• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
Cachinbon

IE redirected - please help

8 posts in this topic

IE history shows sites I've never been to & when I do a google search I get redirected to other search engines

what can I do

-

-

-

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:23:22 PM, on 11/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

D:\New Programs\Ashampoo Magical Defrag 2\bin\aDefragService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\AVG\AVG9\avgam.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

D:\New Programs\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

D:\New Programs\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Folder Lock\Zone Alarm\zlclient.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

D:\New Programs\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Private Folder 1.0\ShellHelper.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [DefragTaskBar] "D:\New Programs\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"

O4 - HKLM\..\Run: [LogonStudio] "D:\New Programs\BootSkin\LogonStudio\logonstudio.exe" /RANDOM

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Folder Lock\Zone Alarm\zlclient.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\New Programs\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: pxod13 - C:\WINDOWS\SYSTEM32\pxod13.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ashampoo Defrag Service (AshampooDefragService) - - D:\New Programs\Ashampoo Magical Defrag 2\bin\aDefragService.exe

O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - D:\New Programs\MAGIX\Common\Database\bin\fbserver.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - D:\New Programs\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 10527 bytes

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

 

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hi,

I'm nasdaq and will be helping you.

 

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:

  • Run Spybot-S&D
  • Go to the Mode menu , and make sure "Advanced Mode " is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer " and OK any prompts
  • Restart your computer.

When everything is done and your log is clean again, you can enable it again.

If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

 

Please don't forget this step to disable TeaTimer.

 

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

O20 - Winlogon Notify: pxod13 - C:\WINDOWS\SYSTEM32\pxod13.dll

 

Click on Fix Checked when finished and exit HijackThis.

 

Delete this file in bold.

C:\WINDOWS\SYSTEM32\pxod13.dll

 

Restart the computer normally.

===

 

We Need to check for Rootkits with RootRepeal

  1. Download RootRepeal from the following location and save it to your desktop.

[*]Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

[*]Rar Mirrors - Only if you know what a RAR is and can extract it.

[*]Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).

[*]Open rootRepealDesktopIcon.png on your desktop.

[*]Click the reportTab.png tab.

[*]Click the btnScan.png button.

[*]Check all seven boxes: checkBoxes2.png

[*]Push Ok

[*]Check the box for your main system drive (Usually C:), and press Ok.

[*]Allow RootRepeal to run a scan of your system. This may take some time.

[*]Once the scan completes, push the saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

 

Include a fresh HijackThis log for my review.

Share this post


Link to post
Share on other sites

Hello nasdaq! Thank you in advance for your help. I did all the steps you asked me to do and this is what I got

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/12/05 09:40

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA8531000 Size: 49152 File Visible: No Signed: -

Status: -

 

Name: srescan.sys

Image Path: srescan.sys

Address: 0xBA5C5000 Size: 81920 File Visible: No Signed: -

Status: -

 

Hidden/Locked Files

-------------------

Path: C:\sccfg.sys

Status: Invisible to the Windows API!

 

Path: C:\WINDOWS\Temp\4a1bce73-b9fb-4a2b-ab14-0cc0409ce234.tmp

Status: Invisible to the Windows API!

 

Path: C:\WINDOWS\Temp\011917b9-b218-47a9-828b-23ee87c03bc9.tmp

Status: Invisible to the Windows API!

 

Path: C:\Documents and Settings\Carlos\My Private Folder\PRIVATE.txt

Status: Invisible to the Windows API!

 

Path: C:\Documents and Settings\Carlos\My Private Folder\PRIVATE.txt.$e_

Status: Invisible to the Windows API!

 

Path: C:\Documents and Settings\Carlos\My Private Folder\prvflder.dat

Status: Invisible to the Windows API!

 

SSDT

-------------------

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dcfc0

 

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xabd5636a

 

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f4170

 

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dd580

 

#: 047 Function Name: NtCreateProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f1900

 

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f1b10

 

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f5b10

 

#: 056 Function Name: NtCreateWaitablePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dd670

 

#: 062 Function Name: NtDeleteFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1da210

 

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f49f0

 

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f47a0

 

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f1280

 

#: 098 Function Name: NtLoadKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f4f10

 

#: 099 Function Name: NtLoadKey2

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f4f90

 

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xabd56cd8

 

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f3180

 

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f2f40

 

#: 145 Function Name: NtQueryDirectoryFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xabd56842

 

#: 154 Function Name: NtQueryInformationProcess

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xabd531e0

 

#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f56f0

 

#: 193 Function Name: NtReplaceKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f5150

 

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dcbe0

 

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f5540

 

#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dd190

 

