Shane Posted December 3, 2008 ID:37548 Share Posted December 3, 2008 Good evening, I recently discovered I have a browser hijack. Regular symptoms- unable to update AVG, Adaware, or Spybot. unable to visit those web pages, redirected to google or amazon add sites, etc. I also am unable to install Malwarebytes from my flash drive. I am working in this thread from my backup computer so please forgive my slow response time, etc. I was able to get Hijack This installed. Below is my log. I have tried nothing more than running AVG 7.5 and 8.0, Spybot and Adaware. My virus defintions were up to date as of two weeks ago, but I am unable to update them at this time. Thank you for your assistance with this incredibly frustrating issue. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:01:03 PM, on 12/2/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ATK Hotkey\Hcontrol.exeC:\Program Files\ATK Hotkey\MsgTranAgt.exeC:\Program Files\ASUS\ATK Media\DMEDIA.EXEC:\Program Files\ATKOSD2\ATKOSD2.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\ASUS\Power4 Gear\BatteryLife.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\Synaptics\SynTP\SynAsus.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exeC:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exeC:\Program Files\Cyberlink\Shared Files\brs.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exeC:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exeC:\Program Files\Motorola\SMSERIAL\sm56hlpr.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exeC:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exeC:\Program Files\ATK Hotkey\ATKOSD.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\Program Files\ATK Hotkey\WDC.exeC:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exeC:\WINDOWS\system32\svchost.exeC:\Documents and Settings\Owner\Desktop\HiJackThis.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dllO2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLLO2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dllO3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLLO4 - HKLM\..\Run: [ATKHOTKEY] "C:\Program Files\ATK Hotkey\Hcontrol.exe"O4 - HKLM\..\Run: [MsgTranAgt] "C:\Program Files\ATK Hotkey\MsgTranAgt.exe"O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXEO4 - HKLM\..\Run: [ATKOSD2] "C:\Program Files\ATKOSD2\ATKOSD2.exe"O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll,RegisterModuleO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exeO4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"O4 - HKLM\..\Run: [bDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /backgroundO4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -uO4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exeO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hiddenO4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifworkO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO20 - AppInit_DLLs: APSHook.dll,avgrsstx.dllO20 - Winlogon Notify: OneCard - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dllO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exeO23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exeO23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exeO23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exeO23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe--End of file - 8406 bytes Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37605 Share Posted December 3, 2008 Hi and welcome,I see you have both AVG Antispyware 7.5 & AVG 8.0 installed.Having both will likely conflict because 8.0 has both AV & antispyware.I recommend uninstalling AVG Antispyware 7.5. It will no longer be updated/supported after January 2009.HJT is not telling me much. I'd like to have a deeper look at the system.Please download DDS and save it to your desktop.Disable any script blocking protection Double click dds.scr to run the tool. When done, DDS.txt will open. Click Yes at the next prompt for Optional Scan. Save both reports to your desktop.---------------------------------------------------Please include the contents of the following in your next reply:DDS.txt Attach the following report to your post by clicking the Manage Attachments button under Additonal Options>Attach Files on the composition page. Browse to where you saved the file, and click Upload.Attach.txt If you can't attach the second log you can copy/paste it in your reply. (it might take 2 replies to get both logs in)Please don't use any other tools unless I ask you or they may hinder our fixes.Thanks Also check your PM please in a few minutes. Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37652 Share Posted December 3, 2008 Attached please find the Optional Scan report. Below is the DDS report. Also, I uninstalled AVG 7.5 per your request. Thank you for your assistance. DDS (Version 1.0) - NTFSx86 Run by Owner at 7:58:25.48 on Wed 12/03/2008Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2544 [GMT -5:00]============== Running Processes ===============C:\WINDOWS\System32\svchost.exe -k CognizanceC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ATK Hotkey\Hcontrol.exeC:\Program Files\ATK Hotkey\MsgTranAgt.exeC:\Program Files\ASUS\ATK Media\DMEDIA.EXEC:\Program Files\ATKOSD2\ATKOSD2.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\ASUS\Power4 Gear\BatteryLife.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Synaptics\SynTP\SynAsus.exeC:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exeC:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exeC:\Program Files\Cyberlink\Shared Files\brs.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exeC:\Program Files\Motorola\SMSERIAL\sm56hlpr.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\ATK Hotkey\ATKOSD.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\ATK Hotkey\WDC.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\WINDOWS\system32\wuauclt.exeC:\Documents and Settings\Owner\Application Data\U3\0AB1395171F2C9D6\LaunchPad.exeC:\Program Files\iPod\bin\iPodService.exeC:\Documents and Settings\Owner\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/ieuInternet Settings,ProxyOverride = *.localuSearchAssistant = hxxp://www.google.comBHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dllBHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dllBHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dllBHO: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLLBHO: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\program files\asus security center\asus security protect manager\bin\ItIEAddIn.dllTB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLLTB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLLuRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exeuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [bitTorrent DNA] "c:\program files\dna\btdna.exe"uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hiddenuRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifworkmRun: [ATKHOTKEY] "c:\program files\atk hotkey\Hcontrol.exe"mRun: [MsgTranAgt] "c:\program files\atk