Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92366 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] Firefox automatic pop-ups, IE8 starts automatically in backgr


  • This topic is locked This topic is locked
6 replies to this topic

#1 jdn23

jdn23

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 21 November 2009 - 10:24 AM

Hi,

My computer is infected big time and I cannot remove it. I've tried so many programs to fix it but so far its not helping.

Programs I've used are:

avast! anitvirus
Spybot - Search & Destory
Malwarebytes' Anti-Malware
IObit Security 360
Advanced SystemCare
TweakNow RegCleaner
Spyware Doctor

My 1st problem is when running Firefox, I get popups out of nowhere and its the same popup everytime.

These are the 2 scenario:

1. Popup opens in a new tab with the link:hxxp://www.directrdr.com/. then it automatically redirects to other sites such as hxxp://c5.zedo.com/jsc/
2. Popup opens in a new window with 3 tabs loading, links are: hxxp://67.201.36.16/nolink.html+ other links such as hxxp://free-video-dictionary.com/ads/

It just comes out of nowhere and happens alot, like about 10 - 15 times a day? but only when I'm using Firefox.


My 2nd problem I think is even more serious. I see IE8 running in the background without my knowledge. I realised this because IE8 makes a 'click' sound when it loads and I just hear the 'click' sound out of nowhere (my computer is just idling and it happens). I don't even use IE8. When I open up Windows Task Manager, I see 2 iexplorer.exe running.

Links that pops up are:
hxxp://216.133.243.28/..
hxxp://7572.91462.blueseek.com/.. which redirects to sites such as hxxp://scour.com/search/web

I've search these problems on the internet and it seems other people are having this problem too, BUT I just don't know how to fix it.

I see that when people have problems, they post their HijackThis log for help, so here is my HijackThis log:

=========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:59 AM, on 22/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Tunngle\TnglCtrl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Brownie\BrstsWnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spyware Doctor\Update.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Vuze\Azureus.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] m‘|Pë
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TunngleService - Tunngle.net GmbH - C:\Program Files\Tunngle\TnglCtrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12044 bytes

==============================

Here is my RootRepeal log:

==============================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/22 03:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7F92000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xB9DE3000 Size: 81920 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacf336b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad052fc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad04fc80

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9ef0e22

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad053580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad067900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad067b10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad06bb10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad053670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad050210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9ef1610

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ef18c4

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad067280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad06af10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad06af90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad050070

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9eefb14

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad069180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad068f40

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacf3376e

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9ef1d30

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad06b150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad052be0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xacf3372e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad053190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad050440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ef10e2

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad068200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad068080

==EOF==

==========================================

And here is my DDS.txt log:

===========================================

DDS (Ver_09-10-26.01) - NTFSx86
Run by John Nguyen at 3:20:12.40 on Sun 22/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2223 [GMT 11:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: avast! antivirus 4.8.1356 [VPS 091121-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Tunngle\TnglCtrl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Brownie\BrstsWnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spyware Doctor\Update.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Vuze\Azureus.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\John Nguyen\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 0.0.0.0:80
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST] m‘|Pë
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [BtTray] "c:\program files\ivt corporation\bluesoleil\BtTray.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htm
IE: Send via &Message... - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htm
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\partygaming\partycasino\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\skype4com.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\johnng~1\applic~1\mozilla\firefox\profiles\jgpez073.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-8 20744]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-21 207280]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-14 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-14 20560]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-21 112592]
R2 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2009-2-27 143467]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2008-9-5 80392]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-11-21 312592]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-9-5 8960]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-4-23 10384]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-21 358600]
R2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2009-8-18 664824]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-9-5 93696]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2009-8-18 25600]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-9-5 11264]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-9-5 16640]

