.disabled [2006-03-11 1762]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5\\0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kieran Wilkinson^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=c:\windows\pss\MagicDisc.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mini DCI Hunt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Startup Manager Scanner
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2005-12-10 14:57 133016 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-09-22 09:05 438359 c:\progra~1\BLUEYO~1\SMARTB~1\blueyonder-istnotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
-ra------ 2003-12-18 02:28 3022848 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
-ra------ 2003-12-18 02:28 753664 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"TUWinStylerThemeSvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Bonjour Service"=2 (0x2)
"rpcapd"=3 (0x3)
"RemoteAccess"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"gusvc"=3 (0x3)
"Dot3svc"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"BITS"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NVMCTRAY.DLL,NvTaskbarInit
"RegistryMechanic"=c:\program files\Registry Mechanic\RegMech.exe /H

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Kieran Wilkinson\\Desktop\\Downloads\\utorrent.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [2008-10-30 11264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\system32\dllhost.exe [2003-03-31 5120]
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe []

2009-02-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-02-15 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-02-04 17:16]

2009-02-10 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-02-04 17:16]
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{2D7E38A6-A604-45AE-9A87-4F5F25760650} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bradfordcityfc.premiumtv.co.uk/page/Home/0,,10266,00.html
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.bradfordcityfc.premiumtv.co.uk/page/Home/0,,10266,00.html
mSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 21:45:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1214440339-299502267-725345543-1004\Software\Buhl Data Service\On4u2\nanoPEG-MPEG2\ExtData*]
"OfflineKey"="f2il02yz+PoZfjShe/bLtuIDuYUBXeXUSWODhqNUumv3oOlHB49Ggag/Ux9ZDvEsiVq2jZf5MtEwG1zPn9Y5ZBlCRpLjQq0IeZD6YM6DUSL1Dw5ezTED+76pG/fTcdTwjkqgXOjaQbpdV8YRoc63RmtiKTSgHEyoOcOz9SiTTdg92YVZUHJlvDxvG9i2mzXwmpTt612YFze6fgeLiJykSA==VrucDNcYMhmPayVKXsfLIdOQkMGqiA0keZ9F5JbfKDeg/lQgj/57bChsVTvMte7/qDJdzroqRy3RDG67GPuKOw=="
"InitTime"=dword:0000953f
"LastTime"=dword:00009556
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Virgin Broadband\PCguard\Fws.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
c:\program files\Virgin Broadband\PCguard\rpsupdaterR.exe
.
**************************************************************************
.
Completion time: 2009-02-15 21:52:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-15 21:52:08
ComboFix2.txt 2007-10-19 20:23:03

Pre-Run: 41,498,652,672 bytes free
Post-Run: 41,585,180,672 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

284 --- E O F --- 2009-02-15 08:56:54

-----------------------

Thanks,

wilkobradford

#10 PropagandaPanda
  • Malware Response Team

Posted 15 February 2009 - 05:29 PM

Hello.

Is the issue still occurring?

With Regards,
The Panda

#11 wilkobradford
  • Topic Starter

Posted 15 February 2009 - 05:38 PM

I'm afraid so.

Getting about ten minutes or so connection and then nothing (unplugging the modem and plugging it in again gives me another ten mins but I'm assured by my service provider that it's not a fault with the modem).

Wilkobradford

#12 wilkobradford
  • Topic Starter

Posted 15 February 2009 - 05:43 PM

Actually - hold that thought. It DOES seem to be staying connected for longer.

I'll update tomorrow when I've given it some time.

#13 wilkobradford
  • Topic Starter

Posted 15 February 2009 - 05:52 PM

False alarm - I'm still experiencing exactly the same problem.

wilkobradford

#14 PropagandaPanda
  • Malware Response Team

Posted 16 February 2009 - 01:40 PM

Hello.

This does not appear to be caused by malware. Usually, in that case, your connection would be gone completely, or you would be blocked from accessing security sites.

I would suggest you start a topic in the Internet & Networking forums. Include a link back to this topic.

With Regards,
The Panda

#15 PropagandaPanda
  • Malware Response Team

Posted 25 February 2009 - 03:39 PM

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