hotkey\MsgTranAgt.exe"mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXEmRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exemRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exemRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1mRun: [CognizanceTS] rundll32.exe c:\progra~1\asusse~1\asusse~1\bin\ASTSVCC.dll,RegisterModulemRun: [RTHDCPL] RTHDCPL.EXEmRun: [Alcmtr] ALCMTR.EXEmRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exemRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exemRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"mRun: [bDRegion] c:\program files\cyberlink\shared files\brs.exemRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osbootmRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /backgroundmRun: [<NO NAME>] mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -umRun: [sMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exemRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupHandler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dllNotify: OneCard - c:\program files\asus security center\asus security protect manager\bin\ASWLNPkg.dllAppInit_DLLs: APSHook.dll,avgrsstx.dllLSA: Notification Packages = scecli ASWLNPkg============= SERVICES / DRIVERS ===============R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-16 97928]R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-16 26824]R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\ItSDisk.sys [2006-5-16 23496]R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-2-28 14336]R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-28 14336]R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 875288]R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 231704]R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-16 76040]R4 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys []R4 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys []=============== Created Last 30 ================2008-12-01 13:35 0 a------- c:\windows\system32\wertyu.dll2008-12-01 13:35 0 a------- c:\windows\system32\getwn32.dll2008-12-01 13:35 0 a------- c:\windows\system32\av.exe2008-12-01 13:30 89,614 a------- c:\windows\system32\av.dat2008-11-25 17:04 256 a------- c:\windows\system32\pool.bin2008-11-25 17:03 <DIR> --d----- c:\docume~1\owner\applic~1\Research In Motion2008-11-25 16:58 <DIR> --d----- c:\program files\common files\Sonic Shared2008-11-25 16:58 <DIR> --d----- c:\program files\Roxio2008-11-25 16:55 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys2008-11-25 16:54 <DIR> --d----- c:\program files\common files\Research In Motion2008-11-25 16:53 <DIR> --d----- c:\program files\Research In Motion2008-11-25 16:48 18,468,336 a------- c:\program files\RhapsodyVcast.EXE2008-11-18 19:53 <DIR> --d----- c:\program files\BitPim2008-11-18 17:30 <DIR> --d----- c:\program files\LG Electronics2008-11-14 13:30 <DIR> --d----- C:\temp2008-11-11 17:37 98 a------- c:\windows\WirelessFTP.INI2008-11-11 17:33 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys2008-11-11 17:33 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll==================== Find3M ====================2008-12-02 20:02 <DIR> --d----- c:\docume~1\owner\applic~1\BitTorrent2008-12-02 14:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg82008-11-28 12:19 <DIR> --d----- c:\docume~1\owner\applic~1\LimeWire2008-11-14 13:12 <DIR> --d----- c:\program files\THQ2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys2008-09-14 08:31 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll2008-09-04 12:15 1,106,944 a------- c:\windows\system32\msxml3.dll2008-08-24 18:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia2008-07-15 10:10 <DIR> --d----- c:\docume~1\owner\applic~1\DNA2008-07-10 11:00 <DIR> --d----- c:\docume~1\owner\applic~1\Turbine2008-07-10 07:17 <DIR> --d----- c:\docume~1\owner\applic~1\GetRightToGo2008-07-04 11:07 <DIR> --d----- c:\docume~1\owner\applic~1\Electronic Arts2008-06-19 10:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe2008-06-19 10:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero2008-06-19 10:15 <DIR> --d----- c:\docume~1\owner\applic~1\BSplayer2008-06-19 10:12 <DIR> --d----- c:\docume~1\owner\applic~1\BSplayer Pro2008-06-09 11:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Winamp Toolbar2008-05-19 06:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy2008-05-18 05:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\media center programs2008-05-18 03:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Funcom2008-05-17 14:14 <DIR> --d----- c:\docume~1\owner\applic~1\AVGTOOLBAR2008-05-16 23:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft2008-05-16 06:11 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{0E8E33D8-193A-414A-A909-0F101A142D26}2008-05-13 07:13 <DIR> --d----- c:\docume~1\owner\applic~1\TMP============= FINISH: 7:58:53.96 ===============Attach.txtDDS.txtAttach.txtDDS.txt Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37655 Share Posted December 3, 2008 Thanks Shane,Other than AVG not updating it work OK?Locate if present the following file & delete it if present:C:\windows\ntbtlog.txtRestart the computerJust before the OS loading screen starts hit F8 as if going to safe mode.From the advanced boot menu choose "enable boot logging" then hit enter.Post the following file:C:\windows\ntbtlog.txtThanks Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37658 Share Posted December 3, 2008 Good morning, AVG/Spybot/Adaware will not update and I have a browser hack that always redirects me to google, then various add sites. I cannot type in any address in the bar, just either google or yahoo, and from there when I use the search engine I get add sites. I am working in this forum from my backup PC. Here is the log you requested. Service Pack 312 3 2008 08:45:26.375Loaded driver \WINDOWS\system32\ntkrnlpa.exeLoaded driver \WINDOWS\system32\hal.dllLoaded driver \WINDOWS\system32\KDCOM.DLLLoaded driver \WINDOWS\system32\BOOTVID.dllLoaded driver sptd.sysLoaded driver \WINDOWS\System32\Drivers\WMILIB.SYSLoaded driver \WINDOWS\System32\Drivers\SCSIPORT.SYSLoaded driver ACPI.sysLoaded driver pci.sysLoaded driver ohci1394.sysLoaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYSLoaded driver isapnp.sysLoaded driver compbatt.sysLoaded driver \WINDOWS\system32\DRIVERS\BATTC.SYSLoaded driver pciide.sysLoaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYSLoaded driver MountMgr.sysLoaded driver ftdisk.sysLoaded driver PartMgr.sysLoaded driver ACPIEC.sysLoaded driver \WINDOWS\system32\DRIVERS\OPRGHDLR.SYSLoaded driver VolSnap.sysLoaded driver atapi.sysLoaded driver iaStor.sysLoaded driver jraid.sysLoaded driver disk.sysLoaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYSLoaded driver fltmgr.sysLoaded driver sr.sysLoaded driver PxHelp20.sysLoaded driver KSecDD.sysLoaded driver Ntfs.sysLoaded driver NDIS.sysLoaded driver Mup.sysLoaded driver JGOGO.sysLoaded driver \SystemRoot\system32\DRIVERS\intelppm.sysLoaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sysLoaded driver \SystemRoot\system32\DRIVERS\usbuhci.sysLoaded driver \SystemRoot\system32\DRIVERS\usbehci.sysLoaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sysLoaded driver \SystemRoot\system32\DRIVERS\NETw4x32.sysLoaded driver \SystemRoot\system32\DRIVERS\sdbus.sysLoaded driver \SystemRoot\system32\DRIVERS\rimmptsk.sysLoaded driver \SystemRoot\system32\DRIVERS\rimsptsk.sysLoaded driver \SystemRoot\system32\DRIVERS\rixdptsk.sysLoaded driver \SystemRoot\system32\DRIVERS\i8042prt.sysLoaded driver \SystemRoot\system32\DRIVERS\kbdclass.sysLoaded driver \SystemRoot\system32\DRIVERS\Wdf01000.sysLoaded driver \SystemRoot\system32\DRIVERS\SynTP.sysLoaded driver \SystemRoot\system32\DRIVERS\mouclass.sysLoaded driver \SystemRoot\system32\DRIVERS\imapi.sysLoaded driver \SystemRoot\system32\DRIVERS\cdrom.sysLoaded driver \SystemRoot\system32\DRIVERS\redbook.sysLoaded driver \SystemRoot\system32\DRIVERS\GEARAspiWDM.sysLoaded driver \SystemRoot\System32\Drivers\ahebdxlx.SYSLoaded driver \SystemRoot\system32\DRIVERS\CmBatt.sysLoaded driver \SystemRoot\system32\DRIVERS\ATKACPI.sysLoaded driver \SystemRoot\System32\Drivers\tosrfcom.sysLoaded driver \SystemRoot\system32\DRIVERS\audstub.sysLoaded driver \SystemRoot\System32\Drivers\RootMdm.sysLoaded driver \SystemRoot\System32\Drivers\Modem.SYSLoaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sysLoaded driver \SystemRoot\system32\DRIVERS\ndistapi.sysLoaded driver \SystemRoot\system32\DRIVERS\ndiswan.sysLoaded driver \SystemRoot\system32\DRIVERS\raspppoe.sysLoaded driver \SystemRoot\system32\DRIVERS\raspptp.sysLoaded driver \SystemRoot\system32\DRIVERS\msgpc.sysLoaded driver \SystemRoot\system32\DRIVERS\psched.sysLoaded driver \SystemRoot\system32\DRIVERS\ptilink.sysLoaded driver \SystemRoot\system32\DRIVERS\raspti.sysLoaded driver \SystemRoot\system32\DRIVERS\RimSerial.sysLoaded driver \SystemRoot\system32\DRIVERS\termdd.sysLoaded driver \SystemRoot\system32\DRIVERS\swenum.sysLoaded driver \SystemRoot\system32\DRIVERS\update.sysLoaded driver \SystemRoot\system32\DRIVERS\mssmbios.sysLoaded driver \SystemRoot\system32\DRIVERS\tosporte.sysLoaded driver \SystemRoot\System32\Drivers\NDProxy.SYSDid not load driver \SystemRoot\System32\Drivers\NDProxy.SYSLoaded driver \SystemRoot\system32\DRIVERS\usbhub.sysLoaded driver \SystemRoot\system32\drivers\RtkHDAud.sysLoaded driver \SystemRoot\system32\DRIVERS\smserial.sysLoaded driver \SystemRoot\system32\drivers\MODEMCSA.sysDid not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYSDid not load driver \SystemRoot\System32\Drivers\Fdc.SYSDid not load driver \SystemRoot\System32\Drivers\Flpydisk.SYSDid not load driver \SystemRoot\System32\Drivers\Sfloppy.SYSDid not load driver \SystemRoot\System32\Drivers\i2omgmt.SYSDid not load driver \SystemRoot\System32\Drivers\Changer.SYSDid not load driver \SystemRoot\System32\Drivers\Cdaudio.SYSLoaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYSLoaded driver \SystemRoot\System32\Drivers\Null.SYSLoaded driver \SystemRoot\System32\Drivers\Beep.SYSLoaded driver \SystemRoot\System32\drivers\vga.sysLoaded driver \SystemRoot\System32\Drivers\mnmdd.SYSLoaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sysLoaded driver \SystemRoot\System32\Drivers\Msfs.SYSLoaded driver \SystemRoot\System32\Drivers\Npfs.SYSLoaded driver \systemroot\system32\drivers\TDSSmhct.sysLoaded driver \SystemRoot\system32\DRIVERS\rasacd.sysLoaded driver \SystemRoot\system32\DRIVERS\ipsec.sysLoaded driver \SystemRoot\system32\DRIVERS\tcpip.sysLoaded driver \SystemRoot\system32\DRIVERS\ipnat.sysLoaded driver \SystemRoot\system32\DRIVERS\wanarp.sysLoaded driver \SystemRoot\system32\DRIVERS\netbt.sysLoaded driver \SystemRoot\System32\drivers\afd.sysLoaded driver \SystemRoot\system32\DRIVERS\netbios.sysDid not load driver \SystemRoot\System32\Drivers\PCIDump.SYSLoaded driver \SystemRoot\system32\DRIVERS\rdbss.sysLoaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sysLoaded driver \SystemRoot\System32\Drivers\ItSDisk.sysLoaded driver \SystemRoot\System32\Drivers\Fips.SYSLoaded driver \SystemRoot\System32\Drivers\avgmfx86.sysLoaded driver \SystemRoot\system32\DRIVERS\ATSwpDrv.sysLoaded driver \SystemRoot\system32\DRIVERS\hidusb.sysLoaded driver \SystemRoot\system32\DRIVERS\usbccgp.sysLoaded driver \SystemRoot\system32\DRIVERS\mouhid.sysLoaded driver \SystemRoot\System32\Drivers\usbvideo.sysLoaded driver \SystemRoot\System32\Drivers\avgldx86.sysLoaded driver \SystemRoot\System32\Drivers\Cdfs.SYSLoaded driver \SystemRoot\system32\DRIVERS\ndisuio.sysDid not load driver \SystemRoot\system32\DRIVERS\rdbss.sysDid not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sysLoaded driver \SystemRoot\system32\DRIVERS\mrxdav.sysDid not load driver \SystemRoot\System32\Drivers\Parport.SYSDid not load driver \SystemRoot\System32\Drivers\Serial.SYSLoaded driver \SystemRoot\system32\drivers\wdmaud.sysLoaded driver \SystemRoot\system32\drivers\sysaudio.sysLoaded driver \SystemRoot\system32\drivers\splitter.sysLoaded driver \SystemRoot\system32\drivers\aec.sysLoaded driver \SystemRoot\system32\drivers\swmidi.sysLoaded driver \SystemRoot\System32\Drivers\avgtdix.sysLoaded driver \SystemRoot\system32\drivers\DMusic.sysLoaded driver \SystemRoot\system32\drivers\kmixer.sysLoaded driver \SystemRoot\system32\drivers\drmkaud.sysLoaded driver \SystemRoot\system32\DRIVERS\srv.sysLoaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYSLoaded driver \SystemRoot\System32\Drivers\Fastfat.SYSLoaded driver \??\C:\Program Files\CyberLink\PowerDVD8\000.fclDid not load driver \SystemRoot\system32\DRIVERS\ipnat.sysLoaded driver \SystemRoot\system32\drivers\kmixer.sys Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37665 Share Posted December 3, 2008 Hi,Thanks for the log.Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.To disable SpybotSD TeaTimer:1.) Open Spybot and click on Mode and check Advanced Mode2.) Check yes to next window.3.) Click on Tools in bottom left hand corner.4.) Click on System Startup icon.5.) Uncheck Teatimer box. (resident)6.) Click Allow Change box.7.) RebootYou can follow this link if you need help: http://russelltexas.com/malware/teatimer.htmDownload this file, save it to the desktop & run it:http://downloads.subratam.org/ResetTeaTimer.batIt will "reset" teaTimer so it forgets bad stuff that may have been allowed earlier.---------------------------------------------If you can't download ComboFix from infected computer then download it to the one you are on now & transfer it to infected one.Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. Link 1 Link 2 Link 3 -------------------------------------------------------------------- Double click on Combo-Fix.exe & follow the prompts. When finished, it will produce a report for you. Please post the C:\ComboFix.txt so we can continue cleaning the system.Note: Do not mouseclick combofix's window while it's running. That may cause it to stall Let me know how machine is running please.There may be more work to do so don't run away yet. Thanks Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37671 Share Posted December 3, 2008 I was unable to open Spybot to reset the tea timer. I also was unable to get the program to reset my tea timer to do anything as well. I was able to close out my spybot and was planning on doing a reinstall afterwards if we are able to get my system clean. Ran Combo-fix, my PC did not want to run it for several minutes, however after a resave, rename, rename in the flash drive and a prayer it took it. Below is the log. Also, combo fix noted i did not have the Windows Recovery Console. I could not connect ot the internet to download that piece so it just skipped and continued with the scan. Let me know if there is anything further you would like me to do. ComboFix 08-12-02.02 - Owner 2008-12-03 9:56:28.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2660 [GMT -5:00]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dllc:\windows\system32\av.datc:\windows\system32\av.exec:\windows\system32\drivers\TDSSmhct.sysc:\windows\system32\getwn32.dllc:\windows\system32\TDSShrsr.dllc:\windows\system32\TDSSkkbi.logc:\windows\system32\TDSSlxwp.dllc:\windows\system32\TDSSnmxh.logc:\windows\system32\TDSSorvd.datc:\windows\system32\TDSSotqh.dllc:\windows\system32\TDSSrhyp.logc:\windows\system32\TDSSriqp.dllc:\windows\system32\TDSSsihc.dllc:\windows\system32\TDSSxfum.dllc:\windows\system32\wertyu.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Service_TDSSSERV.SYS-------\Legacy_TDSSSERV.SYS((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 ))))))))))))))))))))))))))))))).2008-12-02 20:08 . 2008-12-02 20:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Grisoft2008-12-02 20:04 . 2008-12-02 21:40 <DIR> d-------- c:\documents and settings\Administrator2008-12-02 18:19 . 2008-12-03 09:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\U32008-11-25 17:07 . 2008-11-25 17:07 <DIR> d-------- c:\documents and settings\Owner\Application Data\Roxio2008-11-25 17:07 . 2008-11-25 17:07 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Roxio2008-11-25 17:04 . 2008-12-02 17:06 256 --a------ c:\windows\system32\pool.bin2008-11-25 17:03 . 2008-11-25 17:03 <DIR> d-------- c:\documents and settings\Owner\Application Data\Research In Motion2008-11-25 16:59 . 2008-11-25 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic2008-11-25 16:59 . 2008-11-25 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield2008-11-25 16:58 . 2008-11-25 16:58 <DIR> d-------- c:\program files\Roxio2008-11-25 16:58 . 2008-11-25 16:58 <DIR> d-------- c:\program files\Common Files\Sonic Shared2008-11-25 16:58 . 2008-11-25 16:58 <DIR> d-------- c:\program files\Common Files\Roxio Shared2008-11-25 16:58 . 2008-11-25 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio2008-11-25 16:55 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys2008-11-25 16:54 . 2008-11-25 16:54 <DIR> d-------- c:\program files\Common Files\Research In Motion2008-11-25 16:53 . 2008-11-25 16:53 <DIR> d-------- c:\program files\Research In Motion2008-11-25 16:48 . 2008-11-25 16:49 18,468,336 --a------ c:\program files\RhapsodyVcast.EXE2008-11-18 19:53 . 2008-11-18 19:54 <DIR> d-------- c:\program files\BitPim2008-11-18 17:30 . 2008-11-18 17:30 <DIR> d-------- c:\program files\LG Electronics2008-11-14 13:30 . 2008-11-25 16:55 <DIR> d-------- C:\temp2008-11-11 17:40 . 2008-11-11 17:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Toshiba2008-11-11 17:37 . 2008-11-11 17:43 98 --a------ c:\windows\WirelessFTP.INI2008-11-11 17:33 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll2008-11-11 17:33 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-12-03 01:02 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent2008-12-02 22:12 --------- d--h--w c:\program files\InstallShield Installation Information2008-12-02 22:12 --------- d-----w c:\program files\Electronic Arts2008-12-02 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\avg82008-11-28 17:19 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire2008-11-25 21:58 --------- d-----w c:\program files\Common Files\InstallShield2008-11-14 18:12 --------- d-----w c:\program files\THQ2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Secure Disks]@="{666C7836-A9B6-4AB4-94ED-DC238C81E925}"[HKEY_CLASSES_ROOT\CLSID\{666C7836-A9B6-4AB4-94ED-DC238C81E925}]2006-10-26 11:35 391168 -ra------ c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\SFSShell.dll[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 451872]"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-11-28 229376]"MsgTranAgt"="c:\program files\ATK Hotkey\MsgTranAgt.exe" [2007-11-04 106496]"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2007-10-17 7737344]"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-21 36864]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-16 1029416]"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 86016]"CognizanceTS"="c:\progra~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [2003-12-21 17920]"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-06-19 91432]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-25 185896]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-09-19 615696]"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-21 630784]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-21 13508608]"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 c:\windows\RTHDCPL.exe][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=APSHook.dll,avgrsstx.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Notification Packages REG_MULTI_SZ scecli ASWLNPkg[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]@=""[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnkbackup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\LimeWire\\LimeWire.exe"="c:\\Program Files\\AVG\\AVG8\\avgupd.exe"="c:\\Program Files\\AVG\\AVG8\\avgemc.exe"="c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"="c:\\Program Files\\Warcraft III\\Warcraft III.exe"="c:\\Program Files\\BitTorrent\\bittorrent.exe"="c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-16 97928]R1 ItSDisk;ItSDisk;c:\windows\system32\Drivers\ItSDisk.sys [2006-05-16 23496]R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\CyberLink\PowerDVD8\000.fcl [2008-02-01 16:24:04 41456]R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2006-02-28 14336]R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-04 875288]R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 231704]R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-16 76040]S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2006-02-28 14336][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]Cognizance REG_MULTI_SZ ASBroker ASChannel[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]\Shell\AutoRun\command - F:\LaunchU3.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c9d0b04-b5c0-11dd-9712-001f3b4d9d19}]\Shell\AutoRun\command - F:\USBAutoRun.exe[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]"c:\program files\Common Files\LightScribe\LSRunOnce.exe".Contents of the 'Scheduled Tasks' folder2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34].