=============== Created Last 30 ================

2009-11-20 17:40:26 882 ----a-w- c:\windows\RegSDImport.xml
2009-11-20 17:40:26 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-20 17:40:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-20 17:40:26 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-20 17:40:26 131 ----a-w- c:\windows\IDB.zip
2009-11-20 17:40:26 1152470 ----a-w- c:\windows\UDB.zip
2009-11-20 17:40:25 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-20 17:40:25 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-20 17:32:20 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-20 17:32:20 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-20 17:32:15 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-20 17:32:15 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-20 17:32:15 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-20 17:32:15 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-20 17:32:09 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-20 17:32:09 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-20 17:32:01 0 d-----w- c:\program files\common files\PC Tools
2009-11-20 17:32:00 0 d-----w- c:\program files\Spyware Doctor
2009-11-20 17:32:00 0 d-----w- c:\docume~1\johnng~1\applic~1\PC Tools
2009-11-20 17:32:00 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-20 17:08:12 0 d-----w- c:\program files\TweakNow RegCleaner
2009-11-20 17:08:12 0 d-----w- c:\docume~1\johnng~1\applic~1\TweakNow RegCleaner
2009-11-20 17:00:12 0 d-----w- c:\docume~1\johnng~1\applic~1\IObit
2009-11-20 16:43:33 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2009-11-20 16:43:30 0 d-----w- c:\program files\IObit
2009-11-18 03:19:52 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-18 03:19:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-10 23:06:53 0 d-----w- c:\program files\Trend Micro
2009-11-10 22:47:21 0 d-----w- c:\docume~1\johnng~1\applic~1\Malwarebytes
2009-11-10 22:47:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 22:47:16 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 22:47:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 22:47:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-10 22:41:35 0 d-----w- c:\docume~1\johnng~1\applic~1\Uniblue
2009-11-10 22:41:35 0 d-----w- c:\docume~1\alluse~1\applic~1\DriverScanner
2009-11-10 13:19:51 0 d-----w- c:\program files\ESET
2009-11-10 12:54:37 0 d-----w- c:\documents and settings\all users\Defence
2009-11-01 20:02:01 0 d-sh--w- c:\documents and settings\john nguyen\IECompatCache
2009-10-26 07:09:45 0 d-----w- c:\windows\Performance
2009-10-26 07:09:15 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor

==================== Find3M ====================

2009-11-21 15:54:48 16608 ----a-w- c:\windows\gdrv.sys
2009-09-25 05:35:00 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-09-23 22:59:26 4481024 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-09-23 22:39:28 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-09-23 22:38:26 299520 ----a-w- c:\windows\system32\ati2dvag.dll
2009-09-23 22:21:32 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2009-09-23 22:21:14 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-09-23 22:21:00 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-09-23 22:20:50 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-09-23 22:20:36 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-09-23 22:19:14 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-09-23 22:17:44 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-09-23 22:11:02 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-09-23 22:09:18 3506080 ----a-w- c:\windows\system32\ati3duag.dll
2009-09-23 21:58:16 12644352 ----a-w- c:\windows\system32\atioglxx.dll
2009-09-23 21:53:48 2096384 ----a-w- c:\windows\system32\ativvaxx.dll
2009-09-23 21:53:26 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-09-23 21:36:50 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-09-23 21:36:50 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-09-23 21:32:20 561152 ----a-w- c:\windows\system32\atikvmag.dll
2009-09-23 21:31:32 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-09-23 21:31:18 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-09-23 21:30:08 167936 ----a-w- c:\windows\system32\atiadlxx.dll
2009-09-23 21:29:42 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-09-23 21:29:36 3489792 ----a-w- c:\windows\system32\aticaldd.dll
2009-09-23 21:28:58 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-09-23 21:27:50 401408 ----a-w- c:\windows\system32\atiok3x2.dll
2009-09-23 21:23:08 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 19:55:54 195855 ----a-w- c:\windows\system32\atiicdxx.dat
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2003-09-15 14:19:48 99544 ----a-w- c:\windows\inf\virprn.exe
2003-09-15 14:19:48 18950 ----a-w- c:\windows\inf\virpntd.dll
2003-09-15 14:19:48 10240 ----a-w- c:\windows\inf\virport.dll
2003-09-15 14:19:46 90624 ----a-w- c:\windows\inf\prtproc.dll
2009-04-23 06:37:59 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-04-23 06:37:59 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-04-23 06:37:59 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 3:21:29.98 ===============

======================================================

I greatly appreciated if you guys can help me with easy steps since I'm not a major technical person.

Cheers.

