Tech Support Guy

Status: Not open for further replies.

#1 · Discussion Starter · Registered · 5 Posts
Hi there everyone, I have had real problems recently with cliccker.cn taking over my browser. It redirects to various search sites in Opera and IE.

I am using XP on a Samsung NC10 with 1 GB RAM.

Also, I have tried Malwarebytes, Spybot and AVG; it gets removed but returns after a reboot, which is very annoying.

It has sometimes totally stopped my internet access.

Finally, I sometimes get a system warning from Windows NT about services.exe; it says that your system will be shut down, then it counts down and shuts down.

I will be posting the DDS log and attaching the attach.zip and ark.txt as advised in the next post.

I really hope someone can help, as this rootkit is causing mayhem by removing my system restore points and disabling my AVG and ZoneAlarm; it also stops me downloading programs.

Hope you can help... thanks in advance

Cheers
Sam
 

#2 · Discussion Starter · Registered · 5 Posts
DDS (Ver_09-07-30.01) - NTFSx86
Run by samad at 22:10:37.81 on 25/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.291 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\windows\system32\svchost -k rpcss
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost -k DcomLaunch
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\windows\system32\svchost.exe -k WudfServiceGroup
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\FreeOTFE\FreeOTFE.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\windows\System32\svchost.exe -k HTTPFilter
svchost.exe C:\windows\TEMP\VRT2.tmp
C:\Program Files\Opera\opera.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
svchost.exe C:\windows\TEMP\VRT27.tmp
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\system32\rundll32.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\samad\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = hxxp://www.google.co.uk
uStart Page = hxxp://www.google.co.uk
uSearch Page = hxxp://www.google.co.uk
uSearch Bar = hxxp://www.google.co.uk
uDefault_Search_URL = hxxp://www.google.co.uk
uDefault_Page_URL = hxxp://www.google.co.uk
mDefault_Page_URL = hxxp://www.google.co.uk
mDefault_Search_URL = hxxp://www.google.co.uk
mSearch Page = hxxp://www.google.co.uk
mLocal Page = hxxp://www.google.co.uk
mStart Page = hxxp://www.google.co.uk
mSearch Bar = hxxp://www.google.co.uk
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.co.uk
mSearchAssistant = hxxp://www.google.co.uk
mCustomizeSearch = hxxp://www.google.co.uk
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SkinClock] c:\program files\free desktop clock\DesktopClock.exe
mRun: [services] c:\windows\services.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
dRun: [reader_s] c:\documents and settings\samad\reader_s.exe
dRun: [samad] c:\documents and settings\samad\samad.exe /i
uExplorerRun: [Task Manager] c:\windows\system32\taskmgr.exe
uExplorerRun: [FreeITFE] c:\program files\freeotfe\FreeOTFE.exe
uExplorerRun: [Netmeter] c:\program files\netmeter\NetMeter.exe
uExplorerRun: [Everything] c:\program files\everything\Everything.exe
uExplorerRun: [Zonealarm] c:\program files\zone labs\zonealarm\zlclient.exe
uExplorerRun: [EDM] c:\program files\samsung\easy display manager\dmhkcore.exe
uExplorerRun: [SBM] c:\program files\samsung\samsung battery manager\BatteryManager.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\samad\applic~1\mozilla\firefox\profiles\x7hofwl8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\documents and settings\samad\application data\mozilla\firefox\profiles\x7hofwl8.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\samad\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\nporbit.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-10 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-5 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-5 108552]
R1 FreeOTFE;FreeOTFE;c:\windows\system32\FreeOTFE.sys [2009-8-2 31856]
R1 FreeOTFECypherAES_ltc;FreeOTFECypherAES_ltc;c:\windows\system32\FreeOTFECypherAES_ltc.sys [2009-8-2 47600]
R1 FreeOTFECypherBlowfish;FreeOTFECypherBlowfish;c:\windows\system32\FreeOTFECypherBlowfish.sys [2009-8-2 25200]
R1 FreeOTFECypherCAST5;FreeOTFECypherCAST5;c:\windows\system32\FreeOTFECypherCAST5.sys [2009-8-2 31088]
R1 FreeOTFECypherCAST6_Gladman;FreeOTFECypherCAST6_Gladman;c:\windows\system32\FreeOTFECypherCAST6_Gladman.sys [2009-8-2 30576]
R1 FreeOTFECypherDES;FreeOTFECypherDES;c:\windows\system32\FreeOTFECypherDES.sys [2009-8-2 56816]
R1 FreeOTFECypherMARS_Gladman;FreeOTFECypherMARS_Gladman;c:\windows\system32\FreeOTFECypherMARS_Gladman.sys [2009-8-2 24944]
R1 FreeOTFECypherRC6_ltc;FreeOTFECypherRC6_ltc;c:\windows\system32\FreeOTFECypherRC6_ltc.sys [2009-8-2 26480]
R1 FreeOTFECypherSerpent_Gladman;FreeOTFECypherSerpent_Gladman;c:\windows\system32\FreeOTFECypherSerpent_Gladman.sys [2009-8-2 28528]
R1 FreeOTFECypherTwofish_ltc;FreeOTFECypherTwofish_ltc;c:\windows\system32\FreeOTFECypherTwofish_ltc.sys [2009-8-2 32112]
R1 FreeOTFEHashMD;FreeOTFEHashMD;c:\windows\system32\FreeOTFEHashMD.sys [2009-8-2 16752]
R1 FreeOTFEHashRIPEMD;FreeOTFEHashRIPEMD;c:\windows\system32\FreeOTFEHashRIPEMD.sys [2009-8-2 31856]
R1 FreeOTFEHashSHA;FreeOTFEHashSHA;c:\windows\system32\FreeOTFEHashSHA.sys [2009-8-2 26096]
R1 FreeOTFEHashTiger;FreeOTFEHashTiger;c:\windows\system32\FreeOTFEHashTiger.sys [2009-8-2 21872]
R1 FreeOTFEHashWhirlpool;FreeOTFEHashWhirlpool;c:\windows\system32\FreeOTFEHashWhirlpool.sys [2009-8-2 30448]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2008-12-2 93544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-25 353672]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-5 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-5 297752]
R2 CGVPNCliSrvc;CyberGhost VPN Client;c:\program files\s.a.d\cyberghost vpn\CGVPNCliService.exe [2009-7-30 1961472]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-11-27 4300]
R2 FreeProxy;Free Proxy Service;c:\program files\hand-crafted software\freeproxy\freeproxy.exe -{beginfreeproxyservice} -c"c:\program files\hand-crafted software\freeproxy\default.cfg" --> c:\program files\hand-crafted software\freeproxy\freeproxy.exe -{beginfreeproxyservice} -cc:\program files\hand-crafted software\freeproxy\Default.cfg [?]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-6-15 331312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32mpcoinst,serviceStartProc --> RUNDLL32.EXE ykx32mpcoinst,serviceStartProc [?]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-14 30208]
R3 ntkvpn;Loki VPN Driver Service;c:\windows\system32\drivers\ntkvpn.sys [2009-7-31 22016]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-30 28592]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2008-11-27 238464]
R4 nltdi;nltdi;\??\c:\windows\system32\drivers\nltdi.sys --> c:\windows\system32\drivers\nltdi.sys [?]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-5 27784]
S3 ADDMEM;ADDMEM;\??\c:\docume~1\samad\locals~1\temp\__samsung_update\addmem.sys --> c:\docume~1\samad\locals~1\temp\__samsung_update\ADDMEM.SYS [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest corporate + ultimate edition\kerneld.wnt [2008-11-27 22640]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-7-22 57640]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2008-12-9 32512]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-10-30 19840]

=============== Created Last 30 ================

2009-08-25 21:55 1 a------- c:\windows\system32\2A.tmp
2009-08-25 21:55 73,728 a------- c:\windows\system32\29.tmp
2009-08-25 21:55 96 a------- c:\windows\system32\28.tmp
2009-08-25 21:46 1 a------- c:\windows\system32\14.tmp
2009-08-25 21:45 73,728 a------- c:\windows\system32\F.tmp
2009-08-25 21:45 96 a------- c:\windows\system32\E.tmp
2009-08-25 21:42 1 a------- c:\windows\system32\D.tmp
2009-08-25 21:42 73,728 a------- c:\windows\system32\C.tmp
2009-08-25 21:42 96 a------- c:\windows\system32\8.tmp
2009-08-25 21:23 1 a------- c:\windows\system32\95.tmp
2009-08-25 21:23 73,728 a------- c:\windows\system32\94.tmp
2009-08-25 21:23 96 a------- c:\windows\system32\93.tmp
2009-08-25 11:05 39,936 a------- c:\windows\system32\B.tmp
2009-08-25 11:05 39,424 a------- c:\windows\system32\A.tmp
2009-08-25 11:05 19,456 a------- c:\windows\system32\9.tmp
2009-08-25 11:05 188 a------- c:\windows\system32\4.tmp
2009-08-25 10:59 103,936 a------- c:\windows\services.exe
2009-08-25 10:58 39,936 a------- c:\windows\system32\7.tmp
2009-08-25 10:58 39,424 a------- c:\windows\system32\6.tmp
2009-08-25 10:58 19,456 a------- c:\windows\system32\5.tmp
2009-08-25 10:58 188 a------- c:\windows\system32\3.tmp
2009-08-25 10:56 --d----- c:\program files\NetLimiter 2 Monitor
2009-08-25 10:35 39,936 a------- c:\windows\system32\DF.tmp
2009-08-25 10:35 39,424 a------- c:\windows\system32\DE.tmp
2009-08-25 10:35 19,456 a------- c:\windows\system32\DD.tmp
2009-08-25 10:35 188 a------- c:\windows\system32\D7.tmp
2009-08-25 09:17 40,960 a------- c:\windows\system32\13.tmp
2009-08-25 09:17 39,424 a------- c:\windows\system32\12.tmp
2009-08-25 09:11 286,720 a------- c:\windows\system32\qtwm.exe
2009-08-25 08:28 40,960 a------- c:\windows\system32\4C.tmp
2009-08-25 08:28 39,424 a------- c:\windows\system32\4B.tmp
2009-08-25 08:28 19,456 a------- c:\windows\system32\4A.tmp
2009-08-25 08:28 188 a------- c:\windows\system32\48.tmp
2009-08-25 08:03 --d----- c:\docume~1\samad\applic~1\Malwarebytes
2009-08-25 08:03 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 08:03 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-25 07:09 --d----- c:\program files\Trend Micro
2009-08-25 07:00 40,960 a------- c:\windows\system32\11.tmp
2009-08-25 06:59 0 a------- c:\windows\system32\10.tmp
2009-08-25 03:12 --d----- c:\docume~1\samad\applic~1\Locktime
2009-08-25 03:08 --d----- c:\program files\AnalogX
2009-08-25 03:03 --d----- c:\docume~1\alluse~1\applic~1\Locktime
2009-08-24 22:34 41,515 ----h--- c:\documents and settings\samad\samad.exe
2009-08-24 10:24 --d----- c:\program files\Broderbund
2009-08-24 10:24 --d----- c:\docume~1\alluse~1\applic~1\Broderbund
2009-08-24 10:24 294,912 a------- c:\windows\TLCUninstall.exe
2009-08-24 10:23 327,168 a------- c:\windows\IsUninst.exe
2009-08-24 10:23 0 a------- c:\windows\SETUP32.INI
2009-08-24 07:38 208 ---sh--- c:\windows\WSYS049.SYS
2009-08-24 07:38 82 ----h--- c:\windows\trfntw32.cfg
2009-08-24 07:37 831,776 a------- c:\windows\system32\wodFtpDLX.dll
2009-08-24 07:37 274,976 a------- c:\windows\system32\XceedFtp.dll
2009-08-24 07:36 --d----- c:\program files\CoffeeCup Software
2009-08-24 07:33 130,560 a------- c:\windows\SC.INS
2009-08-24 07:33 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-08-24 07:33 19 a------- c:\windows\rrver.ini
2009-08-24 07:32 --d----- c:\program files\RocketReaderV810
2009-08-23 01:24 --d----- c:\program files\iPod
2009-08-23 01:23 --d----- c:\program files\iTunes
2009-08-23 00:47 --d----- c:\documents and settings\samad\fontconfig
2009-08-18 23:40 --d----- c:\program files\Free Desktop Clock
2009-08-17 21:20 --d----- c:\program files\BBC iPlayer Desktop
2009-08-16 23:04 --d----- c:\program files\Pure Motion
2009-08-16 23:04 --d----- c:\program files\Sonic Foundry
2009-08-16 23:04 --d----- c:\program files\DebugMode
2009-08-16 22:53 --d----- C:\downloads
2009-08-15 22:24 --d-h--- C:\$AVG8.VAULT$
2009-08-13 21:44 107,864 a------- c:\windows\system32\tsccvid.dll
2009-08-13 21:44 --d----- c:\windows\system32\QuickTime
2009-08-13 21:44 --d----- c:\program files\common files\TechSmith Shared
2009-08-13 21:25 --d----- c:\program files\Free Screen Recorder
2009-08-10 14:12 --d----- c:\documents and settings\all users\get_iplayer
2009-08-07 20:37 --d----- c:\program files\Microsoft Bootvis
2009-08-05 23:56 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-05 23:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 23:56 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 23:55 --d----- c:\windows\system32\drivers\Avg
2009-08-05 23:54 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-05 13:33 --d----- c:\docume~1\samad\applic~1\AVG8
2009-08-03 19:14 --d----- c:\docume~1\samad\applic~1\GetRightToGo
2009-08-03 11:19 --d----- C:\My Web Sites
2009-08-03 10:56 --d----- c:\program files\WinHTTrack
2009-08-03 06:17 --d----- c:\documents and settings\samad\Xinorbis
2009-08-03 06:17 --d----- c:\program files\freshney.org
2009-08-03 06:00 --d----- c:\program files\Unlocker
2009-08-03 02:50 --d----- c:\program files\Everything
2009-08-03 01:13 --d----- C:\Hotspot Shield
2009-08-02 22:53 --d----- c:\docume~1\samad\applic~1\Copernic
2009-08-02 08:04 --d----- c:\program files\FreeOTFE Explorer
2009-08-02 08:03 30,448 a------- c:\windows\system32\FreeOTFEHashWhirlpool.sys
2009-08-02 08:02 --d----- c:\program files\FreeOTFE
2009-07-31 02:55 --d----- c:\docume~1\samad\applic~1\WNR
2009-07-31 02:55 --d----- c:\program files\Proxy Switcher Standard
2009-07-31 02:35 0 a------- c:\windows\system32\cd.dat
2009-07-31 02:34 --d----- c:\program files\Hotspot Shield
2009-07-31 00:44 32 a------- c:\windows\go
2009-07-31 00:44 --d----- c:\windows\vf_hip
2009-07-31 00:44 --d----- c:\program files\Hide IP Platinum
2009-07-31 00:23 176,128 a------- c:\windows\system32\FreeProxyDLL392.dll
2009-07-31 00:23 --d----- c:\program files\Hand-Crafted Software
2009-07-31 00:00 22,016 a------- c:\windows\system32\drivers\ntkvpn.sys
2009-07-31 00:00 --d----- c:\program files\Loki Network
2009-07-30 23:56 28,592 a------- c:\windows\system32\drivers\tap0901.sys
2009-07-30 23:56 --d----- c:\program files\S.A.D
2009-07-29 09:45 --d----- c:\program files\i2p
2009-07-27 02:22 --d----- c:\program files\FrostWire
2009-07-27 02:01 --d----- c:\docume~1\samad\applic~1\mIRC
2009-07-27 01:00 --d----- c:\docume~1\samad\applic~1\Launchy
2009-07-27 00:51 --d----- c:\docume~1\samad\applic~1\360desktop

==================== Find3M ====================

2009-08-25 21:46 626,336 a------- c:\windows\system32\drivers\ntfs.sys
2009-08-25 06:54 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-08-24 07:38 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-08-24 07:33 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-08-23 03:18 499,712 a------- c:\windows\system32\msvcp71.dll
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-02 07:59 2,908 a------- c:\program files\aaw7boot.log
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-02 03:34 33,840 a------- c:\windows\system32\drivers\HssDrv.sys
2009-06-25 09:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 09:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 09:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 09:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 09:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 09:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 13:31 96,768 a------- c:\windows\system32\telnet.exe
2009-06-10 15:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 07:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 13:00 87 a------- c:\program files\setup.log
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-01 22:47 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-14 17:15 328 -----r-- c:\program files\Marvell0.log
2009-02-10 22:50 74 a------- c:\program files\CMLoader.log
2007-05-09 18:06 40,244 a------- c:\docume~1\samad\applic~1\mdb.bin
2002-07-31 19:55 208 ---sh--- c:\windows\WSYS049.SYS

============= FINISH: 22:17:33.85 ===============
 

#5 · Discussion Starter · Registered · 5 Posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:00:12, on 26/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
C:\windows\services.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\FreeOTFE\FreeOTFE.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Free Desktop Clock\DesktopClock.exe
C:\windows\system32\svchost.exe
C:\windows\system32\RUNDLL32.EXE
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\uTorrent\uTorrent.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.co.uk
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\windows\system32\sdra64.exe,
O4 - HKLM\..\Run: [services] C:\windows\services.exe
O4 - HKLM\..\Run: [Regedit32] C:\windows\system32\regedit.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SkinClock] C:\Program Files\Free Desktop Clock\DesktopClock.exe
O4 - HKCU\..\Policies\Explorer\Run: [Task Manager] C:\WINDOWS\system32\taskmgr.exe
O4 - HKCU\..\Policies\Explorer\Run: [FreeITFE] C:\Program Files\FreeOTFE\FreeOTFE.exe
O4 - HKCU\..\Policies\Explorer\Run: [Netmeter] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Policies\Explorer\Run: [Everything] C:\Program Files\Everything\Everything.exe
O4 - HKCU\..\Policies\Explorer\Run: [Zonealarm] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Policies\Explorer\Run: [EDM] C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
O4 - HKCU\..\Policies\Explorer\Run: [SBM] C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\samad\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\samad\reader_s.exe (User 'Default user')
O20 - Winlogon Notify: avgrsstarter - C:\windows\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CyberGhost VPN Client (CGVPNCliSrvc) - mobile concepts GmbH - C:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exe
O23 - Service: Free Proxy Service (FreeProxy) - Unknown owner - C:\Program Files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 8001 bytes
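Added example (an editor's note, not one of the posts in this thread and not output of DDS, HijackThis or ComboFix): a small Python triage script that applies, over the two logs above, the checks a helper runs by eye. The sample lines are copied from the posted logs; the heuristics, thresholds, regular expressions and function names (`triage`, `repeated_sizes`, `check_userinit`, `check_path`) are this example's own choices, not any tool's. It flags the second entry appended to Userinit, the services.exe living in C:\windows rather than System32, the svchost.exe launched with a .tmp from C:\windows\TEMP, executables sitting directly in the user's profile root, the same autorun name (reader_s) registered from two different paths, and the same-size .tmp files dropped into System32 in repeated bursts.

```python
import re
from collections import defaultdict

# Constructed sample: autorun and process lines copied from the DDS / HijackThis logs
# posted in this thread (a slice, not a full log).
SAMPLE_AUTORUNS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [services] c:\windows\services.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
dRun: [reader_s] c:\documents and settings\samad\reader_s.exe
dRun: [samad] c:\documents and settings\samad\samad.exe /i
svchost.exe C:\windows\TEMP\VRT2.tmp
C:\windows\System32\svchost.exe -k netsvcs
"""

# Constructed sample: a slice of the "Created Last 30" section of the posted DDS log.
SAMPLE_CREATED = r"""
2009-08-25 21:55 73,728 a------- c:\windows\system32\29.tmp
2009-08-25 21:55 96 a------- c:\windows\system32\28.tmp
2009-08-25 21:45 73,728 a------- c:\windows\system32\F.tmp
2009-08-25 21:45 96 a------- c:\windows\system32\E.tmp
2009-08-25 21:42 73,728 a------- c:\windows\system32\C.tmp
2009-08-25 21:42 96 a------- c:\windows\system32\8.tmp
2009-08-25 10:59 103,936 a------- c:\windows\services.exe
2009-08-24 22:34 41,515 ----h--- c:\documents and settings\samad\samad.exe
"""

# Drive-letter path up to a common executable/loader extension (copes with spaces in paths).
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|scr|tmp|sys)\b", re.IGNORECASE)
# DDS "Created Last 30" file entry: date time size attrs path (directory entries carry no size).
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+([\d,]+)\s+\S+\s+(.+)$")
# DDS uRun/mRun/dRun/uExplorerRun lines and HijackThis O4 lines are logon autoruns.
AUTORUN_RE = re.compile(r"^(?:[umd](?:Explorer)?Run:|O4 - )")
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$", re.IGNORECASE)
# Core binaries that live only in %SystemRoot%\system32 on Windows XP.
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "svchost.exe"}
# Built-in admin tools that malware sometimes registers under Run to look legitimate.
ADMIN_TOOLS = {"regedit.exe", "taskmgr.exe", "cmd.exe"}

def check_userinit(value):
    """Userinit must hold exactly one entry, userinit.exe; anything else runs at every logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]

def check_path(path, in_autorun):
    """Return the reasons a single executable path looks suspicious (empty list if none)."""
    low = path.lower()
    directory, _, name = low.rpartition("\\")
    reasons = []
    if name in SYSTEM32_ONLY and not directory.endswith("\\windows\\system32"):
        reasons.append("system binary name outside System32")
    if "\\temp\\" in low or low.endswith(".tmp"):
        reasons.append("executes from a temp location")
    if PROFILE_ROOT_RE.match(low):
        reasons.append("executable directly in a user profile root")
    if in_autorun and name in ADMIN_TOOLS:
        reasons.append("autorun launches a built-in admin tool; confirm it was set deliberately")
    return reasons

def triage(text):
    """Scan autorun/process log lines and return (reason, evidence) findings."""
    findings = []
    autorun_paths = defaultdict(set)  # autorun name -> every path registered under that name
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.search(r"userinit\s*=\s*(.+)$", line, re.IGNORECASE)
        if m:
            findings += [("extra Userinit entry", e) for e in check_userinit(m.group(1))]
            continue
        in_autorun = bool(AUTORUN_RE.match(line))
        paths = PATH_RE.findall(line)
        tag = re.search(r"\[([^\]]+)\]", line) if in_autorun else None
        if tag and paths:
            autorun_paths[tag.group(1).lower()].add(paths[0].lower())
        for path in paths:
            findings += [(reason, path) for reason in check_path(path, in_autorun)]
    # One autorun name pointing at different files under different hives: a dropper planting copies.
    for tag, paths in autorun_paths.items():
        if len(paths) > 1:
            findings.append(("same autorun name registered from several paths",
                             tag + ": " + " | ".join(sorted(paths))))
    return findings

def repeated_sizes(text, min_repeats=3):
    """Group created files by byte size; one size recurring under random names is a re-dropped payload."""
    by_size = defaultdict(list)
    for raw in text.splitlines():
        m = CREATED_RE.match(raw.strip())
        if m:
            by_size[int(m.group(2).replace(",", ""))].append(m.group(3))
    return {size: names for size, names in by_size.items() if len(names) >= min_repeats}

if __name__ == "__main__":
    print(*triage(SAMPLE_AUTORUNS), *repeated_sizes(SAMPLE_CREATED).items(), sep="\n")
```

Run it as a script to print the findings, or feed `triage()` a whole Pseudo HJT Report or HijackThis log and `repeated_sizes()` the Created Last 30 section. The rules are heuristics: a hit means "look at this file", not "this is malware", and a clean result does not clear a machine whose on-access scanner was already disabled, as the DDS header above reports.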
 

Retired Moderator · 72,109 Posts
Download ComboFix from one of these locations:

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 