- - - - ORPHANS REMOVED - - - -HKCU-Run-BitTorrent DNA - c:\program files\DNA\btdna.exeHKLM-Run-!AVG Anti-Spyware - c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeNotify-OneCard - (no file).------- Supplementary Scan -------.FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\capxxhld.default\FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.comFF -: plugin - c:\program files\DNA\plugins\npbtdna.dllFF -: plugin - c:\program files\Download Manager\npfpdlm.dllFF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dllFF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dllFF -: plugin - c:\program files\Mozilla Firefox\plugins\npff_gdm.dllFF -: plugin - c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-12-03 10:00:56Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(752)c:\windows\system32\COMRes.dllc:\windows\system32\CLBCATQ.DLL.------------------------ Other Running Processes ------------------------.c:\program files\Lavasoft\Ad-Aware\aawservice.exec:\program files\Common Files\LightScribe\LSSrvc.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\windows\system32\nvsvc32.exec:\program files\Synaptics\SynTP\SynAsus.exec:\program files\ATK Hotkey\ATKOSD.exec:\program files\ATK Hotkey\WDC.exec:\windows\system32\wdfmgr.exec:\windows\system32\wscntfy.exec:\program files\iPod\bin\iPodService.exec:\program files\AVG\AVG8\avgrsx.exec:\program files\AVG\AVG8\avgrsx.exe.**************************************************************************.Completion time: 2008-12-03 10:04:41 - machine was rebootedComboFix-quarantined-files.txt 2008-12-03 15:04:39Pre-Run: 178,348,130,304 bytes freePost-Run: 178,503,204,864 bytes free214 --- E O F --- 2008-11-13 19:10:28 Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37674 Share Posted December 3, 2008 New issue as well, now unable to connect to the internet at all. Spybot will now boot up, etc. however I cannot get any program to connect to the internet. Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37682 Share Posted December 3, 2008 Still nothing on this report. Unable to go online and update AVG, Adaware, Spybot, or surf the web. Still updating this thread from my backup PC Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37686 Share Posted December 3, 2008 Hi,Reboot & try internet again please. If it works -- let me know if your AVG & such will connect to update.Can you get Spybot running to disable TeaTimer? See if you can get that disabled please.Thanks Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37693 Share Posted December 3, 2008 I was able to shut down TeaTimer and run the .bat file you asked. Aftwards I reran Combo-Fix and am still unable to get online to update AVG etc. Also still unable to find System Recover Console on my main PC. Below is the new log ComboFix 08-12-02.02 - Owner 2008-12-03 12:24:47.2 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2591 [GMT -5:00]Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exeWARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 ))))))))))))))))))))))))))))))).2008-12-02 20:08 . 2008-12-02 20:08 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Grisoft2008-12-02 20:04 . 2008-12-02 21:40 <DIR> d-------- c:\documents and settings\Administrator2008-12-02 18:19 . 2008-12-03 09:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\U32008-11-25 17:07 . 2008-11-25 17:07 <DIR> d-------- c:\documents and settings\Owner\Application Data\Roxio2008-11-25 17:07 . 2008-11-25 17:07 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Roxio2008-11-25 17:04 . 2008-12-02 17:06 256 --a------ c:\windows\system32\pool.bin2008-11-25 17:03 . 2008-11-25 17:03 <DIR> d-------- c:\documents and settings\Owner\Application Data\Research In Motion2008-11-25 16:59 . 2008-11-25 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic2008-11-25 16:59 . 2008-11-25 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield2008-11-25 16:58 . 2008-11-25 16:58 <DIR> d-------- c:\program files\Roxio2008-11-25 16:58 . 2008-11-25 16:58 <DIR> d-------- c:\program files\Common Files\Sonic Shared2008-11-25 16:58 . 2008-11-25 16:58 <DIR> d-------- c:\program files\Common Files\Roxio Shared2008-11-25 16:58 . 2008-11-25 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio2008-11-25 16:55 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys2008-11-25 16:54 . 2008-11-25 16:54 <DIR> d-------- c:\program files\Common Files\Research In Motion2008-11-25 16:53 . 2008-11-25 16:53 <DIR> d-------- c:\program files\Research In Motion2008-11-25 16:48 . 2008-11-25 16:49 18,468,336 --a------ c:\program files\RhapsodyVcast.EXE2008-11-18 19:53 . 2008-11-18 19:54 <DIR> d-------- c:\program files\BitPim2008-11-18 17:30 . 2008-11-18 17:30 <DIR> d-------- c:\program files\LG Electronics2008-11-14 13:30 . 2008-11-25 16:55 <DIR> d-------- C:\temp2008-11-11 17:40 . 2008-11-11 17:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Toshiba2008-11-11 17:37 . 2008-11-11 17:43 98 --a------ c:\windows\WirelessFTP.INI2008-11-11 17:33 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll2008-11-11 17:33 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-12-03 01:02 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent2008-12-02 22:12 --------- d--h--w c:\program files\InstallShield Installation Information2008-12-02 22:12 --------- d-----w c:\program files\Electronic Arts2008-12-02 19:29 --------- d-----w c:\documents and settings\All Users\Application Data\avg82008-11-28 17:19 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire2008-11-25 21:58 --------- d-----w c:\program files\Common Files\InstallShield2008-11-14 18:12 --------- d-----w c:\program files\THQ2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Secure Disks]@="{666C7836-A9B6-4AB4-94ED-DC238C81E925}"[HKEY_CLASSES_ROOT\CLSID\{666C7836-A9B6-4AB4-94ED-DC238C81E925}]2006-10-26 11:35 391168 -ra------ c:\program files\ASUS Security Center\ASUS Security Protect Manager\Bin\SFSShell.dll[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 451872]"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]"ATKHOTKEY"="c:\program files\ATK Hotkey\Hcontrol.exe" [2007-11-28 229376]"MsgTranAgt"="c:\program files\ATK Hotkey\MsgTranAgt.exe" [2007-11-04 106496]"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]"ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2007-10-17 7737344]"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-21 36864]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-11-16 1029416]"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 86016]"CognizanceTS"="c:\progra~1\ASUSSE~1\ASUSSE~1\Bin\ASTSVCC.dll" [2003-12-21 17920]"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-06-19 91432]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-25 185896]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-09-19 615696]"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-08-26 236016]"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-21 630784]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-21 13508608]"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 c:\windows\RTHDCPL.exe][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"AppInit_DLLs"=APSHook.dll,avgrsstx.