
[Resolved] Browser Hijacked


  • This topic is locked
21 replies to this topic

#1 l3x

l3x

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 15 December 2009 - 08:38 PM

Hey guys. Both my browsers, IE8 and FF, got hijacked, and none of the major anti-spyware tools I used detected anything unusual besides cookies. I used at least four of them. It looks like I only get redirected while I use any search engine and click any search result. I'm getting redirected to sites like this:

hxxp://www.adcloudmedia.com/denyPage1.html
hxxp://www.localhometown.com/city_locate.php

If I type a website to visit in the address bar, the browser takes me where it's supposed to take me, and I can click any internal site links with no issue. I just installed Safari and so far I have no problems. I scanned my disks with AVG and no issues were reported. I'm pasting the logs you asked for; I hope they help. Thanks in advance.

-------------------------------

DDS (Ver_09-06-26.01) - NTFSx86
Run by alex at 18:25:58.93 on Tue 12/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2334 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hotkey Management\FuncKey.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\alex\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [FuncKey] "c:\program files\hotkey management\FuncKey.exe"
mRun: [PowerManager] "c:\program files\power manager\PM.exe"
mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [NeroFilterCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray
StartupFolder: c:\docume~1\alex\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alex\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
TCP: {5048E9BC-F63A-4C43-B7B9-21D77E636A5D} = 68.87.85.102
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\8smgit17.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-15 207792]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-20 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-20 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-20 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-20 285392]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2009-11-29 10688]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-15 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-15 1141712]

=============== Created Last 30 ================

2009-12-15 17:47 56,532 a---h--- c:\windows\system32\mlfcache.dat
2009-12-15 14:59 <DIR> --d----- c:\program files\Trend Micro
2009-12-15 14:25 <DIR> --d----- c:\program files\MSSOAP
2009-12-15 14:25 <DIR> --d----- c:\program files\Webroot
2009-12-15 14:24 164 a------- c:\windows\install.dat
2009-12-15 13:44 233,136 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-12-15 13:44 7,387 a------- c:\windows\system32\drivers\pctgntdi.cat
2009-12-15 13:43 207,792 a------- c:\windows\system32\drivers\PCTCore.sys
2009-12-15 13:43 87,784 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-15 13:43 7,412 a------- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-15 13:43 7,383 a------- c:\windows\system32\drivers\pctcore.cat
2009-12-15 13:43 70,408 a------- c:\windows\system32\drivers\pctplsg.sys
2009-12-15 13:43 7,383 a------- c:\windows\system32\drivers\pctplsg.cat
2009-12-15 13:43 <DIR> --d----- c:\program files\common files\PC Tools
2009-12-15 13:43 <DIR> --d----- c:\program files\Spyware Doctor
2009-12-15 13:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-15 13:43 <DIR> --d----- c:\docume~1\alex\applic~1\PC Tools
2009-12-14 10:52 <DIR> --d----- c:\documents and settings\alex\Packet Tracer 5.2
2009-12-12 13:02 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-12-12 13:02 21,504 a------- c:\windows\system32\hidserv.dll
2009-12-12 13:02 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-12-12 13:02 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-12-12 13:02 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-12-12 13:02 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-12-12 13:02 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-12-12 13:02 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-12-12 11:47 <DIR> --d----- c:\docume~1\alex\applic~1\Malwarebytes
2009-12-12 11:47 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 11:47 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-12-12 11:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 11:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-12 11:38 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-12-12 11:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-12 10:27 <DIR> --d----- c:\program files\Visual CertExam Suite
2009-12-12 10:06 132,096 a--shr-- c:\windows\system32\nvwrsptby.dll
2009-12-12 08:42 1,415,680 a------- c:\windows\system32\WMV9VCM.DLL
2009-12-12 08:42 49,152 a------- c:\windows\system32\TSCCVID.DLL
2009-12-12 08:41 <DIR> --d----- c:\program files\TESTOUT
2009-12-09 11:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Boson Software
2009-12-07 19:46 <DIR> --d----- c:\program files\gs
2009-12-07 19:45 <DIR> --d----- c:\program files\PlotSoft
2009-12-07 19:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PlotSoft
2009-12-07 09:51 <DIR> --d----- c:\docume~1\alex\applic~1\Foxit Software
2009-11-30 10:42 <DIR> --d----- c:\docume~1\alex\applic~1\TeamViewer
2009-11-30 10:42 <DIR> --d----- c:\program files\TeamViewer
2009-11-30 10:41 <DIR> --d----- c:\documents and settings\alex\temp
2009-11-29 13:36 <DIR> --d----- c:\docume~1\alex\applic~1\UltraVNC
2009-11-29 13:33 20,672 a------- c:\windows\system32\mv2.dll
2009-11-29 13:33 10,688 a------- c:\windows\system32\drivers\mv2.sys
2009-11-29 13:33 <DIR> --d----- c:\program files\UltraVNC
2009-11-28 11:22 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-11-28 11:22 <DIR> --d----- c:\documents and settings\alex\Tracing
2009-11-28 11:21 <DIR> --d----- c:\program files\Microsoft
2009-11-28 11:19 <DIR> --d----- c:\program files\common files\Windows Live
2009-11-25 08:59 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-11-24 11:15 <DIR> --d----- c:\program files\Packet Tracer 5.2
2009-11-24 11:04 <DIR> --d----- c:\windows\system32\XPSViewer
2009-11-24 11:03 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-24 11:03 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-24 11:03 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-24 11:03 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-11-24 11:03 117,760 -------- c:\windows\system32\prntvpt.dll
2009-11-24 11:03 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-11-24 11:03 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-11-24 10:51 <DIR> --d----- c:\program files\Boson Software
2009-11-24 10:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Boson
2009-11-24 10:46 <DIR> --d----- c:\windows\system32\URTTemp
2009-11-23 21:03 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-11-23 21:03 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-11-23 21:03 5,632 a------- c:\windows\system32\ptpusb.dll
2009-11-23 21:03 159,232 a------- c:\windows\system32\ptpusd.dll
2009-11-23 20:55 28 a------- c:\windows\ODBC.INI
2009-11-23 20:23 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-11-23 20:23 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-23 20:23 <DIR> --d----- c:\program files\iPod
2009-11-23 20:23 <DIR> --d----- c:\program files\iTunes
2009-11-23 20:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-11-23 20:23 <DIR> --d----- c:\program files\Bonjour
2009-11-23 20:22 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-11-23 20:22 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-11-23 20:17 <DIR> --d----- C:\iPhone 3.0
2009-11-23 13:40 225 a------- c:\windows\hpbafd.ini
2009-11-21 15:08 116 a------- c:\windows\NeroDigital.ini
2009-11-21 14:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2009-11-21 10:29 87,608 a------- c:\docume~1\alex\applic~1\inst.exe
2009-11-21 10:29 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-11-21 10:29 47,360 a------- c:\docume~1\alex\applic~1\pcouffin.sys
2009-11-21 10:29 <DIR> --d----- c:\program files\DVDFab 6
2009-11-21 09:57 125,184 -------- c:\windows\system32\drivers\imagesrv.sys
2009-11-21 09:57 5,504 -------- c:\windows\system32\drivers\imagedrv.sys
2009-11-21 09:57 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-11-21 09:57 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-11-21 09:57 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-11-21 09:57 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-11-21 09:57 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-11-21 09:57 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-11-21 09:43 274,288 a------- c:\windows\system32\mucltui.dll
2009-11-21 09:43 215,920 a------- c:\windows\system32\muweb.dll
2009-11-21 09:43 16,736 a------- c:\windows\system32\mucltui.dll.mui
2009-11-20 18:35 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-11-20 18:22 <DIR> --d----- c:\program files\CDisplay
2009-11-20 13:53 <DIR> --d----- c:\program files\VideoLAN
2009-11-20 13:52 69 a------- c:\documents and settings\alex\jagex_runescape_preferences2.dat
2009-11-20 13:51 39 a------- c:\documents and settings\alex\jagex_runescape_preferences.dat
2009-11-20 13:51 <DIR> --d----- c:\windows\.jagex_cache_32
2009-11-20 13:30 <DIR> --d----- c:\program files\Bitcricket
2009-11-20 13:07 <DIR> --d-h--- C:\$AVG
2009-11-20 13:07 12,464 a------- c:\windows\system32\avgrsstx.dll
2009-11-20 13:07 360,584 a------- c:\windows\system32\drivers\avgtdix.sys
2009-11-20 13:07 333,192 a------- c:\windows\system32\drivers\avgldx86.sys
2009-11-20 13:07 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-11-20 13:07 <DIR> --d----- c:\program files\AVG
2009-11-20 13:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg9
2009-11-20 12:39 3,255 a------- c:\windows\system32\wbem\Outlook_01ca6a217d54d1fa.mof
2009-11-20 12:24 <DIR> --d----- c:\program files\TTERMPRO
2009-11-20 12:24 42,496 a------- c:\windows\ttuninst.exe
2009-11-20 12:14 <DIR> --d----- c:\program files\MSECache
2009-11-20 12:13 32,656 a------- c:\windows\system32\msonpmon.dll
2009-11-20 12:10 <DIR> --d----- c:\program files\age
2009-11-20 12:02 <DIR> --d----- c:\windows\SHELLNEW
2009-11-20 11:51 <DIR> --d----- c:\windows\WinRAR
2009-11-20 11:50 <DIR> --d----- c:\windows\system32\appmgmt
2009-11-20 11:48 <DIR> --d----- c:\program files\uTorrent
2009-11-20 11:48 <DIR> --d----- c:\docume~1\alex\applic~1\uTorrent
2009-11-20 11:46 411,368 a------- c:\windows\system32\deploytk.dll
2009-11-20 11:46 73,728 a------- c:\windows\system32\javacpl.cpl
2009-11-20 11:41 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-11-20 11:39 <DIR> --d--r-- c:\program files\Skype
2009-11-20 11:36 <DIR> --d----- c:\program files\PowerISO
2009-11-20 11:29 <DIR> --dsh--- c:\documents and settings\alex\IECompatCache
2009-11-20 11:27 <DIR> --dsh--- c:\documents and settings\alex\PrivacIE
2009-11-20 11:27 <DIR> --dsh--- c:\documents and settings\alex\IETldCache
2009-11-20 11:25 92,160 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-11-20 11:25 <DIR> --d----- c:\windows\ie8updates
2009-11-20 11:25 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-11-20 11:25 11,069,952 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-11-20 11:25 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-11-20 11:25 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-11-20 11:25 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-11-20 11:25 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-20 11:24 <DIR> -cd-h--- c:\windows\ie8
2009-11-20 11:07 <DIR> --d----- c:\windows\system32\scripting
2009-11-20 11:07 <DIR> --d----- c:\windows\system32\en
2009-11-20 11:07 <DIR> --d----- c:\windows\system32\bits
2009-11-20 11:07 <DIR> --d----- c:\windows\l2schemas
2009-11-20 11:03 <DIR> --d----- c:\windows\network diagnostic
2009-11-20 10:56 <DIR> --dsh--- c:\documents and settings\alex\UserData
2009-11-20 10:38 354,468 -c------ c:\windows\system32\dllcache\wmpaud1.wav
2009-11-20 10:32 <DIR> --d----- c:\windows\pss
2009-11-20 10:23 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-11-20 10:23 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-11-20 10:23 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-11-20 10:23 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-11-20 10:22 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-11-20 10:22 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-11-20 10:22 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-11-20 10:20 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-11-20 10:18 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-11-20 10:18 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-11-20 10:14 <DIR> --d----- c:\windows\system32\PreInstall
2009-11-20 10:14 <DIR> --d-h--- c:\windows\$hf_mig$
2009-11-20 10:07 13,646 a------- c:\windows\system32\wpa.bak
2009-11-20 10:06 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-11-20 10:05 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-11-20 10:05 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-11-20 10:05 <DIR> --d----- c:\windows\system32\Lang
2009-11-20 10:03 488,992 a------- c:\windows\system32\drivers\ar5211.sys
2009-11-20 10:03 488,992 a------- c:\windows\system32\ar5211.sys
2009-11-20 10:03 43,481 a------- c:\windows\system32\net5211.inf
2009-11-20 10:03 15,366 a------- c:\windows\system32\net5211.cat
2009-11-20 10:03 <DIR> --d----- c:\windows\Options
2009-11-20 10:03 <DIR> --d----- c:\program files\Wireless LAN
2009-11-20 10:03 <DIR> --d----- C:\temp
2009-11-20 10:02 113,152 a------- c:\windows\system32\drivers\Apfiltr.sys
2009-11-20 10:02 99,630 a------- c:\windows\system32\Vxdif.dll
2009-11-20 10:02 <DIR> --d----- c:\program files\Apoint2K
2009-11-20 10:02 <DIR> --d----- c:\program files\Power Manager
2009-11-20 10:01 36,864 a------- c:\windows\system32\drivers\AmdK8.sys
2009-11-20 10:01 <DIR> --d----- c:\program files\CONEXANT
2009-11-20 10:00 176,128 a------- c:\windows\system32\nvunrm.exe
2009-11-20 10:00 101,888 a------- c:\windows\system32\drivers\nvtcp.sys
2009-11-20 10:00 3,903 a------- c:\windows\system32\nvnrm.nvu
2009-11-20 10:00 18 a------- c:\windows\system32\drivers\nvphy.bin
2009-11-20 10:00 6,144 a------- c:\windows\system32\WinIo.sys
2009-11-20 10:00 <DIR> --d----- c:\program files\Hotkey Management
2009-11-20 09:59 176,128 a------- c:\windows\system32\nvusmb.exe
2009-11-20 09:59 1,864 a------- c:\windows\system32\nvsmb.nvu
2009-11-20 09:59 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-11-20 09:58 <DIR> --d----- c:\windows\Downloaded Installations
2009-11-20 09:56 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-11-20 09:56 <DIR> --d----- c:\program files\Realtek
2009-11-20 09:53 208,896 a------- c:\windows\system32\nvudisp.exe
2009-11-20 09:53 51,048 a------- c:\windows\system32\nvapps.xml
2009-11-20 09:53 17,056 a------- c:\windows\system32\nvdisp.nvu
2009-11-20 09:53 <DIR> --d----- c:\windows\nview
2009-11-20 09:53 208,896 a------- c:\windows\system32\NVUNINST.EXE
2009-11-20 09:52 <DIR> --d----- C:\everex
2009-11-20 09:50 <DIR> --d----- c:\documents and settings\alex
2009-11-20 09:49 <DIR> --ds---- c:\windows\system32\Microsoft
2009-11-20 09:49 8,192 a------- c:\windows\REGLOCS.OLD
2009-11-20 09:46 83,748 ac------ c:\windows\system32\dllcache\prcp.nls
2009-11-20 09:45 10,096,640 ac------ c:\windows\system32\dllcache\hwxcht.dll
2009-11-20 09:44 6,144 ac------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-11-20 09:44 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2009-11-20 09:44 <DIR> --d----- c:\windows\system32\xircom
2009-11-20 09:44 <DIR> --d----- c:\windows\system32\wbem\snmp
2009-11-20 09:44 2,577 a------- c:\windows\system32\CONFIG.NT
2009-11-20 09:44 0 a------- c:\windows\control.ini
2009-11-20 09:44 23,392 a------- c:\windows\system32\nscompat.tlb
2009-11-20 09:44 16,832 a------- c:\windows\system32\amcompat.tlb
2009-11-20 09:44 316,640 a------- c:\windows\WMSysPr9.prx
2009-11-20 09:42 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-11-20 09:42 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-11-20 09:42 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-11-20 09:42 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-11-20 09:42 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-11-20 09:42 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-11-20 09:42 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-11-20 09:42 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-11-20 09:42 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-11-20 09:42 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-11-20 09:42 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-11-20 09:42 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-11-20 09:41 <DIR> --d----- c:\program files\common files\MSSoap
2009-11-20 09:39 <DIR> --d----- c:\program files\Online Services
2009-11-20 09:39 <DIR> --d----- c:\program files\Messenger
2009-11-20 09:38 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-11-20 09:38 <DIR> --d----- c:\program files\Windows NT
2009-11-20 01:27 <DIR> --d----- c:\program files\common files\ODBC
2009-11-20 01:27 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-11-20 01:26 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-11-20 11:10 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-11-20 09:39 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-11-08 19:21 59,388 a------- c:\windows\system32\drivers\scdemu.sys
2009-10-28 23:45 916,480 a------- c:\windows\system32\wininet.dll
2009-10-20 21:38 75,776 a------- c:\windows\system32\strmfilt.dll
2009-10-20 21:38 25,088 a------- c:\windows\system32\httpapi.dll
2009-10-20 08:20 265,728 a------- c:\windows\system32\drivers\http.sys
2009-10-13 02:30 270,336 a------- c:\windows\system32\oakley.dll
2009-10-12 05:38 149,504 a------- c:\windows\system32\rastls.dll
2009-10-12 05:38 79,872 a------- c:\windows\system32\raschap.dll

============= FINISH: 18:26:35.46 ===============

-------------------------------------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/15 18:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB58D1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE00000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4618000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xba6cae52

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xba6abcde

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xba6abed0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xba6cb640

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xba6cb8f4

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xba6c9b44

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xba6cbd60

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xba6cb112

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xba6ab984

==EOF==



#2 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 16 December 2009 - 01:36 AM

Hi,

Please do the following:

Download ComboFix from HERE


VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 l3x

l3x

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 16 December 2009 - 11:50 AM

Here is the report.
Thanks



ComboFix 09-12-16.01 - alex 12/16/2009 9:36.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2560 [GMT -8:00]
Running from: c:\documents and settings\alex\Desktop\KittyFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\alex\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-16 to 2009-12-16 )))))))))))))))))))))))))))))))
.

2009-12-16 02:18 . 2009-12-16 02:18 -------- d-----w- c:\program files\ERUNT
2009-12-16 01:47 . 2009-12-16 01:47 56532 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-16 01:47 . 2009-12-16 01:47 -------- d-----w- c:\program files\Safari
2009-12-16 00:03 . 2009-12-16 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-15 22:59 . 2009-12-15 22:59 -------- d-----w- c:\program files\Trend Micro
2009-12-15 22:25 . 2009-12-15 22:25 -------- d-----w- c:\program files\MSSOAP
2009-12-15 22:25 . 2009-12-15 22:25 -------- d-----w- c:\program files\Webroot
2009-12-15 22:24 . 2009-12-15 22:24 164 ----a-w- c:\windows\install.dat
2009-12-15 22:01 . 2009-12-15 22:01 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Threat Expert
2009-12-15 21:44 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-15 21:43 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-15 21:43 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-15 21:43 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-15 21:43 . 2009-12-15 21:49 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-15 21:43 . 2009-12-16 02:24 -------- d-----w- c:\program files\Spyware Doctor
2009-12-15 21:43 . 2009-12-15 21:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-15 21:43 . 2009-12-15 21:43 -------- d-----w- c:\documents and settings\alex\Application Data\PC Tools
2009-12-15 21:42 . 2009-12-16 02:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-14 18:52 . 2009-12-14 18:52 -------- d-----w- c:\documents and settings\alex\Packet Tracer 5.2
2009-12-12 21:02 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-12 21:02 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-12 21:02 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2009-12-12 21:02 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-12-12 21:02 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2009-12-12 21:02 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-12-12 21:02 . 2008-04-13 18:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2009-12-12 21:02 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-12-12 19:47 . 2009-12-12 19:47 -------- d-----w- c:\documents and settings\alex\Application Data\Malwarebytes
2009-12-12 19:47 . 2009-12-04 00:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-12 19:47 . 2009-12-12 19:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-12 19:47 . 2009-12-12 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-12 19:47 . 2009-12-04 00:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 19:38 . 2009-12-12 20:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-12 19:38 . 2009-12-12 19:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-12 18:27 . 2009-12-13 03:34 -------- d-----w- c:\program files\Visual CertExam Suite
2009-12-12 18:06 . 2009-12-12 18:06 132096 --sha-r- c:\windows\system32\nvwrsptby.dll
2009-12-12 16:42 . 2003-06-23 10:44 1415680 ----a-w- c:\windows\system32\WMV9VCM.DLL
2009-12-12 16:42 . 1999-12-16 08:01 49152 ----a-w- c:\windows\system32\TSCCVID.DLL
2009-12-12 16:41 . 2009-12-12 17:26 -------- d-----w- c:\program files\TESTOUT
2009-12-11 17:04 . 2009-11-20 21:07 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2009-12-09 19:32 . 2009-12-09 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Boson Software
2009-12-08 03:46 . 2009-12-08 03:46 -------- d-----w- c:\program files\gs
2009-12-08 03:45 . 2009-12-08 03:45 -------- d-----w- c:\program files\PlotSoft
2009-12-08 03:45 . 2009-12-08 03:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PlotSoft
2009-12-07 17:51 . 2009-12-07 17:51 -------- d-----w- c:\documents and settings\alex\Application Data\Foxit Software
2009-12-02 00:33 . 2009-12-02 00:33 -------- d-----w- c:\documents and settings\alex\Application Data\dvdcss
2009-11-30 18:42 . 2009-11-30 19:46 -------- d-----w- c:\documents and settings\alex\Application Data\TeamViewer
2009-11-30 18:42 . 2009-11-30 18:42 -------- d-----w- c:\program files\TeamViewer
2009-11-30 18:41 . 2009-11-30 18:41 -------- d-----w- c:\documents and settings\alex\temp
2009-11-29 21:36 . 2009-11-29 21:36 -------- d-----w- c:\documents and settings\alex\Application Data\UltraVNC
2009-11-29 21:33 . 2009-11-29 21:33 20672 ----a-w- c:\windows\system32\mv2.dll
2009-11-29 21:33 . 2009-11-29 21:33 10688 ----a-w- c:\windows\system32\drivers\mv2.sys
2009-11-29 21:33 . 2009-11-30 18:38 -------- d-----w- c:\program files\UltraVNC
2009-11-28 19:22 . 2009-11-28 19:22 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-28 19:22 . 2009-11-28 19:21 -------- d-----w- c:\program files\Windows Live
2009-11-28 19:22 . 2009-12-06 18:05 -------- d-----w- c:\documents and settings\alex\Tracing
2009-11-28 19:21 . 2009-11-28 19:21 -------- d-----w- c:\program files\Microsoft
2009-11-28 19:19 . 2009-11-28 19:19 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-24 19:15 . 2009-11-24 19:16 -------- d-----w- c:\program files\Packet Tracer 5.2
2009-11-24 19:04 . 2009-11-24 19:04 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-24 19:04 . 2009-11-24 19:04 -------- d-----w- c:\program files\Reference Assemblies
2009-11-24 19:03 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2009-11-24 19:03 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-24 19:03 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-24 19:03 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-24 19:03 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-24 19:03 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-24 19:03 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-11-24 19:03 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-24 19:03 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-24 18:52 . 2009-11-24 18:52 127 ----a-w- c:\documents and settings\alex\Local Settings\Application Data\fusioncache.dat
2009-11-24 18:51 . 2009-11-24 18:51 69632 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{12F69331-DCBB-46D5-B475-6BFD0F9048B3}\NewShortcut2_12F69331DCBB46D5B4756BFD0F9048B3.exe
2009-11-24 18:51 . 2009-11-24 18:51 69632 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{12F69331-DCBB-46D5-B475-6BFD0F9048B3}\NewShortcut1_12F69331DCBB46D5B4756BFD0F9048B3.exe
2009-11-24 18:51 . 2009-11-24 18:51 26694 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{12F69331-DCBB-46D5-B475-6BFD0F9048B3}\ARPPRODUCTICON.exe
2009-11-24 18:51 . 2009-11-24 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Boson
2009-11-24 18:51 . 2009-11-24 18:51 -------- d-----w- c:\program files\Boson Software
2009-11-24 18:50 . 2009-11-24 18:50 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\{92E7999A-2CF5-4C21-B2CA-43A2607C9436}
2009-11-24 18:47 . 2009-12-12 16:32 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\ApplicationHistory
2009-11-24 18:46 . 2009-11-24 18:46 -------- d-----w- c:\windows\system32\URTTemp
2009-11-24 06:26 . 2009-11-24 06:26 0 ----a-w- c:\windows\nsreg.dat
2009-11-24 06:25 . 2009-11-24 06:25 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Mozilla
2009-11-24 05:03 . 2008-04-13 18:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-11-24 05:03 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-24 05:03 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-24 05:03 . 2008-04-14 00:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-24 04:23 . 2009-12-16 01:47 -------- d-----w- c:\documents and settings\alex\Application Data\Apple Computer
2009-11-24 04:23 . 2009-03-20 00:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-24 04:23 . 2008-04-17 20:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-24 04:23 . 2009-11-24 04:23 -------- d-----w- c:\program files\iPod
2009-11-24 04:23 . 2009-11-24 04:23 -------- d-----w- c:\program files\iTunes
2009-11-24 04:23 . 2009-11-24 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-11-24 04:23 . 2009-11-24 04:23 -------- d-----w- c:\program files\Bonjour
2009-11-24 04:22 . 2009-11-24 04:22 -------- d-----w- c:\program files\QuickTime
2009-11-24 04:22 . 2009-11-24 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-24 04:22 . 2009-11-24 04:22 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Apple
2009-11-24 04:22 . 2009-11-24 04:22 -------- d-----w- c:\program files\Apple Software Update
2009-11-24 04:22 . 2009-05-29 21:36 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-11-24 04:22 . 2009-05-29 21:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-11-24 04:21 . 2009-12-16 01:46 -------- d-----w- c:\program files\Common Files\Apple
2009-11-24 04:21 . 2009-11-24 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-11-24 04:21 . 2009-12-16 01:47 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Apple Computer
2009-11-24 04:17 . 2009-11-24 06:33 -------- d-----w- C:\iPhone 3.0
2009-11-23 21:39 . 2009-11-23 21:39 8854 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{EFBD6F61-53E8-4F5F-8B30-1BB65BAD3EE6}\readme_DC5EDBF7D08241849400BC64FF8DD4BE.exe
2009-11-23 21:39 . 2009-11-23 21:39 40960 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{EFBD6F61-53E8-4F5F-8B30-1BB65BAD3EE6}\NewShortcut1_DC5EDBF7D08241849400BC64FF8DD4BE.exe
2009-11-23 21:39 . 2009-11-23 21:39 1078 ----a-r- c:\documents and settings\alex\Application Data\Microsoft\Installer\{EFBD6F61-53E8-4F5F-8B30-1BB65BAD3EE6}\ARPPRODUCTICON.exe
2009-11-23 21:39 . 2009-11-23 21:39 -------- d-----w- c:\program files\Hewlett-Packard
2009-11-22 17:44 . 2009-11-22 17:44 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-22 17:44 . 2009-11-20 21:07 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-22 17:44 . 2009-11-22 17:44 844056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-22 17:44 . 2009-11-22 17:44 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-22 08:57 . 2009-11-22 08:57 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-11-22 08:54 . 2009-11-22 08:54 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-11-21 23:08 . 2009-11-21 23:08 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\Ahead
2009-11-21 22:11 . 2009-11-21 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\vsosdk
2009-11-21 18:29 . 2009-11-21 18:29 -------- d-----w- c:\documents and settings\alex\Application Data\Vso
2009-11-21 18:29 . 2009-11-21 18:29 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-21 18:29 . 2009-11-21 18:29 47360 ----a-w- c:\documents and settings\alex\Application Data\pcouffin.sys
2009-11-21 18:29 . 2009-11-21 22:24 -------- d-----w- c:\program files\DVDFab 6
2009-11-21 17:57 . 2004-03-03 01:37 125184 ------w- c:\windows\system32\drivers\imagesrv.sys
2009-11-21 17:57 . 2004-03-03 01:37 5504 ------w- c:\windows\system32\drivers\imagedrv.sys
2009-11-21 17:57 . 2000-06-26 19:45 106496 ----a-w- c:\windows\system32\TwnLib20.dll
2009-11-21 17:57 . 2009-11-21 17:57 -------- d-----w- c:\program files\Common Files\Ahead
2009-11-21 17:57 . 2004-07-27 01:16 476320 ------w- c:\windows\system32\ImagXpr7.dll
2009-11-21 17:57 . 2004-07-27 01:16 471040 ------w- c:\windows\system32\ImagXRA7.dll
2009-11-21 17:57 . 2004-07-27 01:16 262144 ------w- c:\windows\system32\ImagXR7.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 18:27 . 2009-11-20 17:56 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-20 19:10 . 2009-11-20 17:43 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-20 18:02 . 2009-11-20 17:52 -------- d-----w- c:\program files\Common Files\InstallShield
2009-11-20 17:56 . 2009-11-20 17:56 -------- d-----w- c:\program files\Realtek
2009-11-20 17:44 . 2009-11-20 17:44 -------- d-----w- c:\program files\microsoft frontpage
2009-11-20 17:39 . 2009-11-20 17:39 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-09 03:21 . 2009-11-09 03:21 59388 ----a-w- c:\windows\system32\drivers\scdemu.sys
2009-11-06 05:16 . 2009-11-06 05:16 73728 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-10-29 07:45 . 2004-08-04 07:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 07:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 07:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 07:56 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 07:07 . 2009-11-28 19:28 38208 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-16 7585792]
"nwiz"="nwiz.exe" [2006-08-16 1617920]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-13 16264192]
"FuncKey"="c:\program files\Hotkey Management\FuncKey.exe" [2006-10-09 139264]
"PowerManager"="c:\program files\Power Manager\PM.exe" [2006-10-09 151552]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-10-02 151552]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-20 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-11 2033432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-11-18 1243088]

c:\documents and settings\alex\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-20 21:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 02:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\TESTOUT\\Cmi\\Navigator.exe"=
"c:\\Documents and Settings\\alex\\Desktop\\age\\MYTH-age2_x1.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Documents and Settings\\alex\\Desktop\\age\\Age2_x1\\age2_x1.exe"=
"c:\\Program Files\\Packet Tracer 5.2\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\age\\Age2_x1\\age2_x1.exe"=
"c:\\Program Files\\age\\MYTH-age2_x1.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [12/15/2009 1:43 PM 207792]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/20/2009 1:07 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/20/2009 1:07 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/20/2009 1:07 PM 285392]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [11/29/2009 1:33 PM 10688]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [12/15/2009 1:43 PM 359624]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {5048E9BC-F63A-4C43-B7B9-21D77E636A5D} = 68.87.85.102
FF - ProfilePath - c:\documents and settings\alex\Application Data\Mozilla\Firefox\Profiles\8smgit17.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SpySweeper - c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-16 09:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-12-16 09:43:22
ComboFix-quarantined-files.txt 2009-12-16 17:43

Pre-Run: 3,160,289,280 bytes free
Post-Run: 3,487,698,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /noguiboot /sos

- - End Of File - - F454DB1F479F8036AF40788D6D3BA7A0

#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 16 December 2009 - 12:17 PM

Hi,

Please do the following:

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.



#5 l3x

l3x

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 17 December 2009 - 12:40 PM

Hi, I tried to run it a couple of times and both times the system crashed. Is there anything that we can do from the previous reports I posted? Thanks

#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 17 December 2009 - 01:00 PM

It would appear your system may still be infected with a rootkit. I will need to verify this with the GMER program as the other logs will not show it.

Please rename the GMER program to svchost.exe and run it in safe mode.

Reboot - tap F8 repeatedly on startup till an option menu appears...arrow up to safe mode. Log on with your usual account.



#7 l3x

l3x

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 17 December 2009 - 02:46 PM

There you go.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-17 12:39:16
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\alex\LOCALS~1\Temp\fxtoraow.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA6CAE52]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA6ABCDE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA6ABED0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA6CB640]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA6CB8F4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA6C9B44]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA6CBD60]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA6CB112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA6AB984]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

#8 l3x

l3x

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 17 December 2009 - 03:03 PM

New behavior I've noticed. The browser is not redirecting me to unwanted sites most of the time after I ran ComboFix. I saw in its log that it removed the inst.exe file from appdata. So what happens now, most of the time, is that when I click a link from search results the browser will display an error "the webpage cannot be displayed" and it will prompt me to diagnose connection problems. When I click the diagnose button the diagnose wizard will pop up asking me to hit ok to run it and the browser will jump and display the page. This happens on most links. Other links work just fine. Another thing is that my browser will occasionally return to its original infected state and will redirect me to those unwanted sites.

#9 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 17 December 2009 - 04:38 PM

Hi,

Please do the following:

Flush DNS

  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space in “..g /f…”; it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.


In I.E.
  • Check internet options settings.
  • Tools > Internet Options > Connections
  • LAN settings
  • Choose "automatically detect settings"
  • uncheck both proxy settings boxes

In FireFox
  • Click on Advanced -> Network -> Settings…
  • the No Proxy option should be selected


NEXT



Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
    • If you use Firefox browser
    • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
It's normal after running ATF cleaner that the PC will be slower to boot the first time.


NEXT



Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


In your next reply please include
  • Goored log
  • MBAM Log
  • Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#10 l3x (New Member, 10 posts)

Posted 19 December 2009 - 10:50 AM

Online scan didn't detect anything so malwarebytes.

GooredFix by jpshortstuff (06.12.09.1)
Log created at 11:42 on 18/12/2009 (alex)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [06:25 24/11/2009]

C:\Documents and Settings\alex\Application Data\Mozilla\Firefox\Profiles\8smgit17.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [23:37 30/11/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [19:46 20/11/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:05 24/11/2009]

-=E.O.F=-

Malwarebytes' Anti-Malware 1.42
Database version: 3386
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/18/2009 12:31:33 PM
mbam-log-2009-12-18 (12-31-33).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 169471
Time elapsed: 42 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#11 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 19 December 2009 - 11:03 AM

How is the computer running now? Are there any more redirects? In firefox go to > Tools > Add-Ons - list out the add-ons you have in the browser.



#12 l3x (New Member, 10 posts)

Posted 19 December 2009 - 12:07 PM

No redirects, but now I have the problem with "browser cannot display the page" I mentioned before. If I use FFox I get "Firefox can't find the server at newserversearch.com." I am searching the newserversearch.com keyword and I see many people face the same problem and basically the culprit is untraceable. Thanks for your time on this. I appreciate it.

#13 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 19 December 2009 - 12:51 PM

Hi,

Your profile in FF may be corrupted. Try creating a new profile in Firefox and

see if that makes a difference:
  • Close Firefox. Click 'File' and then 'Exit' to make sure the program is completely closed.
  • Click 'Start' from the desktop and then 'Run.'
  • Type 'firefox.exe -ProfileManager' (without the quotes) in the 'Open' text field.
  • Click 'OK' to launch the Profile Manager.
  • Click the 'Create Profile' button to begin using the profile creation wizard.
  • Click 'Next' after reading the welcome message.
  • Type a profile name in the space provided. Consider using something descriptive to help you remember what is saved in the profile.
  • Click the 'Finish' button to complete the wizard.

Use Your New Profile in Firefox
  • Open the Profile Manager following the instructions above.
  • Browse through the list of profiles that you have created.
  • Click the profile you want to use.
  • Click the 'Start Firefox' button to use the selected profile.


Then Try resetting IE back to default:

http://support.microsoft.com/kb/923737

use the "Fix-It" button



#14 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 27 December 2009 - 01:10 PM

Hi,

I've been looking over your logs again and think I have found the culprit

Please do the following:


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Browser_Hijacked_t108908.html
Collect::
c:\windows\system32\nvwrsptby.dll

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.



#15 CatByte (Classroom Administrator, 21,060 posts, MVP)

Posted 27 December 2009 - 10:04 PM

Hi,

Please open a command window:

Go to Start > Run type cmd into the run box

now copy/paste the following into the open command window > hit enter

@echo off
rem list every scheduled task in verbose list form and keep only the command each one launches
schtasks /query /fo list /v | findstr /i /c:"Task To Run">log.txt
rem open the result so it can be copied into the reply
start notepad log.txt
exit
cls


Please post back the content of log.txt

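The command in the post above keeps only the "Task To Run" line of every scheduled task, because a task that re-launches the hijacker each day is one of the ways a redirect can survive a clean MBAM scan. As an added example (not part of this thread, and not a tool any poster used), here is a Python parser for the same `schtasks /query /fo list /v` output that groups the fields per task and flags the launch commands a cleanup helper would want to look at first: commands that run from a user-writable profile directory, or that go through a DLL/script host such as rundll32 or wscript rather than a program of their own. The sample output, its task names and its commands are constructed for illustration, and the two flagging rules are my own heuristics, not anything the post specifies.

```python
"""Parse `schtasks /query /fo list /v` output and flag suspicious 'Task To Run' commands.

Added example for this thread; the sample output below is constructed, not taken
from the original poster's machine, and the flagging rules are heuristics of my own.
"""
import re
import sys
from typing import Dict, List

# Constructed sample in the /fo list /v layout: one "Field:  value" line per field,
# tasks separated by blank lines. Only the TaskName and Task To Run fields matter here.
SAMPLE_OUTPUT = r"""
HostName:                             ALEX-PC
TaskName:                             GoogleUpdateTaskMachineUA
Next Run Time:                        12/28/2009 1:14:00 AM
Status:
Last Run Time:                        12/27/2009 1:14:00 AM
Last Result:                          0
Task To Run:                          C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
Start In:                             N/A

HostName:                             ALEX-PC
TaskName:                             At1
Next Run Time:                        12/28/2009 9:00:00 AM
Status:
Last Run Time:                        12/27/2009 9:00:00 AM
Last Result:                          0
Task To Run:                          rundll32.exe "C:\Documents and Settings\alex\Local Settings\Temp\svcupd.dll",Launch
Start In:                             N/A

HostName:                             ALEX-PC
TaskName:                             At2
Next Run Time:                        Never
Status:
Last Run Time:                        Never
Last Result:                          1
Task To Run:                          C:\WINDOWS\system32\wscript.exe //B "C:\Documents and Settings\alex\Application Data\sync.vbs"
Start In:                             N/A
"""

# "Field name:" followed by the value; field names contain only letters and spaces,
# so the first colon ends the key even when the value is a path such as C:\...
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")

# Heuristic 1 (assumption): the command lives under a user-writable XP profile directory.
USER_WRITABLE_RE = re.compile(r"\\(Temp|Application Data|Local Settings)\\", re.IGNORECASE)
# Heuristic 2 (assumption): the task runs a host that loads a DLL or script, not a program of its own.
HOST_RE = re.compile(r"\b(rundll32|regsvr32|wscript|cscript|mshta)(\.exe)?\b", re.IGNORECASE)


def parse_schtasks_list(text: str) -> List[Dict[str, str]]:
    """Split list-format output into one {field: value} dict per task."""
    tasks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():            # a blank line ends the current task block
            if current:
                tasks.append(current)
                current = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1).strip()] = match.group(2).strip()
    if current:
        tasks.append(current)
    return tasks


def flag_tasks(tasks: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the tasks whose launch command trips at least one heuristic, with the reasons."""
    flagged: List[Dict[str, object]] = []
    for task in tasks:
        command = task.get("Task To Run", "")
        reasons = []
        if USER_WRITABLE_RE.search(command):
            reasons.append("runs from a user-writable profile directory")
        if HOST_RE.search(command):
            reasons.append("uses a DLL/script host; inspect the file it loads")
        if reasons:
            flagged.append({"name": task.get("TaskName", "?"), "command": command, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    # Usage: schtasks /query /fo list /v > tasks.txt, then: python flag_tasks.py tasks.txt
    raw = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for hit in flag_tasks(parse_schtasks_list(raw)):
        print(f"{hit['name']}: {hit['command']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

A hit is a lead, not a verdict: rundll32 and wscript have legitimate uses, so the next step is to look at the DLL or script the flagged task loads (hash it, check whether it is signed, see when it appeared) in the same way the ComboFix Collect:: script above submits a suspect DLL for analysis.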
