
infected svchost.exe, Win32, Java, trojans, too many to list!


  • This topic is locked
9 replies to this topic

#1 shred1970

shred1970

  • Members
  • 105 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:37 AM

Posted 20 January 2011 - 12:55 AM

Hello and thank you for reading this. I use a home PC that is shared by several users. I suspect my teenage son managed to fill up my PC with viruses. I turned it on to surf the net and found that I could not connect to my homepage. A small icon appeared in the system tray saying "windows virus scanner has detected a threat on your pc", and a "scan" appeared which I could stop but which would reappear after 30 seconds or so; the whole lot looked suspect and definitely not from Windows. I could not connect to any site apart from the one I was being directed to by the "windows" system tray icon and scan. I ran Avast anti-virus (free version) and it found no problems. Then the anti-virus itself started packing it in. I removed it, reinstalled and updated it and did a scan on boot. Here are the names of some of the items it found (there were multiple).

Win32:Rootkit-gen [Rtk]
Win32:Kryptik-YG [Trj]
Java:Agent-BT [Trj]
Java:Jade-A [Heur]
Java:Agent-BW [Trj]
Win32:Malware-gen
Win32:Kryptik-YG [Trj]
Java:Jade-C [Heur]

I had already started deleting Java files, and I had also found that I couldn't delete some old spyware removal programs such as Spybot (I had also found there were other known files in the Spybot folder ????).
After the scan I have found that I can now use the internet, but IE is unstable and Avast is constantly popping up with some threat or another. Also, new windows open up to sites that I have not clicked on or that there is no link to from the current page I'm on, such as Facebook. Feels like browser hijacking. At the moment I don't recall any other info that may help; however, I do have the DDS notepad log and the attachment. I do not know if my PC is 32 or 64 bit so I left that alone. All I do know is that it's Windows XP Home Service Pack 3 (2002) edition.

Thank you so much for your time :crazy:



DDS (Ver_10-12-12.02) - NTFSx86
Run by Music at 14:46:40.43 on Thu 20/01/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.383.129 [GMT 10:00]

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Music\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
mWinlogon: UIHost=%SystemRoot%\system32\logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: DVDVideoSoftTB Toolbar: {872b5b88-9db5-4310-bdd0-ac189557e5f5} - c:\program files\dvdvideosofttb\tbDVD2.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\voobys.lnk - c:\windows\installer\{b72257d6-189d-4cb0-9cdc-26a93536c34b}\_16496df1.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2005-10-15 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [2005-10-15 5248]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-19 294608]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [2007-4-26 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [2007-4-26 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-1-19 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-19 40384]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\sunbelt software\personal firewall\kpf4ss.exe [2007-4-26 1234480]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-2 217600]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2010-3-24 16896]
RUnknown szkg5;szkg5; [x]
RUnknown szkgfs;szkgfs; [x]
S3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [2010-3-25 23096]
S3 PID_400C;Video Blaster WebCam 5 (WDM);c:\windows\system32\drivers\Pd100Vid.sys [2006-11-10 336617]
UnknownUnknown is3srv;is3srv; [x]

=============== Created Last 30 ================

2011-01-20 02:55:49 -------- d-----w- c:\program files\common files\iS3
2011-01-20 02:55:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2011-01-19 09:33:16 38848 ----a-w- c:\windows\avastSS.scr
2011-01-19 07:16:45 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-19 07:16:45 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-06 07:43:57 -------- d-----w- c:\docume~1\music\applic~1\TuneUp Software

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-15 08:07:20 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2007-05-28 03:46:06 816736 ----a-w- c:\program files\Norton_Removal_Tool.exe
2005-03-31 12:17:42 40960 ----a-w- c:\program files\Uninstall_CDS.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: IC35L040AVVA07-0 rev.VA2OA51A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83644735]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8364a990]; MOV EAX, [0x8364aa0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8378F280]
3 CLASSPNP[0xF7719FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x83796F18]
\Driver\atapi[0x8376AA48] -> IRP_MJ_CREATE -> 0x83644735
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskIC35L040AVVA07-0________________________VA2OA51A#5&b1800df&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8364457B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:49:18.71 ===============


Edited by shred1970, 20 January 2011 - 01:12 AM.

" Those who wander from the way of understanding will surely rest in the assembly of the dead." - Author unknown.
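The DDS log above is what a removal helper reads before deciding on the next tool, and the decision rests on a few line patterns: an IE registration that resolves to "No File", an autorun target whose file name carries a space before the extension, a service whose binary is gone ("[x]"), and any hook or warning in the GMER rootkit section. The script below is an added example written for this thread; it is not part of DDS, GMER or any post here. It parses the sectioned DDS text format and flags those indicators. The sample log is a constructed excerpt assembled from lines quoted in the post above, and the finding labels and the `verdict()` thresholds are this example's own choices, not anything DDS defines.

```python
"""Triage helper for DDS-style diagnostic logs.

Added example for this thread; it is not part of the DDS tool or of any post
here. It splits the sectioned text that DDS emits and flags the indicators a
removal helper reads first: orphaned IE registrations, autorun targets whose
file name carries a space before the extension, services whose binary is
missing, and hooks or warnings in the GMER rootkit section. SAMPLE_LOG is a
constructed excerpt assembled from lines quoted in the thread above."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr .exe" /background
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\voobys.lnk - c:\windows\installer\{b72257d6-189d-4cb0-9cdc-26a93536c34b}\_16496df1.exe

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-1-19 294608]
RUnknown szkg5;szkg5; [x]
UnknownUnknown is3srv;is3srv; [x]

=================== ROOTKIT ====================

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83644735]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x8364457B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:49:18.71 ===============
"""

# "=== Section Name ===" separators used throughout a DDS log.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A file name with whitespace before its extension ("msnmsgr .exe") is not
# something an installer produces; it deserves a manual look.
SPACED_EXT_RE = re.compile(r"\S\s+\.(exe|com|scr|dll|sys)\b", re.IGNORECASE)

# Finding kinds that, on their own, call for a rootkit scanner next.
ROOTKIT_KINDS = {"unknown-module-in-disk-stack", "driver-hook", "rootkit-warning"}


def split_sections(text):
    """Group non-empty lines under the DDS section header they follow."""
    sections = defaultdict(list)
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (kind, line) findings for the indicators described above."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):
            findings.append(("orphaned-entry", line))
        elif SPACED_EXT_RE.search(line):
            findings.append(("spaced-extension", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        if line.endswith("[x]"):  # DDS marks a service whose binary is missing with [x]
            findings.append(("service-binary-missing", line))
    in_hooks = False  # true while reading the lines under "detected hooks:"
    for line in sections.get("ROOTKIT", []):
        if ">>UNKNOWN" in line:
            findings.append(("unknown-module-in-disk-stack", line))
        elif line.startswith("Warning:"):
            findings.append(("rootkit-warning", line))
        elif line.startswith("detected hooks:"):
            in_hooks = True
        elif in_hooks and "->" in line:
            findings.append(("driver-hook", line))
        else:
            in_hooks = False
    return findings


def verdict(findings):
    """Collapse the findings into the call a helper has to make next."""
    kinds = {kind for kind, _ in findings}
    if kinds & ROOTKIT_KINDS:
        return "rootkit-suspected"
    return "review" if kinds else "clean"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, line in results:
        print(f"{kind:30} {line}")
    print("verdict:", verdict(results))
```

Run against the constructed sample it reports seven findings and a verdict of `rootkit-suspected`, which matches the helper's first move in the thread (a TDSS-specific scanner before anything else). The checks are deliberately conservative: an orphaned BHO or a missing service binary is a cleanup item, not proof of infection, while the GMER hook and warning lines are the ones that change the course of the work.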


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:01:37 AM

Posted 20 January 2011 - 08:19 AM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.




Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 shred1970

shred1970
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:37 AM

Posted 23 January 2011 - 12:20 AM

Wow, thanks for your fast response. Here are the logs :thumbup2: Thanks again for your help.

12:13:46:892 3076 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
12:13:46:892 3076 ================================================================================
12:13:46:892 3076 SystemInfo:

12:13:46:892 3076 OS Version: 5.1.2600 ServicePack: 3.0
12:13:46:892 3076 Product type: Workstation
12:13:46:892 3076 ComputerName: WAZZA
12:13:46:892 3076 UserName: Music
12:13:46:892 3076 Windows directory: C:\WINDOWS
12:13:46:892 3076 Processor architecture: Intel x86
12:13:46:892 3076 Number of processors: 1
12:13:46:892 3076 Page size: 0x1000
12:13:46:892 3076 Boot type: Normal boot
12:13:46:892 3076 ================================================================================
12:13:46:892 3076 UnloadDriverW: NtUnloadDriver error 2
12:13:46:892 3076 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:13:46:908 3076 Initialize success
12:13:46:908 3076
12:13:46:908 3076 Scanning Services ...
12:13:46:908 3076 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:13:46:908 3076 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:13:46:908 3076 wfopen_ex: Trying to KLMD file open
12:13:46:908 3076 wfopen_ex: File opened ok (Flags 2)
12:13:46:908 3076 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:13:46:908 3076 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:13:46:908 3076 wfopen_ex: Trying to KLMD file open
12:13:46:908 3076 wfopen_ex: File opened ok (Flags 2)
12:13:47:345 3076 GetAdvancedServicesInfo: Raw services enum returned 346 services
12:13:47:345 3076 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:13:47:345 3076 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:13:47:345 3076
12:13:47:345 3076 Scanning Kernel memory ...
12:13:47:361 3076 Devices to scan: 4
12:13:47:361 3076
12:13:47:361 3076 Driver Name: Disk
12:13:47:361 3076 IRP_MJ_CREATE : F76EFBB0
12:13:47:361 3076 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:13:47:361 3076 IRP_MJ_CLOSE : F76EFBB0
12:13:47:361 3076 IRP_MJ_READ : F76E9D1F
12:13:47:361 3076 IRP_MJ_WRITE : F76E9D1F
12:13:47:361 3076 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:13:47:361 3076 IRP_MJ_SET_INFORMATION : 804FA88E
12:13:47:361 3076 IRP_MJ_QUERY_EA : 804FA88E
12:13:47:361 3076 IRP_MJ_SET_EA : 804FA88E
12:13:47:361 3076 IRP_MJ_FLUSH_BUFFERS : F76EA2E2
12:13:47:361 3076 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:13:47:361 3076 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:13:47:361 3076 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:13:47:361 3076 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:13:47:361 3076 IRP_MJ_DEVICE_CONTROL : F76EA3BB
12:13:47:361 3076 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76EDF28
12:13:47:361 3076 IRP_MJ_SHUTDOWN : F76EA2E2
12:13:47:361 3076 IRP_MJ_LOCK_CONTROL : 804FA88E
12:13:47:361 3076 IRP_MJ_CLEANUP : 804FA88E
12:13:47:361 3076 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:13:47:361 3076 IRP_MJ_QUERY_SECURITY : 804FA88E
12:13:47:361 3076 IRP_MJ_SET_SECURITY : 804FA88E
12:13:47:361 3076 IRP_MJ_POWER : F76EBC82
12:13:47:361 3076 IRP_MJ_SYSTEM_CONTROL : F76F099E
12:13:47:361 3076 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:13:47:361 3076 IRP_MJ_QUERY_QUOTA : 804FA88E
12:13:47:361 3076 IRP_MJ_SET_QUOTA : 804FA88E
12:13:47:377 3076 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
12:13:47:377 3076 sion
12:13:47:377 3076 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:13:47:377 3076
12:13:47:377 3076 Driver Name: USBSTOR
12:13:47:377 3076 IRP_MJ_CREATE : F7A8E218
12:13:47:377 3076 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:13:47:377 3076 IRP_MJ_CLOSE : F7A8E218
12:13:47:377 3076 IRP_MJ_READ : F7A8E23C
12:13:47:377 3076 IRP_MJ_WRITE : F7A8E23C
12:13:47:377 3076 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:13:47:377 3076 IRP_MJ_SET_INFORMATION : 804FA88E
12:13:47:377 3076 IRP_MJ_QUERY_EA : 804FA88E
12:13:47:377 3076 IRP_MJ_SET_EA : 804FA88E
12:13:47:377 3076 IRP_MJ_FLUSH_BUFFERS : 804FA88E
12:13:47:377 3076 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:13:47:377 3076 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:13:47:377 3076 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:13:47:377 3076 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:13:47:377 3076 IRP_MJ_DEVICE_CONTROL : F7A8E180
12:13:47:377 3076 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7A899E6
12:13:47:377 3076 IRP_MJ_SHUTDOWN : 804FA88E
12:13:47:377 3076 IRP_MJ_LOCK_CONTROL : 804FA88E
12:13:47:377 3076 IRP_MJ_CLEANUP : 804FA88E
12:13:47:377 3076 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:13:47:377 3076 IRP_MJ_QUERY_SECURITY : 804FA88E
12:13:47:377 3076 IRP_MJ_SET_SECURITY : 804FA88E
12:13:47:377 3076 IRP_MJ_POWER : F7A8D5F0
12:13:47:377 3076 IRP_MJ_SYSTEM_CONTROL : F7A8BA6E
12:13:47:377 3076 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:13:47:377 3076 IRP_MJ_QUERY_QUOTA : 804FA88E
12:13:47:377 3076 IRP_MJ_SET_QUOTA : 804FA88E
12:13:47:392 3076 siohd: 0
12:13:47:392 3076 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
12:13:47:392 3076
12:13:47:392 3076 Driver Name: Disk
12:13:47:392 3076 IRP_MJ_CREATE : F76EFBB0
12:13:47:392 3076 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
12:13:47:392 3076 IRP_MJ_CLOSE : F76EFBB0
12:13:47:392 3076 IRP_MJ_READ : F76E9D1F
12:13:47:392 3076 IRP_MJ_WRITE : F76E9D1F
12:13:47:392 3076 IRP_MJ_QUERY_INFORMATION : 804FA88E
12:13:47:392 3076 IRP_MJ_SET_INFORMATION : 804FA88E
12:13:47:392 3076 IRP_MJ_QUERY_EA : 804FA88E
12:13:47:392 3076 IRP_MJ_SET_EA : 804FA88E
12:13:47:392 3076 IRP_MJ_FLUSH_BUFFERS : F76EA2E2
12:13:47:392 3076 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
12:13:47:392 3076 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
12:13:47:392 3076 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
12:13:47:392 3076 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
12:13:47:392 3076 IRP_MJ_DEVICE_CONTROL : F76EA3BB
12:13:47:392 3076 IRP_MJ_INTERNAL_DEVICE_CONTROL : F76EDF28
12:13:47:392 3076 IRP_MJ_SHUTDOWN : F76EA2E2
12:13:47:392 3076 IRP_MJ_LOCK_CONTROL : 804FA88E
12:13:47:392 3076 IRP_MJ_CLEANUP : 804FA88E
12:13:47:392 3076 IRP_MJ_CREATE_MAILSLOT : 804FA88E
12:13:47:392 3076 IRP_MJ_QUERY_SECURITY : 804FA88E
12:13:47:392 3076 IRP_MJ_SET_SECURITY : 804FA88E
12:13:47:392 3076 IRP_MJ_POWER : F76EBC82
12:13:47:392 3076 IRP_MJ_SYSTEM_CONTROL : F76F099E
12:13:47:392 3076 IRP_MJ_DEVICE_CHANGE : 804FA88E
12:13:47:392 3076 IRP_MJ_QUERY_QUOTA : 804FA88E
12:13:47:392 3076 IRP_MJ_SET_QUOTA : 804FA88E
12:13:47:392 3076 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
12:13:47:392 3076 sion
12:13:47:392 3076 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:13:47:392 3076
12:13:47:392 3076 Driver Name: atapi
12:13:47:392 3076 IRP_MJ_CREATE : 8274E5B8
12:13:47:392 3076 IRP_MJ_CREATE_NAMED_PIPE : 8274E5B8
12:13:47:392 3076 IRP_MJ_CLOSE : 8274E5B8
12:13:47:392 3076 IRP_MJ_READ : 8274E5B8
12:13:47:392 3076 IRP_MJ_WRITE : 8274E5B8
12:13:47:392 3076 IRP_MJ_QUERY_INFORMATION : 8274E5B8
12:13:47:392 3076 IRP_MJ_SET_INFORMATION : 8274E5B8
12:13:47:392 3076 IRP_MJ_QUERY_EA : 8274E5B8
12:13:47:392 3076 IRP_MJ_SET_EA : 8274E5B8
12:13:47:392 3076 IRP_MJ_FLUSH_BUFFERS : 8274E5B8
12:13:47:392 3076 IRP_MJ_QUERY_VOLUME_INFORMATION : 8274E5B8
12:13:47:392 3076 IRP_MJ_SET_VOLUME_INFORMATION : 8274E5B8
12:13:47:392 3076 IRP_MJ_DIRECTORY_CONTROL : 8274E5B8
12:13:47:392 3076 IRP_MJ_FILE_SYSTEM_CONTROL : 8274E5B8
12:13:47:392 3076 IRP_MJ_DEVICE_CONTROL : 8274E5B8
12:13:47:392 3076 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8274E5B8
12:13:47:392 3076 IRP_MJ_SHUTDOWN : 8274E5B8
12:13:47:392 3076 IRP_MJ_LOCK_CONTROL : 8274E5B8
12:13:47:392 3076 IRP_MJ_CLEANUP : 8274E5B8
12:13:47:392 3076 IRP_MJ_CREATE_MAILSLOT : 8274E5B8
12:13:47:392 3076 IRP_MJ_QUERY_SECURITY : 8274E5B8
12:13:47:392 3076 IRP_MJ_SET_SECURITY : 8274E5B8
12:13:47:392 3076 IRP_MJ_POWER : 8274E5B8
12:13:47:392 3076 IRP_MJ_SYSTEM_CONTROL : 8274E5B8
12:13:47:392 3076 IRP_MJ_DEVICE_CHANGE : 8274E5B8
12:13:47:392 3076 IRP_MJ_QUERY_QUOTA : 8274E5B8
12:13:47:392 3076 IRP_MJ_SET_QUOTA : 8274E5B8
12:13:47:423 3076 ihd: 0, 0, 0, 0, 0, 0, 0
12:13:47:423 3076 siohd: 0
12:13:47:423 3076 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
12:13:47:423 3076
12:13:47:423 3076 Completed
12:13:47:423 3076
12:13:47:423 3076 Results:
12:13:47:423 3076 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
12:13:47:423 3076 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:13:47:423 3076 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:13:47:423 3076
12:13:47:423 3076 KLMD(ARK) unloaded successfully


ComboFix 11-01-22.02 - Music 23/01/2011 14:46:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.383.127 [GMT 10:00]
Running from: c:\documents and settings\Music\Desktop\Combo-Fix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *Enabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\charlie\Application Data\PriceGong
c:\documents and settings\charlie\Application Data\PriceGong\Data\1.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\a.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\b.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\c.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\d.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\e.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\f.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\g.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\h.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\i.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\J.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\k.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\l.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\m.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\n.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\o.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\p.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\q.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\r.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\s.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\t.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\u.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\v.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\w.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\x.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\y.xml
c:\documents and settings\charlie\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Music\Application Data\PriceGong
c:\documents and settings\Music\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Music\Application Data\PriceGong\Data\z.xml
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\007fe149-a8cd-4c7f-94a0-64b4f71648a1.cab
c:\windows\Downloaded Program Files\ODCTOOLS\1008c0cc-eeb5-4b5d-b09d-95caf076251b.cab
c:\windows\Downloaded Program Files\ODCTOOLS\632a73e1-8239-4697-8784-dd99c3138805.cab
c:\windows\Downloaded Program Files\ODCTOOLS\8ae2367a-833a-4bb7-b3dc-a2283f56f11b.cab
c:\windows\Downloaded Program Files\ODCTOOLS\b39da91d-a370-47a2-b2e7-912d5868de5d.cab
c:\windows\system\Pd100Ex.ax
c:\windows\system\Pd100Ex.dll
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_1_0_449200.gif
c:\windows\system32\Data
c:\windows\system32\muzapp.exe
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2010-12-23 to 2011-01-23 )))))))))))))))))))))))))))))))
.

2011-01-20 10:40 . 2011-01-20 10:40 -------- d-----w- c:\documents and settings\Music\Application Data\Malwarebytes
2011-01-20 10:39 . 2010-12-20 08:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-20 10:39 . 2011-01-20 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-20 10:39 . 2011-01-20 10:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-20 10:39 . 2010-12-20 08:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-20 02:55 . 2011-01-20 02:55 -------- d-----w- c:\program files\Common Files\iS3
2011-01-20 02:55 . 2011-01-20 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-01-19 09:34 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-19 09:34 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-19 09:34 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-19 09:34 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-19 09:34 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-19 09:34 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-19 09:34 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-19 09:33 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-01-19 09:33 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-19 07:16 . 2011-01-19 07:16 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-06 07:43 . 2011-01-06 07:43 -------- d-----w- c:\documents and settings\Music\Application Data\TuneUp Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2005-10-15 09:35 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-15 08:07 . 2010-11-15 04:14 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2007-05-28 03:46 . 2009-12-25 08:11 816736 ----a-w- c:\program files\Norton_Removal_Tool.exe
2005-03-31 12:17 . 2007-08-09 03:13 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.
<pre>
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\DVDVideoSoftTB\tbDVD2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVD2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Voobys.lnk - c:\windows\Installer\{B72257D6-189D-4CB0-9CDC-26A93536C34B}\_16496df1.exe [2009-1-5 3774]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" startup
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [15/10/2005 9:32 PM 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [15/10/2005 9:32 PM 5248]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [19/01/2011 7:34 PM 294608]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26/04/2007 10:21 AM 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26/04/2007 10:21 AM 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19/01/2011 7:34 PM 17744]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26/04/2007 10:21 AM 1234480]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [24/03/2010 6:14 PM 16896]
S3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [25/03/2010 5:48 PM 23096]
S3 PID_400C;Video Blaster WebCam 5 (WDM);c:\windows\system32\drivers\Pd100Vid.sys [10/11/2006 6:52 PM 336617]
.
Contents of the 'Scheduled Tasks' folder

2011-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-Creative Video Blaster WebCam 5 - c:\windows\CtDrvIns.exe -uninstall usb\vid_041E&pid_400C&MI_00 -plugin pd100pin.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-23 15:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-01-23 15:11:25
ComboFix-quarantined-files.txt 2011-01-23 05:11

Pre-Run: 15,798,558,720 bytes free
Post-Run: 16,060,547,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - ED7B61AACC67941F39777BFF85C07368
" Those who wander from the way of understanding will surely rest in the assembly of the dead." - Author unknown.

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 23 January 2011 - 07:31 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

RenV::
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
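As an added example (not code from the thread, ComboFix or the helper), here is a small Python script that scans ComboFix-style log lines for the oddity the RenV:: step above corrects, a file name with whitespace inserted just before its extension, and renders the matching CFScript section. The sample log is constructed from paths posted in this thread; the function names are my own.

```python
import ntpath
import re
from typing import List

# Constructed sample in the style of the ComboFix log posted in this thread:
# the four padded names the helper's CFScript renames, plus two normal Run entries.
SAMPLE_LOG = r"""
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\QuickTime\qttask  .exe
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"""

# A drive-letter path running up to a quote, a bracket or the end of the line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*')
# A base name whose extension is preceded by spaces or tabs, e.g. "qttask  .exe".
PADDED_RE = re.compile(r'\S[ \t]+\.[A-Za-z0-9]{1,4}$')


def extract_paths(log_text: str) -> List[str]:
    """Return every drive-letter path in the log, trailing blanks stripped."""
    return [m.group(0).rstrip() for m in PATH_RE.finditer(log_text)]


def find_space_padded(log_text: str) -> List[str]:
    """Paths whose file name has whitespace inserted before the extension.

    Only the base name is tested, so a directory such as "Reader 8.0" is not
    a hit; duplicates (case-insensitive) are reported once, in log order.
    """
    seen, hits = set(), []
    for path in extract_paths(log_text):
        if PADDED_RE.search(ntpath.basename(path)) and path.lower() not in seen:
            seen.add(path.lower())
            hits.append(path)
    return hits


def expected_name(path: str) -> str:
    """The path as it should read once the padding before the extension is removed."""
    head, name = ntpath.split(path)
    return ntpath.join(head, re.sub(r'[ \t]+(?=\.[A-Za-z0-9]{1,4}$)', '', name))


def build_renv_script(paths: List[str]) -> str:
    """Render the KillAll::/RenV:: CFScript section in the layout used in post #4."""
    return "KillAll::\n\nRenV::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    padded = find_space_padded(SAMPLE_LOG)
    for p in padded:
        print(f"{p!r} -> {expected_name(p)!r}")
    print(build_renv_script(padded))
```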


#5 shred1970

shred1970
  • Topic Starter

  • Members
  • 105 posts
  • Gender:Male

Posted 23 January 2011 - 08:38 PM

Hello. Also, after running ComboFix my pc wouldn't shut down properly, so I did that manually and it seemed to go ok; however, my firewall starts intermittently. Thanks again for your help, and here are both logs:


ComboFix 11-01-22.02 - Music 24/01/2011 10:34:57.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.383.213 [GMT 10:00]
Running from: c:\documents and settings\Music\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Music\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sunbelt Personal Firewall *Disabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
.

((((((((((((((((((((((((( Files Created from 2010-12-24 to 2011-01-24 )))))))))))))))))))))))))))))))
.

2011-01-20 10:40 . 2011-01-20 10:40 -------- d-----w- c:\documents and settings\Music\Application Data\Malwarebytes
2011-01-20 10:39 . 2010-12-20 08:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-20 10:39 . 2011-01-20 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-20 10:39 . 2011-01-20 10:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-20 10:39 . 2010-12-20 08:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-20 02:55 . 2011-01-20 02:55 -------- d-----w- c:\program files\Common Files\iS3
2011-01-20 02:55 . 2011-01-20 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2011-01-19 09:34 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-19 09:34 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-01-19 09:34 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-19 09:34 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-19 09:34 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-01-19 09:34 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-01-19 09:34 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-01-19 09:33 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-01-19 09:33 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-19 07:16 . 2011-01-19 07:16 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-06 07:43 . 2011-01-06 07:43 -------- d-----w- c:\documents and settings\Music\Application Data\TuneUp Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2005-10-15 09:35 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-15 08:07 . 2010-11-15 04:14 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2007-05-28 03:46 . 2009-12-25 08:11 816736 ----a-w- c:\program files\Norton_Removal_Tool.exe
2005-03-31 12:17 . 2007-08-09 03:13 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\DVDVideoSoftTB\tbDVD2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{872b5b88-9db5-4310-bdd0-ac189557e5f5}"= "c:\program files\DVDVideoSoftTB\tbDVD2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{872B5B88-9DB5-4310-BDD0-AC189557E5F5}"= "c:\program files\DVDVideoSoftTB\tbDVD2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{872b5b88-9db5-4310-bdd0-ac189557e5f5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Voobys.lnk - c:\windows\Installer\{B72257D6-189D-4CB0-9CDC-26A93536C34B}\_16496df1.exe [2009-1-5 3774]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" startup
"nwiz"=nwiz.exe /install
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [15/10/2005 9:32 PM 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [15/10/2005 9:32 PM 5248]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [19/01/2011 7:34 PM 294608]
R1 fwdrv;Firewall Driver;c:\windows\system32\drivers\fwdrv.sys [26/04/2007 10:21 AM 302000]
R1 khips;Kerio HIPS Driver;c:\windows\system32\drivers\khips.sys [26/04/2007 10:21 AM 72624]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [19/01/2011 7:34 PM 17744]
R2 SPF4;Sunbelt Personal Firewall 4;c:\program files\Sunbelt Software\Personal Firewall\kpf4ss.exe [26/04/2007 10:21 AM 1234480]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [24/03/2010 6:14 PM 16896]
S3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [25/03/2010 5:48 PM 23096]
S3 PID_400C;Video Blaster WebCam 5 (WDM);c:\windows\system32\drivers\Pd100Vid.sys [10/11/2006 6:52 PM 336617]
.
Contents of the 'Scheduled Tasks' folder

2011-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr .exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-24 10:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(292)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\program files\Sunbelt Software\Personal Firewall\kpf4gui.exe
.
**************************************************************************
.
Completion time: 2011-01-24 11:09:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-24 01:09

Pre-Run: 16,046,522,368 bytes free
Post-Run: 16,039,792,640 bytes free

- - End Of File - - 21C6A31FFE13BFA13CEDB31842225174



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:06:36 PM, on 24/01/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Documents and Settings\Music\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngine.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\tbDVD2.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: DVDVideoSoftTB Toolbar - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - C:\Program Files\DVDVideoSoftTB\tbDVD2.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7595 bytes

Edited by shred1970, 23 January 2011 - 09:11 PM.


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 23 January 2011 - 11:15 PM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


How's the computer now? :)



#7 shred1970

shred1970
  • Topic Starter

  • Members
  • 105 posts
  • Gender:Male

Posted 24 January 2011 - 08:58 PM

Seems to look ok :thumbup2: I haven't noticed any browser hijacking, and my anti-virus has calmed down a lot! Thanks again for your help. :thumbsup:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5592

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/01/2011 11:35:51 AM
mbam-log-2011-01-25 (11-35-51).txt

Scan type: Full scan (C:\|H:\|)
Objects scanned: 256360
Time elapsed: 1 hour(s), 8 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by shred1970, 24 January 2011 - 09:04 PM.


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 24 January 2011 - 10:47 PM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#9 shred1970

shred1970
  • Topic Starter

  • Members
  • 105 posts
  • Gender:Male

Posted 25 January 2011 - 07:23 PM

:thumbsup: My pc seems to be running better than ever. Thanks fenzodahl512 :thumbup2: I haven't had a browser hijack or redirect in days, and my anti-virus is "calm" compared to before, when it was blocking a threat of some kind every 5 minutes or so. I guess it was picking up something that was regenerating itself? Now it feels quicker and smoother as well. Thanks for the links; I'll be sure to make sure that my 17 year old son has a read as well, as I'm sure he has done some hazardous surfing which led to this infection in the first place.
Thanks again to you fenzodahl512 and to all the other wonderful people that make this site the awesome site that it is. You guys have saved my bacon and dollars more than once! :dance: If I had the resources I wouldn't hesitate to donate to this site.

Edited by shred1970, 25 January 2011 - 07:28 PM.


#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 25 January 2011 - 09:52 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