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Notification Packages REG_MULTI_SZ scecli ASWLNPkg[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]@=""[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnkbackup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\LimeWire\\LimeWire.exe"="c:\\Program Files\\AVG\\AVG8\\avgupd.exe"="c:\\Program Files\\AVG\\AVG8\\avgemc.exe"="c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="c:\\Program Files\\Spybot - Search & Destroy\\SDUpdate.exe"="c:\\Program Files\\Warcraft III\\Warcraft III.exe"="c:\\Program Files\\BitTorrent\\bittorrent.exe"="c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-16 97928]R1 ItSDisk;ItSDisk;c:\windows\system32\Drivers\ItSDisk.sys [2006-05-16 23496]R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\CyberLink\PowerDVD8\000.fcl [2008-02-01 16:24:04 41456]R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2006-02-28 14336]R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-04 875288]R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 231704]R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-05-16 76040]S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2006-02-28 14336][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]Cognizance REG_MULTI_SZ ASBroker ASChannel[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]\Shell\AutoRun\command - F:\LaunchU3.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c9d0b04-b5c0-11dd-9712-001f3b4d9d19}]\Shell\AutoRun\command - F:\USBAutoRun.exe[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]"c:\program files\Common Files\LightScribe\LSRunOnce.exe".Contents of the 'Scheduled Tasks' folder2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]..------- Supplementary Scan -------.FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\capxxhld.default\FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=FireFox -: prefs.js - STARTUP.HOMEPAGE - www.yahoo.comFF -: plugin - c:\program files\DNA\plugins\npbtdna.dllFF -: plugin - c:\program files\Download Manager\npfpdlm.dllFF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dllFF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dllFF -: plugin - c:\program files\Mozilla Firefox\plugins\npff_gdm.dllFF -: plugin - c:\program files\Mozilla Firefox\plugins\npWebLaunch.dll.**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-12-03 12:28:11Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl".------------------------ Other Running Processes ------------------------.c:\program files\Lavasoft\Ad-Aware\aawservice.exec:\program files\Common Files\LightScribe\LSSrvc.exec:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEc:\windows\system32\nvsvc32.exec:\program files\Synaptics\SynTP\SynAsus.exec:\program files\ATK Hotkey\ATKOSD.exec:\program files\ATK Hotkey\WDC.exec:\windows\system32\wdfmgr.exec:\windows\system32\wscntfy.exec:\program files\iPod\bin\iPodService.exec:\program files\AVG\AVG8\avgrsx.exec:\program files\AVG\AVG8\avgrsx.exe.**************************************************************************.Completion time: 2008-12-03 12:31:25 - machine was rebootedComboFix-quarantined-files.txt 2008-12-03 17:31:22ComboFix2.txt 2008-12-03 15:04:43Pre-Run: 178,532,163,584 bytes freePost-Run: 178,521,980,928 bytes free185 --- E O F --- 2008-11-13 19:10:28 Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37695 Share Posted December 3, 2008 Can you get online at all or is it mainly security sites, av update sites blocked? Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37696 Share Posted December 3, 2008 Now I'm unable to get online at all. yesterday I could at least get to a few sites that were already in my history. However I am now unable to go online and get AVG/Spybot updates, also I am unable to get online with either IE or Firefox. Doesn't look like I'm receiving packets when I check the status of my connection. I've done nothing since running Combo-Fix Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37697 Share Posted December 3, 2008 Can you verify for me that this file actually exist:C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ASWLNPkg.dllAlso -- Locate c:\Qoobox\Quarantine\Registry_Backups, zip it up & upload to the following site:http://www.uploadmalware.comInclude link to this thread so I know who's file it is.Thanks Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37699 Share Posted December 3, 2008 All files found. Uploaded to Quarantine files to the site requested above. thank you. Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37703 Share Posted December 3, 2008 Thanks.Gimme some time -- till later this afternoon. I have to go to work for a bit & will get back to you.Thanks Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37705 Share Posted December 3, 2008 No problem. I'll wait for your instructions. Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37710 Share Posted December 3, 2008 I have a minute or 2 to post a few more instructions..C:\qoobox\quarantined_files.txt <-- post contents of this file please.Click start> run> type regedit and hit enter.Navigate to the following key by expanding the + at left of each:HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters <-- right click this key > choose exportGive it a name & save to desktop. Make no changes.Exit regedit.Zip up the reg file you just saved & attach it here.Thanks Link to post Share on other sites More sharing options...
Shane Posted December 3, 2008 Author ID:37732 Share Posted December 3, 2008 Regedit Parameters and Qoobox file attached below. Hopefully that is what you need.Registry_backups.zipParameters.zipRegistry_backups.zipParameters.zip Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37777 Share Posted December 3, 2008 Hi Shane,Thanks for the logs.Run DDS again & post the logs please.Thanks Link to post Share on other sites More sharing options...
Staff blender Posted December 3, 2008 Staff ID:37779 Share Posted December 3, 2008 I meant to ask as well..Did you ever have Daemon tools and/or Alcohol 120% installed?Let's have a look at a gmer scan too please.Download Gmer from here: http://www.gmer.net/gmer.zip Unzip it to its own folder.Disconnect from internet & shut down Antivirus to prevent conflicts. Shut down also any other unneeded apps including any open browser windows. The less stuff we got running the less chance of false positives in log. Double click gmer.exe to run it. Allow driver to install if asked (gmer.sys) You may get a warning at program start that there is possible rootkit activity and do you want to run scan. Say OK to run scan.If no warning, just click "scan". Let the scan finish. Once done press "save" In the new window that pops up, give the log a name and save it someplace handy.Press save.Re-enable your antivirus, re-connect to internet & post that log here Zip & attach if too long to post please.Thanks Link to post Share on other sites More sharing options...