#: 224 Function Name: NtSetInformationFile

Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xabd57142

 

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f44e0

 

#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f2200

 

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1f2080

 

Shadow SSDT

-------------------

#: 460 Function Name: NtUserMessageCall

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dbe70

 

#: 475 Function Name: NtUserPostMessage

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dbf20

 

#: 476 Function Name: NtUserPostThreadMessage

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dbfe0

 

#: 491 Function Name: NtUserRegisterRawInputDevices

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dad60

 

#: 502 Function Name: NtUserSendInput

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xaf1dc250

 

==EOF==

 

and this is the hijackthis log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:04:18 AM, on 12/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

D:\New Programs\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Folder Lock\Zone Alarm\zlclient.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

D:\New Programs\Ashampoo Magical Defrag 2\bin\aDefragService.exe

D:\New Programs\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

D:\New Programs\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\AVG\AVG9\avgam.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [DefragTaskBar] "D:\New Programs\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"

O4 - HKLM\..\Run: [LogonStudio] "D:\New Programs\BootSkin\LogonStudio\logonstudio.exe" /RANDOM

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Folder Lock\Zone Alarm\zlclient.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\New Programs\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ashampoo Defrag Service (AshampooDefragService) - - D:\New Programs\Ashampoo Magical Defrag 2\bin\aDefragService.exe

O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - D:\New Programs\MAGIX\Common\Database\bin\fbserver.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - D:\New Programs\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 10109 bytes

Share this post


Link to post
Share on other sites

You are good to run this tool.

 

Download ComboFix from one of these locations:

 

Link 1

Link 2

 

* IMPORTANT !!! Save ComboFix.exe to your Desktop

 

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
     
  • Double click on ComboFix.exe & follow the prompts.
     
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

whatnext.png

 

Click on Yes, to continue scanning for malware.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.

 

Do not mouse click combofix's window while it's running. That may cause it to stall

 

Please let me know if the redirections are still continuing.

Share this post


Link to post
Share on other sites

Hello again nasdaq! It appears the problem has been fixed. I want to thank you and this board for all the help you provide.

this is the Combofix log...

 

---

 

ComboFix 09-12-07.01 - Carlos 12/07/2009 15:08.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3100 [GMT -8:00]

Running from: c:\documents and settings\Carlos\Desktop\ComboFix.exe

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Carlos\Application Data\.#

c:\documents and settings\Carlos\Application Data\.#\MBX@1274@383A10.###

c:\documents and settings\Carlos\Application Data\.#\MBX@1274@383A20.###

c:\documents and settings\Carlos\Application Data\.#\MBX@B68@3837B8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@B68@3837C8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@B68@3837D8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@BFC@3837D8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@BFC@3837E8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@BFC@3837F8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@C44@3837D8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@C44@3837E8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@C44@3837F8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@C48@3837B8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@C48@3837C8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@C48@3837D8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@DE8@3837B8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@DE8@3837C8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@DE8@3837D8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@E4C@3837D8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@E4C@3837E8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@E4C@3837F8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@F84@3837B8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@F84@3837C8.###

c:\documents and settings\Carlos\Application Data\.#\MBX@F84@3837D8.###

 

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected

Restored copy from - Kitty ate it :p

.

((((((((((((((((((((((((( Files Created from 2009-11-07 to 2009-12-07 )))))))))))))))))))))))))))))))

.

 

2009-11-26 19:03 . 2009-06-30 17:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2009-11-26 19:03 . 2009-11-26 19:03 -------- d-----w- c:\program files\Panda Security

2009-11-25 18:35 . 2009-11-25 18:35 -------- d-----w- c:\program files\Trend Micro

2009-11-25 03:09 . 2009-11-25 03:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-11-25 03:09 . 2009-11-25 03:11 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-24 23:55 . 2009-11-24 23:55 -------- d-----w- c:\documents and settings\Carlos\Application Data\Malwarebytes

2009-11-24 23:55 . 2009-11-24 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-11-24 04:28 . 2009-11-24 04:28 -------- d-sh--w- c:\documents and settings\Carlos\IECompatCache

2009-11-22 19:56 . 2009-11-22 19:56 -------- d-----w- c:\program files\IVT Corporation

2009-11-22 19:00 . 2009-11-22 19:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-11-22 18:55 . 2009-11-22 18:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-20 05:23 . 2009-11-12 23:41 497944 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll

2009-11-20 05:23 . 2009-11-12 23:41 3963648 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2009-11-19 07:10 . 2009-11-19 07:10 544272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-11-15 05:47 . 2009-11-15 05:47 -------- d-----w- c:\program files\iPod

