Solved Malware infection - please help!


alchemist

Hi there,

I recently managed to acquire some kind of malware infection on my girlfriend's computer...

It came up originally as "Antimalware Doctor" and "XP defender". I tried to follow some online instructions for removal, using MBAM, but this closed as soon as I pressed "OK" at the end of the scan, without letting me clean up.

The malware seemingly prevented access to safer-networking.com, making downloading spybot difficult, though I managed to get it in the end. Then it wouldn't update, and wouldn't scan without updating, so I got a friend to send the update file over. I managed to scan it, and it seemed to find a lot of stuff and clean it up.

Then I tried to install avast!, and disable the copy of McAfee obtained from University - I wanted to have more control over the settings, as the uni copy's settings were fixed. I installed avast!, but it said the trial period had ended as soon as I installed it (even though I downloaded the free one), and I couldn't register or update at all. I tried to uninstall using add/remove programs, then using Zsoft uninstaller (which was on the system already), then tried to download the uninstall file from the avast website, but the first two didn't even show avast as present on the system, and I can't access the download from the website at all...

Then I installed avira, which seems to be ok.

Then, something called "XP antimalware" appeared, and I repeated the spybot scan and avira scan, and removed the threats found, but I still seem to be having problems...

So, here are the symptoms:

Diversion of google search results.

Random opening of web pages.

System restore blocked

Microsoft office won't open

Can't download the latest IE from Microsoft; I have only got IE5 on the computer, so can't update things with it

Can't uninstall avast!

And that's all I can think of right now - I have used HijackThis and tried to remove one or two BHOs, but they persist...


Sorry for going on a bit, and thanks so much for your help!
 
Welcome to TechSpot, alchemist. I'll help with the malware.

Please ignore the Stopzilla suggestion- it is not appropriate.

Please follow these steps in our Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs in your next reply for review.

Please do not run any other cleaning or scanning programs while I am helping you, unless I instruct you to. Do not use a Registry cleaner or make any Registry changes.
 
Hi Bobbye,

Thanks very much for your help - it may take a while for me to post the logs as they are on a computer a few hundred miles away right now - will do my best to be timely though!

Thanks again!
 
Avira

Couldn't manage to run Malwarebytes' Anti-Malware. I did run Spybot, but couldn't locate the log. I've also included the HijackThis log. Hope this is OK.


Avira AntiVir Personal
Report file date: 26 April 2010 20:03

Scanning for 2042040 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YOUR-447023AE6B

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 19/04/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 01/04/2010 12:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 01/04/2010 12:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 07/03/2010 18:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 10/02/2010 23:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 06/11/2009 09:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 19/11/2009 19:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 20/01/2010 17:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 26/01/2010 16:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 05/03/2010 11:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 15/04/2010 00:41:49
VBASE006.VDF : 7.10.6.83 2048 Bytes 15/04/2010 00:41:49
VBASE007.VDF : 7.10.6.84 2048 Bytes 15/04/2010 00:41:49
VBASE008.VDF : 7.10.6.85 2048 Bytes 15/04/2010 00:41:49
VBASE009.VDF : 7.10.6.86 2048 Bytes 15/04/2010 00:41:49
VBASE010.VDF : 7.10.6.87 2048 Bytes 15/04/2010 00:41:49
VBASE011.VDF : 7.10.6.88 2048 Bytes 15/04/2010 00:41:50
VBASE012.VDF : 7.10.6.89 2048 Bytes 15/04/2010 00:41:50
VBASE013.VDF : 7.10.6.90 2048 Bytes 15/04/2010 00:41:50
VBASE014.VDF : 7.10.6.123 126464 Bytes 19/04/2010 00:41:50
VBASE015.VDF : 7.10.6.152 123392 Bytes 21/04/2010 00:41:51
VBASE016.VDF : 7.10.6.178 122880 Bytes 22/04/2010 00:41:51
VBASE017.VDF : 7.10.6.179 2048 Bytes 22/04/2010 00:41:51
VBASE018.VDF : 7.10.6.180 2048 Bytes 22/04/2010 00:41:51
VBASE019.VDF : 7.10.6.181 2048 Bytes 22/04/2010 00:41:51
VBASE020.VDF : 7.10.6.182 2048 Bytes 22/04/2010 00:41:51
VBASE021.VDF : 7.10.6.183 2048 Bytes 22/04/2010 00:41:51
VBASE022.VDF : 7.10.6.184 2048 Bytes 22/04/2010 00:41:51
VBASE023.VDF : 7.10.6.185 2048 Bytes 22/04/2010 00:41:52
VBASE024.VDF : 7.10.6.186 2048 Bytes 22/04/2010 00:41:52
VBASE025.VDF : 7.10.6.187 2048 Bytes 22/04/2010 00:41:52
VBASE026.VDF : 7.10.6.188 2048 Bytes 22/04/2010 00:41:52
VBASE027.VDF : 7.10.6.189 2048 Bytes 22/04/2010 00:41:52
VBASE028.VDF : 7.10.6.190 2048 Bytes 22/04/2010 00:41:52
VBASE029.VDF : 7.10.6.191 2048 Bytes 22/04/2010 00:41:52
VBASE030.VDF : 7.10.6.192 2048 Bytes 22/04/2010 00:41:52
VBASE031.VDF : 7.10.6.203 120320 Bytes 26/04/2010 15:23:02
Engineversion : 8.2.1.224
AEVDF.DLL : 8.1.2.0 106868 Bytes 25/04/2010 00:41:58
AESCRIPT.DLL : 8.1.3.27 1294714 Bytes 25/04/2010 00:41:58
AESCN.DLL : 8.1.5.0 127347 Bytes 25/02/2010 18:38:41
AESBX.DLL : 8.1.3.1 254324 Bytes 25/04/2010 00:41:58
AERDL.DLL : 8.1.4.6 541043 Bytes 25/04/2010 00:41:57
AEPACK.DLL : 8.2.1.1 426358 Bytes 19/03/2010 12:34:51
AEOFFICE.DLL : 8.1.0.41 201083 Bytes 17/03/2010 11:09:46
AEHEUR.DLL : 8.1.1.24 2613623 Bytes 25/04/2010 00:41:56
AEHELP.DLL : 8.1.11.3 242039 Bytes 01/04/2010 16:05:25
AEGEN.DLL : 8.1.3.7 373106 Bytes 25/04/2010 00:41:54
AEEMU.DLL : 8.1.2.0 393588 Bytes 25/04/2010 00:41:53
AECORE.DLL : 8.1.13.1 188790 Bytes 01/04/2010 16:05:25
AEBB.DLL : 8.1.1.0 53618 Bytes 25/04/2010 00:41:53
AVWINLL.DLL : 10.0.0.0 19304 Bytes 14/01/2010 12:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 14/01/2010 12:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 18/02/2010 16:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 01/04/2010 12:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 01/04/2010 12:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 01/04/2010 12:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 26/01/2010 09:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 28/01/2010 12:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 16/03/2010 15:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 19/02/2010 14:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 28/01/2010 13:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 09/04/2010 14:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\PROGRAM FILES\AVIRA\ANTIVIR DESKTOP\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +PFS,

Start of the scan: 26 April 2010 20:03

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\RNG\seed
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwfilesscanned
[NOTE] The registry entry is invisible.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\type
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\start
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\errorcontrol
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\group
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\group
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\spc3m7q
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\yvnf4xy6
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mugcvmlh\mih8gj2e7
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\type
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\start
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\errorcontrol
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\spc3m7q
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\yvnf4xy6
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mugcvmlh\mih8gj2e7
[NOTE] The registry entry is invisible.

The scan of running processes will be started
Scan process 'vssvc.exe' - '39' Module(s) have been scanned
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'AVCENTER.EXE' - '59' Module(s) have been scanned
Scan process 'wlcomm.exe' - '68' Module(s) have been scanned
Scan process 'svchost.exe' - '43' Module(s) have been scanned
Scan process 'SeaPort.exe' - '43' Module(s) have been scanned
Scan process 'HPZIPM12.EXE' - '24' Module(s) have been scanned
Scan process 'naPrdMgr.exe' - '34' Module(s) have been scanned
Scan process 'soffice.bin' - '82' Module(s) have been scanned
Scan process 'vstskmgr.exe' - '47' Module(s) have been scanned
Scan process 'soffice.exe' - '20' Module(s) have been scanned
Scan process 'mcshield.exe' - '60' Module(s) have been scanned
Scan process 'ave.exe' - '48' Module(s) have been scanned
Scan process 'C&WWLAN.EXE' - '34' Module(s) have been scanned
Scan process 'FrameworkService.exe' - '69' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '19' Module(s) have been scanned
Scan process 'ALCWZRD.EXE' - '29' Module(s) have been scanned
Scan process 'jqs.exe' - '34' Module(s) have been scanned
Scan process 'APDPROXY.EXE' - '39' Module(s) have been scanned
Scan process 'AVGNT.EXE' - '50' Module(s) have been scanned
Scan process 'HPZTSB08.EXE' - '22' Module(s) have been scanned
Scan process 'MSNMSGR.EXE' - '138' Module(s) have been scanned
Scan process 'HPSYSDRV.EXE' - '18' Module(s) have been scanned
Scan process 'SSAAD.EXE' - '26' Module(s) have been scanned
Scan process 'TEATIMER.EXE' - '29' Module(s) have been scanned
Scan process 'UPDATERUI.EXE' - '35' Module(s) have been scanned
Scan process 'TBMON.EXE' - '20' Module(s) have been scanned
Scan process 'KBD.EXE' - '52' Module(s) have been scanned
Scan process 'SOUNDMAN.EXE' - '24' Module(s) have been scanned
Scan process 'SHSTAT.EXE' - '33' Module(s) have been scanned
Scan process 'IGFXPERS.EXE' - '26' Module(s) have been scanned
Scan process 'HKCMD.EXE' - '25' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'sched.exe' - '50' Module(s) have been scanned
Scan process 'spoolsv.exe' - '64' Module(s) have been scanned
Scan process 'AvastSvc.exe' - '67' Module(s) have been scanned
Scan process 'Explorer.EXE' - '104' Module(s) have been scanned
Scan process 'svchost.exe' - '43' Module(s) have been scanned
Scan process 'svchost.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '174' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'svchost.exe' - '55' Module(s) have been scanned
Scan process 'avshadow.exe' - '30' Module(s) have been scanned
Scan process 'avguard.exe' - '60' Module(s) have been scanned
Scan process 'lsass.exe' - '62' Module(s) have been scanned
Scan process 'services.exe' - '55' Module(s) have been scanned
Scan process 'winlogon.exe' - '64' Module(s) have been scanned
Scan process 'csrss.exe' - '14' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '2450' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155338-870.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155502-111.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155548-893.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-163821-856.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-163911-226.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-211321-352.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-213142-366.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-213348-240.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100425-195501-891.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
C:\WINDOWS\system32\drivers\mugcvmlh.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\WINDOWS\system32\spool\prtprocs\w32x86\00000980.tmp
[DETECTION] Is the TR/Meredrop.A.8358 Trojan
C:\WINDOWS\system32\spool\prtprocs\w32x86\000025b5.tmp
[DETECTION] Is the TR/Meredrop.A.8358 Trojan
Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:
C:\WINDOWS\system32\spool\prtprocs\w32x86\000025b5.tmp
[DETECTION] Is the TR/Meredrop.A.8358 Trojan
[NOTE] The file was moved to the quarantine directory under the name '46995e73.qua'.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00000980.tmp
[DETECTION] Is the TR/Meredrop.A.8358 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5e0e71d4.qua'.
C:\WINDOWS\system32\drivers\mugcvmlh.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '0c682149.qua'.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100425-195501-891.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
[NOTE] The file was moved to the quarantine directory under the name '6a5b6506.qua'.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-213348-240.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
[NOTE] The file was moved to the quarantine directory under the name '2fdf4838.qua'.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-213142-366.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
[NOTE] The file was moved to the quarantine directory under the name '50c47a59.qua'.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-211321-352.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
[NOTE] The file was moved to the quarantine directory under the name '1c7c5613.qua'.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-163911-226.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
[NOTE] The file was moved to the quarantine directory under the name '60641643.qua'.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-163821-856.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4d3e390e.qua'.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155548-893.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
[NOTE] The file was moved to the quarantine directory under the name '54560294.qua'.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155502-111.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
[NOTE] The file was moved to the quarantine directory under the name '380a2ea4.qua'.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\backups\backup-20100424-155338-870.dll
[DETECTION] Is the TR/Ertfor.B.30 Trojan
[NOTE] The file was moved to the quarantine directory under the name '49b31731.qua'.


End of the scan: 26 April 2010 21:42
Used time: 1:38:49 Hour(s)

The scan has been done completely.

11268 Scanned directories
676838 Files were scanned
12 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
12 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
676826 Files not concerned
15172 Archives were scanned
0 Warnings
11 Notes
575462 Objects were scanned with rootkit scan
17 Hidden objects were found
 
Hijack this

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:53:56, on 27/04/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM32\HKCMD.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\SHSTAT.EXE
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSNMSGR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRAM FILES\ADOBE\PHOTOSHOP ALBUM STARTER EDITION\3.0\APPS\APDPROXY.EXE
C:\PROGRA~1\SONY\SONICS~1\SSAAD.EXE
C:\WINDOWS\SYSTEM32\IGFXPERS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
C:\PROGRAM FILES\AVIRA\ANTIVIR DESKTOP\AVGNT.EXE
C:\PROGRAM FILES\CABLE&WIRELESS\C&W_802.11G_UTILITY\C&WWLAN.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\COMMON FILES\NETWORK ASSOCIATES\TALKBACK\TBMON.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZTSB08.EXE
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ave.exe
C:\PROGRAM FILES\OPENOFFICE.ORG 3\PROGRAM\soffice.exe
C:\PROGRAM FILES\OPENOFFICE.ORG 3\PROGRAM\soffice.bin
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\hh.exe
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
C:\WINDOWS\hh.exe
C:\Documents and Settings\HP_Owner\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
O2 - BHO: C:\WINDOWS\system32\nizv3i.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\nizv3i.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Cable & Wireless 11g Wireless USB.lnk = C:\Program Files\Cable&Wireless\C&W_802.11g_Utility\C&WWLAN.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?8f3cee86c6194798af5898b27da23199
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?8f3cee86c6194798af5898b27da23199
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0DC64E-DAAA-4C9C-8844-8A365B79F4A9}: NameServer = 93.188.162.37,93.188.166.126
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3206333-EAFE-4F0C-8581-7076D885B94A}: NameServer = 93.188.162.37,93.188.166.126
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\nizv3i.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

--
End of file - 9812 bytes
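An added triage example, not part of this thread or of HijackThis itself: a small parser that reads HijackThis lines like the ones above and flags the three things a reviewer would circle in this log, namely O17 NameServer entries pointing at public resolvers (the 93.188.x.x pair is consistent with the redirected Google results reported in the first post), O2/O22 components whose file is missing, and one CLSID registered under more than one section. The sample lines are copied from the log above; the `trusted_dns` allow-list and the flagging rules are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log in this thread,
# plus a benign O4 line for contrast.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\nizv3i.dll - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\nizv3i.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B0DC64E-DAAA-4C9C-8844-8A365B79F4A9}: NameServer = 93.188.162.37,93.188.166.126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.37,93.188.166.126
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: kjsfi8sjefiuoshiefyhiusdhfdf - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\nizv3i.dll (file missing)
"""

# "O17 - payload", "R0 - payload", etc.
LINE_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
NS_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")


def parse_hjt(text):
    """Return (section, payload) pairs for every recognised HijackThis line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_expected_dns(ip, trusted):
    """A resolver is expected if it is private/loopback (home router, ISP CPE)
    or explicitly on the allow-list; anything else deserves a look."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or ip in trusted


def triage(text, trusted_dns=()):
    """Run the review heuristics over a log; returns a list of (tag, message)."""
    findings = []
    clsid_uses = defaultdict(list)
    for section, payload in parse_hjt(text):
        for clsid in CLSID_RE.findall(payload):
            clsid_uses[clsid.upper()].append(section)
        if section == "O17":
            m = NS_RE.search(payload)
            if m:
                servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
                rogue = [s for s in servers if not is_expected_dns(s, trusted_dns)]
                if rogue:
                    findings.append(("O17", "public resolver(s) not on allow-list: " + ", ".join(rogue)))
        elif section in ("O2", "O22") and "(file missing)" in payload:
            path = payload.split(" - ")[-1].replace(" (file missing)", "")
            findings.append((section, "registered component whose file is missing: " + path))
    # The same CLSID under several sections (here BHO + SharedTaskScheduler)
    # usually means one component is being loaded by more than one hook.
    for clsid, sections in clsid_uses.items():
        if len(set(sections)) > 1:
            findings.append(("XREF", f"{clsid} registered under {sorted(set(sections))}"))
    return findings


if __name__ == "__main__":
    for tag, msg in triage(SAMPLE_LOG):
        print(f"[{tag}] {msg}")
```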
 
DDS

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Owner at 7:55:56.90 on 27/04/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1015.310 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\SHSTAT.EXE
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\MSNMSGR.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRAM FILES\ADOBE\PHOTOSHOP ALBUM STARTER EDITION\3.0\APPS\APDPROXY.EXE
C:\PROGRA~1\SONY\SONICS~1\SSAAD.EXE
C:\WINDOWS\SYSTEM32\IGFXPERS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
C:\PROGRAM FILES\AVIRA\ANTIVIR DESKTOP\AVGNT.EXE
C:\PROGRAM FILES\CABLE&WIRELESS\C&W_802.11G_UTILITY\C&WWLAN.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\COMMON FILES\NETWORK ASSOCIATES\TALKBACK\TBMON.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZTSB08.EXE
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ave.exe
C:\PROGRAM FILES\OPENOFFICE.ORG 3\PROGRAM\soffice.exe
C:\PROGRAM FILES\OPENOFFICE.ORG 3\PROGRAM\soffice.bin
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/news
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: c:\windows\system32\nizv3i.dll: {a2ba40a0-74f1-52bd-f411-00b15a2c8953} - c:\windows\system32\nizv3i.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\tbmon.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cable&~1.lnk - c:\program files\cable&wireless\c&w_802.11g_utility\C&WWLAN.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/229?8f3cee86c6194798af5898b27da23199
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-gb\msntabres.dll.mui/230?8f3cee86c6194798af5898b27da23199
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
TCP: NameServer = 93.188.162.37,93.188.166.126
TCP: {7B0DC64E-DAAA-4C9C-8844-8A365B79F4A9} = 93.188.162.37,93.188.166.126
TCP: {B3206333-EAFE-4F0C-8581-7076D885B94A} = 93.188.162.37,93.188.166.126
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\nizv3i.dll: {a2ba40a0-74f1-52bd-f411-00b15a2c8953} - c:\windows\system32\nizv3i.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\5kchrwyl.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-24 162768]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-25 11608]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-8-4 58464]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-25 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-25 267432]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-25 60936]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-8-4 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\vstskmgr.exe [2004-9-22 28672]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-8-4 108480]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
S3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\drivers\PLCND532.sys [2008-3-5 26656]
S3 Start BT in service;Start BT in service;c:\program files\ivt corporation\bluesoleil\StartSkysolSvc.exe [2007-4-21 52080]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2006-9-2 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2006-9-2 85696]
S3 ZD1211U(Cable & Wireless);Cable & Wireless 802.11g Series Wireless LAN USB(Cable & Wireless);c:\windows\system32\drivers\ZD1211U.sys [2007-12-17 259584]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [2007-12-17 19200]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
S4 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-24 64288]
S4 opxi;opxi;c:\windows\system32\drivers\pdmqf.sys [2010-4-24 54016]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2010-04-26 10:09:27 0 d-----w- c:\docume~1\hp_owner\applic~1\OpenOffice.org
2010-04-26 09:49:22 0 d-----w- c:\program files\JRE
2010-04-26 09:48:48 0 d-----w- c:\program files\OpenOffice.org 3
2010-04-25 13:52:43 0 d-----w- c:\windows\pss
2010-04-25 00:46:19 0 d-----w- c:\docume~1\hp_owner\applic~1\Avira
2010-04-25 00:39:13 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-25 00:39:13 0 d-----w- c:\program files\Avira
2010-04-25 00:39:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-24 20:46:36 0 ----a-w- C:\IE8-WindowsXP-x86-ENU.exe
2010-04-24 20:05:17 610 ----a-w- C:\unhookexec.inf
2010-04-24 19:44:35 1341 ----a-w- C:\regtools.vbs
2010-04-24 19:22:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-24 18:56:44 0 d-----w- c:\program files\CCleaner
2010-04-24 14:59:49 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-24 14:58:30 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-24 14:24:03 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-24 14:24:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-24 14:15:08 54016 ----a-w- c:\windows\system32\drivers\pdmqf.sys
2010-04-24 13:07:19 0 d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes
2010-04-24 13:07:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-24 12:51:18 161280 ----a-w- c:\windows\Jgyxub.exe
2010-04-24 12:43:34 49664 ----a-w- c:\windows\system32\pragmabbr.dll
2010-04-24 12:43:27 49664 ----a-w- c:\windows\system32\pragmaserf.dll
2010-04-24 12:43:25 0 d-----w- c:\docume~1\hp_owner\applic~1\Smart-Ads-Solutions
2010-04-24 12:43:24 0 d-----w- c:\docume~1\hp_owner\applic~1\ezLife
2010-04-24 12:43:22 0 d-----w- c:\windows\PRAGMAecrjibapuy
2010-04-24 12:42:57 48272 ----a-w- c:\windows\system32\wjcqmdkppln.exe
2010-04-24 12:42:56 823808 ----a-w- c:\windows\system32\drivers\mugcvmlh.sys
2010-04-24 12:42:53 0 d-----w- c:\program files\Smart-Ads-Solutions
2010-04-24 12:42:40 0 d-----w- c:\program files\ezLife
2010-04-24 12:42:28 161280 ----a-w- c:\windows\Jgyxua.exe
2010-04-24 12:42:12 0 d-----w- c:\docume~1\hp_owner\applic~1\D7456CDA39810E664ECE973CF6226D01
2010-04-17 17:08:28 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-15 10:58:44 384512 ----a-w- c:\windows\system32\iskwdghfkwv.dll

==================== Find3M ====================

2010-04-26 23:56:00 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-04-26 23:56:00 36352 ----a-w- c:\windows\system32\dllcache\disk.sys
2010-04-26 09:47:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-23 16:17:23 46564 ----a-w- c:\docume~1\hp_owner\applic~1\wklnhst.dat
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 08:02:04 417792 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-03-10 05:21:20 1506304 ----a-w- c:\windows\system32\dllcache\shdocvw.dll
2010-03-10 05:21:13 1023488 ----a-w- c:\windows\system32\dllcache\browseui.dll
2010-02-25 10:53:09 18432 ----a-w- c:\windows\system32\dllcache\iedw.exe
2010-02-24 12:31:30 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:19:55 2181376 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 13:17:38 2137088 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 12:39:04 2058368 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 12:39:04 2016768 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-12 04:47:05 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01:43 226880 ----a-w- c:\windows\system32\dllcache\tcpip6.sys
2006-05-21 19:12:27 22 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 7:57:37.62 ===============
 
GMER and attach

Here are the final two logs. Many thanks for your help.
 

Attachments
  • gmer.log (62 KB)
  • Attach.txt (16.3 KB)
The system has three antivirus programs running. Please remove two of them; keep only one. I am including tools to help with the uninstalls. Get only the two you're removing:
Avast Removal
McAfee Removal
To uninstall Avira:
  • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
  • Choose the Avira program.
  • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
  • Press Yes, to confirm the removal and then OK.
  • Click Next until Finish. The software is removed.

Multiple AV programs can make a system more vulnerable, not less, and they can also slow the system down.
==============================================
Additionally, there is a fake AV program running here: Malwarebytes should remove it:
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\ave.exe

And there is a Rootkit. So we start here:
======================================
Download TDSSKiller. Extract the zipped file to your desktop.

Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
Code:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • This will have the program write a detailed log
  • The screen will resemble this black screen:
[image: 2663_5.jpg]

  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • You should get a screen like this:
[image: TDSSKillerResults.jpg]

  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Follow the prompts and attach the report to your next reply.
===============================
Please download ComboFix from Here: https://www.techspot.com/downloads/5587-combofix.html and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

It's important you run only those programs I ask you to run and then only when I request them. I didn't need HJT yet, but you do need to run Malwarebytes. Please do not use any other cleaning or scanning programs while I'm helping you. Don't use a Registry cleaner or make any changes in the Registry.

This system is badly infected. It's going to take some work. All of the cleaning tools will be removed when we're through.
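As an added triage example (not code from this thread, nor from the DDS tool), the Python script below runs three checks over the kind of "Pseudo HJT Report" and "SERVICES / DRIVERS" lines shown at the top of the page, matching the points made in the reply above: more than one antivirus engine running, a BHO/STS entry that registered no friendly name (DDS prints the DLL path in its place), and hard-coded DNS resolvers that should be compared with the ones the ISP is expected to hand out. The keyword-to-product map, the "no friendly name" heuristic and the expected-resolver list are assumptions of this example; the sample log lines are copied from the log posted in the thread.

```python
"""Triage checks over DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Added example, not code from the thread or the DDS tool. AV_FAMILIES and
the heuristics below are assumptions of this example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity check detail")

# Constructed sample: lines copied from the DDS log posted in the thread.
SAMPLE_LOG = r"""
BHO: c:\windows\system32\nizv3i.dll: {a2ba40a0-74f1-52bd-f411-00b15a2c8953} - c:\windows\system32\nizv3i.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TCP: NameServer = 93.188.162.37,93.188.166.126
TCP: {7B0DC64E-DAAA-4C9C-8844-8A365B79F4A9} = 93.188.162.37,93.188.166.126
STS: c:\windows\system32\nizv3i.dll: {a2ba40a0-74f1-52bd-f411-00b15a2c8953} - c:\windows\system32\nizv3i.dll
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-25 267432]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-24 40384]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\mcshield.exe [2004-9-22 221191]
"""

# Keyword found in a service line -> antivirus product family (assumed map).
AV_FAMILIES = {
    "avira": "Avira",
    "avast": "avast!",
    "network associates": "McAfee",
    "mcafee": "McAfee",
}

# DDS line shapes: "R2 name;display;path [date size]", "BHO: desc: {clsid} - path".
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]+);(.*)$")
BHO_RE = re.compile(r"^(BHO|STS): (.*?): (\{[0-9A-Fa-f-]+\}) - (.*)$")
TB_RE = re.compile(r"^TB: (\{[0-9A-Fa-f-]+\}) - No File$")
DNS_RE = re.compile(r"^TCP: (NameServer|\{[0-9A-Fa-f-]+\}) = (.*)$")


def running_av_engines(lines):
    """Return the product families that have an R2 (running) service."""
    engines = set()
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m or m.group(1) != "R" or m.group(2) != "2":
            continue
        lowered = line.lower()
        for keyword, family in AV_FAMILIES.items():
            if keyword in lowered:
                engines.add(family)
    return engines


def triage(log_text, expected_dns=frozenset()):
    """Run the checks over a DDS log and return a list of Finding records."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings = []

    engines = running_av_engines(lines)
    if len(engines) > 1:
        findings.append(Finding("high", "multiple-av",
                                "running engines: " + ", ".join(sorted(engines))))

    for line in lines:
        m = BHO_RE.match(line)
        if m and m.group(2).lower() == m.group(4).lower():
            # DDS printed the DLL path where the friendly name belongs: no description registered.
            findings.append(Finding("high", "unnamed-" + m.group(1).lower(),
                                    m.group(4)))
            continue
        m = TB_RE.match(line)
        if m:
            # Toolbar CLSID whose DLL is gone: leftover registration to clean up.
            findings.append(Finding("low", "stale-toolbar", m.group(1)))
            continue
        m = DNS_RE.match(line)
        if m:
            scope = "global" if m.group(1) == "NameServer" else "interface"
            resolvers = [r.strip() for r in m.group(2).split(",")]
            unexpected = [r for r in resolvers if r not in expected_dns]
            if unexpected:
                # Hard-coded resolvers: verify against the ISP's, do not assume.
                findings.append(Finding("review", "dns-" + scope,
                                        ", ".join(unexpected)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

Resolvers the analyst knows to be legitimate go in expected_dns; anything else is reported for review rather than declared malicious.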
 
Hi,

Thanks very much for your reply.

I've got a couple of issues here...

Firstly, one of the problems is that we can't remove avast, though I have now downloaded the removal tool on another computer, so hopefully this will work.

Secondly, While we did run malwarebytes originally (at the advice from another site when we first noticed the problems) it will no longer run on the system. Is there a way around this - perhaps a portable version? I can't seem to find one...

Finally, when I did run malwarebytes, it went through the scan ok, but at the end it had a box with an "OK" button to say that the scan had finished, but as soon as I clicked it the program closed down, without allowing me to clean the system... Is there anything we can do about this?

Thanks again for your help!
 
Why can't you remove Avast? What happens when you try to do it? Did you boot into Safe Mode to run the tool? Try that.

For the Malwarebytes problem: Please download randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti Malware (MBAM) if you have it installed already. If it still doesn't work, uninstall the present Mbam and download, save and run it again, being sure to check the section to remove what it finds.

Once done, try running a scan again.
 
Latest logs

Thanks for your help again. I attach the logs - with a bit of work I managed to remove the redundant virus software and malwarebytes seemed to work also.
 

Attachments
  • combofixlog.txt (20.5 KB)
  • mbam-log-2010-04-28 (19-14-25).txt (8.2 KB)
  • tdss killer report.txt (47.5 KB)
Good start! Why I wanted you to run Malwarebytes:
Registry Keys Infected: 20
Registry Values Infected: 4
Registry Data Items Infected: 10
Folders Infected: 9
Files Infected: 13


Why I wanted you to run the TDSSKiller:
Driver "atapi" infected by TDSS rootkit!
===================
Now we make sure that all the bad stuff has been found and removed. Before you run the Combofix script, you must disable all of the running security, not just the AV. It means Spybot, AdAware, Avira and TeaTimer:
Ad-Aware AE Ad-Watch Live!(IF you have paid AdAware)
  • Right click on the Ad-Aware icon in the system tray.
    [image: icon_304.gif]
  • Click on Disable Ad-Watch Live!
  • (Once you are clean, you can re-enable Ad-Watch Live! by clicking on Enable Ad-Watch Live!.)
  • Right click the TeaTimer icon in the system Tray
    [image: MHoTT005.gif]
  • Then click Exit Spybot-S&D Resident
  • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe.)
================================
Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:
Code:
File::
c:\Program Files\uTorrent\uTorrent.exe
c:\Program Files\Java\jre1.6.0_03\bin\javaw.exe
c:\documents and settings\HP_Owner\Application Data\uTorrent
c:\Program Files\BitLord\BitLord.exe
Folder::
c:\program files\uTorrent
c:\Program Files\BitLord
Registry::

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach to your next reply.
You can restart the security programs when finished.
====================
Then Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I will have you remove all of the cleaning tools when we're finished. I will need a scan with HijackThis if you'd like to do that now also:

Please download HijackThis HERE.
  1. Save it to a permanent folder (such as C:\HJT).
  2. Open HijackThis, and select Do a system scan and save a logfile.
  3. A Notepad document will open. Please post the contents of that document.

Edit: Forgot to mention this: I noticed this was done 2010-04-24 19:44 C:\regtools.vbs >> It's a script download to Disable/Enable Registry Editing tools in Windows >> Did you add this? Date is shown.
 
latest logs

Attached are the latest logs. The registry change on the date you mentioned was done by me, before I got in contact with techspot. Many thanks.
 

Attachments
  • ComboFixlatest.txt (34.5 KB)
  • hijackthis.log (7.2 KB)
  • log.txt (833 bytes)
My apology for the delay.
I had BitLord removed in the script. When it was removed, it also put all the music downloads in quarantine- I should have given you the option first, whether you wanted to remove the file sharing programs and downloads.

So I'm asking you now. Open the last Combofix report and view the music that was removed. IF you want it restored, I will try to remove it from quarantine back in to your system. There is a chance that some or any of the files could contain malware and while that has been removed, it could reinfect the system. But I can't pick and choose, so it's all or nothing. Please let me know.

Sometimes, in trying to help get a system back into good shape, I make a decision on my own when I should have consulted the owner first.
 
Okay then. How is the system running? You should have picked up some speed. The original issues were:
Diversion of google search results.
Random opening of web pages.
System restore blocked.
Microsoft office won't open.
Can't Download latest IE from microsoft, have only got IE5 on computer so can't update things with it.
Can't uninstall avast!

Do any remain? Are there any new problems? IF not, the system is now clean and you can:
Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disc Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Let me know if you have any problem setting the new, clean restore point.
 
Thanks

Thanks very much for all your help - everything seems back to normal now, and I have managed to clean up the tools we used, and set a new system restore point. Thanks again!
 
You're welcome. Glad to help. Here's some tips to help keep the system clean:

Please follow these simple steps to keep your computer clean and secure:

1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get All updates marked Critical and the current SP updates: Windows XP> SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC
5. Use an AntiVirus Software (only one)
See Virus, Spyware, and Malware Protection and Removal Resources

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
Comodo or Zone Alarm
7. Consider these programs for Extra Security
  • Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts files: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar Get the free google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know.
 