Shane Posted December 4, 2008 Author ID:37796 Share Posted December 4, 2008 DDS (Version 1.0) - NTFSx86 Run by Owner at 20:18:25.76 on Wed 12/03/2008Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2512 [GMT -5:00]============== Running Processes ===============C:\WINDOWS\System32\svchost.exe -k CognizanceC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\ATK Hotkey\Hcontrol.exeC:\Program Files\ATK Hotkey\MsgTranAgt.exeC:\Program Files\ASUS\ATK Media\DMEDIA.EXEC:\Program Files\ATKOSD2\ATKOSD2.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\ASUS\Power4 Gear\BatteryLife.exeC:\Program Files\Common Files\LightScribe\LSSrvc.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\nvsvc32.exeC:\Program Files\Synaptics\SynTP\SynAsus.exeC:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exeC:\Program Files\Cyberlink\Shared Files\brs.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exeC:\Program Files\Motorola\SMSERIAL\sm56hlpr.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exeC:\Program Files\ATK Hotkey\ATKOSD.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\Program Files\ATK Hotkey\WDC.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\iPod\bin\iPodService.exeC:\Documents and Settings\Owner\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uInternet Settings,ProxyOverride = *.localBHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dllBHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dllBHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dllBHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dllBHO: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLLBHO: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\program files\asus security center\asus security protect manager\bin\ItIEAddIn.dllTB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLLTB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLLuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hiddenuRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifworkmRun: [ATKHOTKEY] "c:\program files\atk hotkey\Hcontrol.exe"mRun: [MsgTranAgt] "c:\program files\atk hotkey\MsgTranAgt.exe"mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXEmRun: [ATKOSD2] "c:\program files\atkosd2\ATKOSD2.exe"mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exemRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exemRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1mRun: [CognizanceTS] rundll32.exe c:\progra~1\asusse~1\asusse~1\bin\ASTSVCC.dll,RegisterModulemRun: [RTHDCPL] RTHDCPL.EXEmRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exemRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exemRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"mRun: [bDRegion] c:\program files\cyberlink\shared files\brs.exemRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osbootmRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /backgroundmRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"mRun: [sMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exemRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupmRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -uHandler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dllAppInit_DLLs: APSHook.dll,avgrsstx.dllLSA: Notification Packages = scecli ASWLNPkg============= SERVICES / DRIVERS ===============R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-16 97928]R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-16 26824]R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\ItSDisk.sys [2006-5-16 23496]R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-28 14336]R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 875288]R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 231704]R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-16 76040]S2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2006-2-28 14336]=============== Created Last 30 ================2008-12-03 09:51 161,792 a------- c:\windows\SWREG.exe2008-12-03 09:51 98,816 a------- c:\windows\sed.exe2008-11-25 17:04 256 a------- c:\windows\system32\pool.bin2008-11-25 17:03 <DIR> --d----- c:\docume~1\owner\applic~1\Research In Motion2008-11-25 16:58 <DIR> --d----- c:\program files\common files\Sonic Shared2008-11-25 16:58 <DIR> --d----- c:\program files\Roxio2008-11-25 16:55 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys2008-11-25 16:54 <DIR> --d----- c:\program files\common files\Research In Motion2008-11-25 16:53 <DIR> --d----- c:\program files\Research In Motion2008-11-25 16:48 18,468,336 a------- c:\program files\RhapsodyVcast.EXE2008-11-18 19:53 <DIR> --d----- c:\program files\BitPim2008-11-18 17:30 <DIR> --d----- c:\program files\LG Electronics2008-11-14 13:30 <DIR> --d----- C:\temp2008-11-11 17:37 98 a------- c:\windows\WirelessFTP.INI2008-11-11 17:33 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys2008-11-11 17:33 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll==================== Find3M ====================2008-12-02 20:02 <DIR> --d----- c:\docume~1\owner\applic~1\BitTorrent2008-12-02 14:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg82008-11-28 12:19 <DIR> --d----- c:\docume~1\owner\applic~1\LimeWire2008-11-14 13:12 <DIR> --d----- c:\program files\THQ2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys2008-09-14 08:31 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll2008-08-24 18:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia2008-07-15 10:10 <DIR> --d----- c:\docume~1\owner\applic~1\DNA2008-07-10 11:00 <DIR> --d----- c:\docume~1\owner\applic~1\Turbine2008-07-10 07:17 <DIR> --d----- c:\docume~1\owner\applic~1\GetRightToGo2008-07-04 11:07 <DIR> --d----- c:\docume~1\owner\applic~1\Electronic Arts2008-06-19 10:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\LightScribe2008-06-19 10:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero2008-06-19 10:15 <DIR> --d----- c:\docume~1\owner\applic~1\BSplayer2008-06-19 10:12 <DIR> --d----- c:\docume~1\owner\applic~1\BSplayer Pro2008-06-09 11:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Winamp Toolbar2008-05-19 06:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy2008-05-18 05:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\media center programs2008-05-18 03:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Funcom2008-05-17 14:14 <DIR> --d----- c:\docume~1\owner\applic~1\AVGTOOLBAR2008-05-16 23:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft2008-05-16 06:11 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{0E8E33D8-193A-414A-A909-0F101A142D26}2008-05-13 07:13 <DIR> --d----- c:\docume~1\owner\applic~1\TMP============= FINISH: 20:18:43.23 ===============Attach2.txtAttach2.txt Link to post Share on other sites More sharing options...