Attached Files


    Advertisements

Register to Remove


#2 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 25 November 2009 - 08:31 AM

Posted Image


DO NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.



Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.



Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 jdn23

jdn23

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 25 November 2009 - 06:25 PM

Hi LDTate,

After I made this thread, I ran the scanning programs I had. I did nothing new really (to before) and suddenly the IE8 problem stopped happening. I don't know if the scanning helped. Also with my Firefox problem, the popups is happening less then usual.

With that said, I am certain my comp is still infected.

I followed your instructions and here are my logs:

Note: ComboFix stalled the 1st time I ran it (at the "preparing log stage"), so I had to do 2 runs.


ComboFix 09-11-25.01 - John Nguyen 26/11/2009 10:58.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2645 [GMT 11:00]
Running from: c:\documents and settings\John Nguyen\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091125-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\win32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-22 09:37 . 2009-11-22 09:37 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-11-21 16:09 . 2009-11-21 16:09 -------- d-----w- c:\program files\ERUNT
2009-11-20 18:11 . 2009-11-20 18:11 -------- d-----w- c:\documents and settings\John Nguyen\Local Settings\Application Data\Threat Expert
2009-11-20 17:31 . 2009-11-23 04:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-20 17:08 . 2009-11-20 17:09 -------- d-----w- c:\program files\TweakNow RegCleaner
2009-11-20 17:08 . 2009-11-20 17:08 -------- d-----w- c:\documents and settings\John Nguyen\Application Data\TweakNow RegCleaner
2009-11-20 17:00 . 2009-11-20 17:00 -------- d-----w- c:\documents and settings\John Nguyen\Application Data\IObit
2009-11-20 16:43 . 2009-11-20 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-11-20 16:43 . 2009-11-20 17:00 -------- d-----w- c:\program files\IObit
2009-11-18 18:43 . 2009-11-18 18:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-11-18 03:19 . 2009-11-18 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-18 03:19 . 2009-11-18 03:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-10 23:09 . 2009-11-10 23:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-10 23:06 . 2009-11-10 23:06 -------- d-----w- c:\program files\Trend Micro
2009-11-10 22:47 . 2009-11-10 22:47 -------- d-----w- c:\documents and settings\John Nguyen\Application Data\Malwarebytes
2009-11-10 22:47 . 2009-09-10 03:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 22:47 . 2009-11-10 22:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 22:47 . 2009-11-10 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-10 22:47 . 2009-09-10 03:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 22:41 . 2009-11-18 03:15 -------- d-----w- c:\documents and settings\John Nguyen\Application Data\Uniblue
2009-11-10 22:41 . 2009-11-18 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-11-10 13:19 . 2009-11-10 13:19 -------- d-----w- c:\program files\ESET
2009-11-10 12:59 . 2009-11-10 12:59 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-10 12:54 . 2009-11-10 23:01 -------- d-----w- c:\documents and settings\All Users\Defence
2009-11-02 20:31 . 2009-11-02 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-11-01 20:02 . 2009-11-01 20:02 -------- d-sh--w- c:\documents and settings\John Nguyen\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-25 23:01 . 2008-09-04 16:40 16608 ----a-w- c:\windows\gdrv.sys
2009-11-25 22:59 . 2009-08-18 09:06 0 ----a-w- c:\windows\system32\Access.dat
2009-11-25 22:08 . 2008-11-25 02:04 74600820 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-11-25 22:07 . 2009-11-25 22:08 2507264 ----a-w- c:\windows\Internet Logs\xDB4.tmp
2009-11-25 22:07 . 2009-11-25 22:08 176128 ----a-w- c:\windows\Internet Logs\xDB3.tmp
2009-11-24 06:00 . 2009-11-24 06:01 2525696 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-11-24 06:00 . 2009-11-24 06:01 2324480 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-11-23 05:04 . 2008-09-11 13:44 -------- d-----w- c:\documents and settings\John Nguyen\Application Data\Azureus
2009-11-21 15:45 . 2008-09-11 12:40 -------- d-----w- c:\program files\LoadIt
2009-11-21 15:30 . 2008-09-11 13:43 -------- d-----w- c:\program files\Vuze
2009-11-19 05:24 . 2008-09-23 23:53 -------- d-----w- c:\documents and settings\John Nguyen\Application Data\U3
2009-11-12 05:29 . 2008-09-08 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-10 16:16 . 2008-09-04 17:00 69616 ----a-w- c:\documents and settings\John Nguyen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 14:40 . 2008-09-11 13:21 -------- d-----w- c:\program files\Messenger Plus! Live
2009-11-02 20:28 . 2008-09-04 16:53 -------- d-----w- c:\program files\ATI Technologies
2009-11-01 03:42 . 2009-10-04 03:09 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-26 07:09 . 2009-10-26 07:09 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-03 05:13 . 2009-10-03 05:13 -------- d-----w- c:\program files\Microsoft
2009-09-30 14:02 . 2009-09-30 14:02 -------- d-----w- c:\program files\ANYCOM
2009-09-30 13:07 . 2009-09-30 13:07 -------- d-----w- c:\program files\IVT Corporation
2009-09-30 13:05 . 2008-11-24 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth
2009-09-28 19:55 . 2008-09-11 15:04 -------- d-----w- c:\program files\Microsoft Works
2009-09-25 05:35 . 2008-09-04 16:53 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-09-23 22:59 . 2008-06-03 06:20 4481024 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2009-09-23 22:39 . 2008-09-04 16:53 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2009-09-23 22:38 . 2008-06-03 03:21 299520 ----a-w- c:\windows\system32\ati2dvag.dll
2009-09-23 22:21 . 2008-06-03 03:11 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2009-09-23 22:21 . 2008-06-03 03:11 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2009-09-23 22:21 . 2008-06-03 03:11 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2009-09-23 22:20 . 2008-06-03 03:11 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2009-09-23 22:20 . 2008-06-03 03:11 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2009-09-23 22:19 . 2008-06-03 03:09 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2009-09-23 22:17 . 2008-06-03 03:08 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2009-09-23 22:11 . 2008-09-04 16:53 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2009-09-23 22:09 . 2008-06-03 02:59 3506080 ----a-w- c:\windows\system32\ati3duag.dll
2009-09-23 21:58 . 2008-09-24 02:09 12644352 ----a-w- c:\windows\system32\atioglxx.dll
2009-09-23 21:53 . 2008-06-03 02:48 2096384 ----a-w- c:\windows\system32\ativvaxx.dll
2009-09-23 21:53 . 2008-09-04 16:53 887724 ----a-w- c:\windows\system32\ativva6x.dat
2009-09-23 21:53 . 2008-09-04 16:53 3 ----a-w- c:\windows\system32\ativva5x.dat
2009-09-23 21:36 . 2009-09-23 21:36 65024 ----a-w- c:\windows\system32\atimpc32.dll
2009-09-23 21:36 . 2008-06-03 02:33 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2009-09-23 21:32 . 2008-06-03 02:29 561152 ----a-w- c:\windows\system32\atikvmag.dll
2009-09-23 21:31 . 2009-09-23 21:31 45056 ----a-w- c:\windows\system32\aticalrt.dll
2009-09-23 21:31 . 2009-09-23 21:31 45056 ----a-w- c:\windows\system32\aticalcl.dll
2009-09-23 21:30 . 2008-06-03 02:28 167936 ----a-w- c:\windows\system32\atiadlxx.dll
2009-09-23 21:29 . 2008-06-03 02:28 17408 ----a-w- c:\windows\system32\atitvo32.dll
2009-09-23 21:29 . 2009-09-23 21:29 3489792 ----a-w- c:\windows\system32\aticaldd.dll
2009-09-23 21:28 . 2008-06-03 02:27 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2009-09-23 21:27 . 2008-06-03 03:04 401408 ----a-w- c:\windows\system32\atiok3x2.dll
2009-09-23 21:23 . 2008-06-03 02:21 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2009-09-15 09:59 . 2009-01-13 13:37 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-15 09:56 . 2009-01-13 13:37 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-15 09:56 . 2009-01-13 13:37 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-15 09:55 . 2009-01-13 13:37 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-15 09:55 . 2009-01-13 13:37 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 09:54 . 2009-01-13 13:37 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-15 09:54 . 2009-01-13 13:37 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-15 09:53 . 2009-01-13 13:37 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-15 09:53 . 2009-01-13 13:37 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 19:55 . 2008-09-04 16:53 195855 ----a-w- c:\windows\system32\atiicdxx.dat
2009-08-29 08:08 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m‘|Pë" [X]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe Autorun" [X]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe MSRun" [X]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2009-02-27 278016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-07 16862208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-18 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Tunngle\\TnglCtrl.exe"=
"c:\\Program Files\\Tunngle\\Tunngle.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [8/01/2009 12:39 AM 20744]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [14/01/2009 12:37 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14/01/2009 12:37 AM 20560]
R2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [27/02/2009 5:40 PM 143467]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [5/09/2008 3:41 AM 80392]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [5/09/2008 5:52 AM 8960]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [23/04/2009 6:28 PM 10384]
R2 TunngleService;TunngleService;c:\program files\Tunngle\TnglCtrl.exe [18/08/2009 7:51 PM 664824]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [7/12/2008 1:44 PM 30088]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2/07/2008 3:58 PM 26248]
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [18/08/2009 7:51 PM 25600]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [21/11/2009 3:43 AM 312592]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [5/09/2008 5:52 AM 11264]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [5/09/2008 5:52 AM 16640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 0.0.0.0:80
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
IE: {{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\PartyGaming\PartyCasino\RunApp.exe
FF - ProfilePath - c:\documents and settings\John Nguyen\Application Data\Mozilla\Firefox\Profiles\jgpez073.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Bluetooth Connection Assistant - LBTWIZ.EXE