2009-11-15 05:47 . 2009-11-15 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-11-15 05:40 . 2009-11-15 05:40 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-11-12 23:41 . 2009-11-12 23:40 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-07 22:53 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2009-12-05 21:30 . 2008-09-17 07:35 -------- d-----w- c:\documents and settings\Carlos\Application Data\gtk-2.0

2009-12-03 23:37 . 2009-10-26 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2009-11-22 19:55 . 2008-06-05 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Bluetooth

2009-11-15 06:37 . 2008-03-31 23:03 -------- d-----w- c:\documents and settings\Carlos\Application Data\Apple Computer

2009-11-15 05:47 . 2008-05-11 00:19 -------- d-----w- c:\program files\Common Files\Apple

2009-11-15 05:46 . 2008-12-16 06:30 -------- d-----w- c:\program files\QuickTime

2009-11-14 05:39 . 2008-05-24 00:17 145632 -c-ha-w- c:\windows\system32\mlfcache.dat

2009-11-13 23:41 . 2008-12-18 07:24 -------- d-----w- c:\documents and settings\Carlos\Application Data\ContentGuard

2009-11-13 23:39 . 2008-12-18 07:24 188501 ----a-w- c:\documents and settings\Carlos\Application Data\ContentGuard\CGGuard2.dll

2009-11-12 23:41 . 2009-10-27 00:25 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-11-04 00:29 . 2008-05-15 07:47 -------- d-----w- c:\program files\Java

2009-11-04 00:25 . 2009-11-04 00:25 152576 ----a-w- c:\documents and settings\Carlos\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-10-28 02:59 . 2009-10-28 02:59 -------- d-----w- c:\program files\BetUSPoker

2009-10-27 22:54 . 2009-10-27 00:25 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-10-27 22:54 . 2009-10-27 00:25 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-10-27 22:54 . 2009-10-27 00:25 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2009-10-27 22:54 . 2009-10-27 00:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2009-10-27 01:12 . 2009-03-05 05:42 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND

2009-10-26 23:53 . 2008-05-11 00:00 -------- d-----w- c:\program files\AVG

2009-10-25 16:51 . 2009-04-23 01:57 4821048 ----a-w- c:\windows\Internet Logs\tvDebug.Zip

2009-10-23 23:33 . 2008-12-11 07:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-20 20:01 . 2009-10-23 23:33 3767064 ----a-w- c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe

2009-10-19 22:05 . 2009-10-19 22:05 -------- d-----w- c:\program files\OEdit

2009-10-19 19:59 . 2009-10-19 20:00 2116608 ----a-w- c:\windows\Internet Logs\xDB9.tmp

2009-10-14 19:12 . 2009-10-14 16:39 -------- d-----w- c:\program files\Facial Studio v2

2009-10-14 14:37 . 2009-10-14 14:38 2107392 ----a-w- c:\windows\Internet Logs\xDB8.tmp

2009-10-12 02:11 . 2009-10-12 02:12 2077696 ----a-w- c:\windows\Internet Logs\xDB7.tmp

2009-10-11 12:17 . 2008-12-03 05:46 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-09 04:14 . 2009-01-11 04:48 -------- d-----w- c:\program files\Free Music Zilla

2009-10-09 03:06 . 2008-04-02 21:57 228424 ----a-w- c:\documents and settings\Carlos\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-09 02:24 . 2008-03-31 23:01 -------- d-----w- c:\program files\Common Files\Adobe

2009-10-05 03:05 . 2008-03-31 23:49 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-27 10:13 . 2009-09-27 10:13 784 ----a-w- c:\documents and settings\Carlos\Application Data\mpauth.dat

2009-09-24 22:51 . 2004-08-04 12:00 4399616 ----a-w- c:\windows\system32\logonuiX.exe

2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2007-07-28 1230848]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-21 213936]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]

"DefragTaskBar"="d:\new programs\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe" [2008-10-09 173408]

"LogonStudio"="d:\new programs\BootSkin\LogonStudio\logonstudio.exe" [2002-09-04 987187]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]

"ZoneAlarm Client"="c:\program files\Folder Lock\Zone Alarm\zlclient.exe" [2009-02-16 981384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-12 185896]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="d:\new programs\iTunes\iTunesHelper.exe" [2009-10-29 141600]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="c:\windows\system32\logonuiX.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-10-27 22:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-10-15 09:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 10:43 69632 -c----r- c:\windows\Alcmtr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

2007-06-01 18:21 153136 -c--a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2009-10-29 04:21 141600 ----a-w- d:\new programs\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]

2000-08-08 20:00 311350 -c--a-w- c:\program files\Microsoft Works\wkssb.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