Shane Posted December 4, 2008 Author ID:37798 Share Posted December 4, 2008 I do use Daemon tools occasionally, but have not in quite a while. Here is the gmer log. Please note I am still unable to connect to the internet on my main PC, still updating this thread from my spare. using flash drive to transport programs, logs, etc. GMER 1.0.14.14536 - http://www.gmer.netRootkit scan 2008-12-03 20:32:31Windows 5.1.2600 Service Pack 3---- System - GMER 1.0.14 ----SSDT spda.sys ZwCreateKey [0xBA6A80E0]SSDT spda.sys ZwEnumerateKey [0xBA6C6CA2]SSDT spda.sys ZwEnumerateValueKey [0xBA6C7030]SSDT spda.sys ZwOpenKey [0xBA6A80C0]SSDT spda.sys ZwQueryKey [0xBA6C7108]SSDT spda.sys ZwQueryValueKey [0xBA6C6F88]SSDT spda.sys ZwSetValueKey [0xBA6C719A]INT 0x62 ? 8AF4DBF8INT 0x73 ? 8A316BF8INT 0x74 ? 8A316BF8INT 0x83 ? 8AEDDBF8INT 0x83 ? 8A316BF8INT 0x94 ? 8A316BF8INT 0xA4 ? 8AEDABF8INT 0xB4 ? 8A316BF8---- Kernel code sections - GMER 1.0.14 ----? spda.sys The system cannot find the file specified. !.text USBPORT.SYS!DllUnload B8A658AC 5 Bytes JMP 8A3161D8 .text ajl2aq0a.SYS B791F384 1 Byte [ 20 ].text ajl2aq0a.SYS B791F386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ].text ajl2aq0a.SYS B791F3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ].text ajl2aq0a.SYS B791F3C4 3 Bytes [ 00, 00, 00 ].text ajl2aq0a.SYS B791F3C9 1 Byte [ 00 ].text ... ---- Kernel IAT/EAT - GMER 1.0.14 ----IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [bA6A9040] spda.sysIAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [bA6A913C] spda.sysIAT atapi.sys[HAL.dll!READ_PORT_USHORT] [bA6A90BE] spda.sysIAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [bA6A97FC] spda.sysIAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [bA6A96D2] spda.sysIAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [bA6B9048] spda.sysIAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!KfAcquireSpinLock] 000000ADIAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!KeGetCurrentIrql] 000000A2IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!KfRaiseIrql] 000000AFIAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!KfLowerIrql] 0000009CIAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!HalGetInterruptVector] 000000A4IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!HalTranslateBusAddress] 00000072IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!KfReleaseSpinLock] 000000B7IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FDIAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!READ_PORT_USHORT] 00000093IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[WMILIB.SYS!WmiSystemControl] 000000F7IAT \SystemRoot\System32\Drivers\ajl2aq0a.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC---- Devices - GMER 1.0.14 ----Device \FileSystem\Ntfs \Ntfs 8AF4B1F8Device \FileSystem\Fastfat \FatCdrom 86E361F8Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)Device \Driver\usbuhci \Device\USBPDO-0 8A3AC4D8Device \Driver\usbuhci \Device\USBPDO-1 8A3AC4D8Device \Driver\usbehci \Device\USBPDO-2 8A3001F8Device \Driver\NetBT \Device\NetBT_Tcpip_{750A8CF4-0896-4D5B-AAC6-28E612F9665C} 89E8A368Device \Driver\usbuhci \Device\USBPDO-3 8A3AC4D8Device \Driver\usbuhci \Device\USBPDO-4 8A3AC4D8Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)Device \Driver\usbehci \Device\USBPDO-5 8A3001F8Device \Driver\usbuhci \Device\USBPDO-6 8A3AC4D8Device \Driver\USBSTOR \Device\000000a3 89EAD500Device \Driver\Ftdisk \Device\HarddiskVolume1 8AEDB1F8Device \Driver\Ftdisk \Device\HarddiskVolume2 8AEDB1F8Device \Driver\Cdrom \Device\CdRom0 8A1F31F8Device \Driver\USBSTOR \Device\000000a4 89EAD500Device \Driver\Cdrom \Device\CdRom1 8A1F31F8Device \Driver\USBSTOR \Device\000000a5 89EAD500Device \Driver\Cdrom \Device\CdRom5 8A1F31F8Device \Driver\NetBT \Device\NetBt_Wins_Export 89E8A368Device \Driver\NetBT \Device\NetbiosSmb 89E8A368Device \Driver\PCI_PNP1688 \Device\0000004c spda.sysDevice \Driver\sptd \Device\219560438 spda.sysDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)Device \Driver\usbuhci \Device\USBFDO-0 8A3AC4D8Device \Driver\usbuhci \Device\USBFDO-1 8A3AC4D8Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A07E368Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)Device \Driver\usbehci \Device\USBFDO-2 8A3001F8Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A07E368Device \Driver\usbuhci \Device\USBFDO-3 8A3AC4D8Device \Driver\usbuhci \Device\USBFDO-4 8A3AC4D8Device \Driver\Ftdisk \Device\FtControl 8AEDB1F8Device \Driver\usbuhci \Device\USBFDO-5 8A3AC4D8Device \Driver\usbehci \Device\USBFDO-6 8A3001F8Device \Driver\ajl2aq0a \Device\Scsi\ajl2aq0a1 8A19A1F8Device \Driver\JRAID \Device\Scsi\JRAID1 8AF4C1F8Device \Driver\ajl2aq0a \Device\Scsi\ajl2aq0a1Port3Path0Target0Lun0 8A19A1F8Device \FileSystem\Fastfat \Fat 86E361F8AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)Device \FileSystem\Cdfs \Cdfs 89E8C500---- Registry - GMER 1.0.14 ----Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2C 0x60 0x1A 0x23 ...Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x21 0x91 0x8C 0xC2 ...Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0F 0x2E 0x71 0x7A ...Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2C 0x60 0x1A 0x23 ...Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x21 0x91 0x8C 0xC2 ...Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x46 0xD2 0xF6 0x9E ...Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2C 0x60 0x1A 0x23 ...Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x21 0x91 0x8C 0xC2 ...Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x0F 0x2E 0x71 0x7A ...---- EOF - GMER 1.0.14 ---- Link to post Share on other sites More sharing options...
Shane Posted December 4, 2008 Author ID:37811 Share Posted December 4, 2008 on reboot, AVG just found a Trojan. Not sure if this is anything you didn't expect, just thought it might be handy to know. Path is belowC:\ System Volume Info\_restore{0887183D-FDEF-4FEE-A552-62C0B1FA5BE6}-\RP149\A0054699.sysC:\ System Volume Info\_restore{0887183D-FDEF-4FEE-A552-62C0B1FA5BE6}-\RP149\A00547000.dll Link to post Share on other sites More sharing options...
Shane Posted December 4, 2008 Author ID:37891 Share Posted December 4, 2008 PLease advise status, still pulling Trojan virus and still unable to connect to the internet on main pc. Link to post Share on other sites More sharing options...
Recommended Posts