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
@Allowed: (Read) (Administrators)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,81,72,0b,22,98,f7,87,49,9f,c5,14,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,81,72,0b,22,98,f7,87,49,9f,c5,14,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
@DACL=(02 0000)
"DLLName"="c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll"
"Asynchronous"=dword:00000000
"Startup"="OnStartup"
"Logon"="OnLogon"
"StartShell"="OnStartShell"
"Logoff"="OnLogoff"
"Shutdown"="OnShutdown"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(6016)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-26 11:11
ComboFix-quarantined-files.txt 2009-11-26 00:10

Pre-Run: 41,590,173,696 bytes free
Post-Run: 41,547,427,840 bytes free

- - End Of File - - 545EC89EED9A92196C8560A5CD6AF2C8


================================================================================



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:50 AM, on 26/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Tunngle\TnglCtrl.exe
C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GEST] m‘|Pë
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BtTray] "C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send by Bluetooth - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
O8 - Extra context menu item: Send via &Message... - C:\Program Files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleilCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
O23 - Service: BsHelpCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe
O23 - Service: BsMobileCS - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: TunngleService - Tunngle.net GmbH - C:\Program Files\Tunngle\TnglCtrl.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10148 bytes



Thanks for your reply and greatly appreciated.

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 25 November 2009 - 09:49 PM

If you're still infected I don't see it.

Pay a visit to the Kaspersky Online Scanner 7 - I.E. is preferred for this scan.
  • Read the Information panel and then click Accept.
  • Allow the ActiveX download if necessary.
  • Both the anti-virus engine and database will need to be downloaded, which may take a little time.
  • Once this has been completed, select My Computer from the Scan section on the left hand side.
  • Put the kettle on!
  • Although it is recommended by Kaspersky that you should disable your anti-virus scanner before starting this scan, it should work OK with it still active - it does on my PC.
    Although you may find the scan speed increases if you carry out this step, I never like to disable my resident scanner while online, so I don't.
  • When the scan has completed, click View scan report at the bottom.
  • Click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save and pick a location for the file - the Desktop is always handy.
Copy and paste the report into your next reply along with a fresh HJT log, run in Normal Mode, and a description of how your PC is behaving.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 jdn23

jdn23

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 28 November 2009 - 07:41 PM

Sorry about the late reply LDTate. Kaspersky Online is not working atm. I think they are upgrading. I will post as soon as it's working again. Thanks.

#6 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 29 November 2009 - 12:55 PM

OK :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 06 December 2009 - 08:59 AM

Due to inactivity this topic will be closed. If you need help please start a new thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users