2000-08-08 20:00 28739 -c--a-w- c:\program files\Microsoft Works\WkDetect.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2007-03-01 23:57 153136 -c--a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2008-09-18 07:55 1657376 -c--a-w- c:\windows\system32\nwiz.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 09:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2008-09-12 04:22 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]

2000-08-08 20:00 24576 -c--a-w- c:\program files\Microsoft Works\wkfud.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avg9wd"=2 (0x2)

"avg9emc"=2 (0x2)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Free Music Zilla\\FMZilla.exe"=

"c:\\Program Files\\eMusic Download Manager\\xulrunner\\xulrunner.exe"=

"d:\\New Programs\\pspvc\\PSPVC (Server).exe"=

"d:\\New Programs\\Games\\Dream Match Tennis Pro.exe"=

"d:\\New Programs\\Games\\Delta Force\\Df.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"d:\\New Programs\\iTunes\\iTunes.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"94:TCP"= 94:TCP:VRS Recording System Web Control Panel

 

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [10/26/2009 4:25 PM 161800]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/26/2009 11:03 AM 28552]

R0 Pnp680;SiI 680 ATA Controller;c:\windows\system32\drivers\PnP680.sys [3/31/2008 12:59 PM 71720]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/26/2009 4:25 PM 333192]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/26/2009 4:25 PM 360584]

R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [4/21/2006 7:22 AM 70912]

R2 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [12/27/2007 3:39 PM 51816]

R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [5/9/2009 7:52 PM 10752]

S2 pwaxkdmj;pwaxkdmj;\??\c:\windows\system32\drivers\giqpnmwqbzxlnfy.sys --> c:\windows\system32\drivers\giqpnmwqbzxlnfy.sys [?]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;d:\new programs\MAGIX\Common\Database\bin\fbserver.exe --> d:\new programs\MAGIX\Common\Database\bin\fbserver.exe [?]

S4 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/27/2009 2:54 PM 906520]

S4 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/27/2009 2:54 PM 285392]

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-07-19 01:53 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]

2007-07-28 13:53 1230848 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://mail.yahoo.com/

uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

Trusted Zone: aol.com\free

.

- - - - ORPHANS REMOVED - - - -

 

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

AddRemove-CANONBJ_Deinstall_CNMCP75.DLL - c:\windows\system32\CNMCP75.exe -PRINTERNAMECanon iP1600 -HELPERDLLc:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon iP1600 Installer\Inst2\cnmis.dll

AddRemove-Easy-WebPrint - c:\windows\IsUninst.exe -fc:\program files\Canon\Easy-WebPrint\Uninst.isu

AddRemove-RealArcade - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf

AddRemove-Super Jigsaw Desert Explorer - c:\program files\RealArcade\Installer\bin\gameinstaller.exe c:\program files\RealArcade\Installer\installerMain.clf

 

 

 

**************************************************************************

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files:

 

**************************************************************************

.

Completion time: 2009-12-07 15:32

ComboFix-quarantined-files.txt 2009-12-07 23:31

 

Pre-Run: 285,365,944,320 bytes free

Post-Run: 287,402,582,016 bytes free

 

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 1CF1EA37F9481569890957111EBD3F80

 

---

 

and this is the HijackThis log...

 

---

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:52:08 PM, on 12/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

D:\New Programs\Ashampoo Magical Defrag 2\bin\aDefragService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

D:\New Programs\Ashampoo Magical Defrag 2\bin\defragActivityMonitor.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\AVG\AVG9\avgam.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

D:\New Programs\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Folder Lock\Zone Alarm\zlclient.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

D:\New Programs\iTunes\iTunesHelper.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [DefragTaskBar] "D:\New Programs\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe"

O4 - HKLM\..\Run: [LogonStudio] "D:\New Programs\BootSkin\LogonStudio\logonstudio.exe" /RANDOM

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [intelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Folder Lock\Zone Alarm\zlclient.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\New Programs\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ashampoo Defrag Service (AshampooDefragService) - - D:\New Programs\Ashampoo Magical Defrag 2\bin\aDefragService.exe

O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - D:\New Programs\MAGIX\Common\Database\bin\fbserver.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - D:\New Programs\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

--

End of file - 9877 bytes

Share this post


Link to post
Share on other sites

Glad we could help.

 

Please read this Prevention page with lots of info and tips how to prevent this in the future.

How did I get infected in the first place?

http://spywareinfoforum.com/index.php?showtopic=60955

 

Time for some housekeeping


  • The following will implement some cleanup procedures as well as reset System Restore points:
     
    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
     
    ComboFix /Uninstall

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0