Google fastclick hijack help

Orrhexis



Joined: May 04, 2009
Posts: 3



PostPosted: Mon May 04, 2009 11:12 am    Post subject: Google fastclick hijack help

Same symptoms as far as I can tell as everyone else who has this, i.e. search results seem fine, but when I click, it attempts to load fastclick sites to redirect me. If I click a few times I can access the site I'm looking for. AVG won't update, and I had problems installing SUPERAntiSpyware.

I read up on lots of help that people have received from many sites, but I'm still having some problems myself. I ran SDFix in safe mode, which cleared out what I thought were the trojans causing the problem; I've run ATF Cleaner, I've disabled my system restore, and I've switched my DNS to auto-configure. I am unable to flush DNS; I get the message "Could not flush the DNS Resolver Cache: Function failed during execution." Just looking for help with the specifics to clear out this problem. Thanks so much for any help I receive.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:29 AM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.110,85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.110,85.255.112.229
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4258 bytes
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Tue May 05, 2009 11:40 am    Post subject:

Welcome to Lockergnome.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download Malwarebytes' Anti-Malware from http://www.besttechie.net/tools/mbam-setup.exe or http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html. Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Before saving any of your security programs, rename them first. For example, before you save Malwarebytes', rename it to something like MBblah.exe and then click on Save and save it to your desktop. Same thing after you install it. Before running it, rename the main executable file first. Using the same example, Malwarebytes' should be at C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe. So rename mbam.exe to anything (like MBblah.exe) and then run it. Check for updates and run a full system scan. Remove everything it finds and post the log here.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.110,85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.110,85.255.112.229


Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
Orrhexis



Joined: May 04, 2009
Posts: 3



PostPosted: Tue May 05, 2009 7:33 pm    Post subject:

Thanks so much for your help


Malwarebytes' Anti-Malware 1.36
Database version: 2078
Windows 5.1.2600 Service Pack 3

5/5/2009 1:02:55 PM
mbam-log-2009-05-05 (13-02-55).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 113277
Time elapsed: 14 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DivxFree (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\DivxFree (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Martana!\Start Menu\Programs\DivxFree (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\DivxFree (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\DivxFree\Uninstall.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Martana!\Start Menu\Programs\DivxFree\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.






ComboFix 09-05-05.03 - Martana! 05/05/2009 18:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.249 [GMT -5:00]
Running from: c:\documents and settings\Martana!\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gxvxcdyowvogkvpkkjtxhbwbohirqxdlxmoiy.sys
c:\windows\system32\drivers\gxvxcdyymbnmpxuwyrevxtaxrxegvypavtouq.sys
c:\windows\system32\drivers\gxvxcmysrkcjsaqlppislxowquuwwcsqhvpux.sys
c:\windows\system32\drivers\gxvxcpjbefyxgmgopujgtbiqjrvymfmuodulv.sys
c:\windows\system32\gxvxcobfhdwyauvsenrbnwchrvwyispojlkxx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-05 17:20 . 2009-05-05 17:20 -------- d-----w c:\documents and settings\Martana!\Application Data\Malwarebytes
2009-05-05 17:11 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-05 17:11 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-05 17:11 . 2009-05-05 17:11 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-05 17:11 . 2009-05-05 17:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-04 14:59 . 2009-05-04 14:59 -------- d-----w c:\program files\Trend Micro
2009-05-04 13:52 . 2009-05-04 13:52 578560 -c--a-w c:\windows\system32\dllcache\user32.dll
2009-05-04 13:49 . 2009-05-04 13:49 -------- d-----w c:\windows\ERUNT
2009-05-04 13:42 . 2009-05-04 14:01 -------- d-----w C:\SDFix
2009-05-04 13:31 . 2009-05-04 13:31 -------- d-----w c:\documents and settings\Martana!\DoctorWeb
2009-05-04 12:10 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-05-04 11:54 . 2009-05-04 11:54 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-04 11:54 . 2009-05-04 11:54 -------- d-----w c:\program files\Lavasoft
2009-05-04 10:29 . 2009-05-04 12:10 -------- dc----w c:\windows\system32\DRVSTORE
2009-05-04 10:27 . 2009-05-04 11:54 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-04 09:39 . 2009-05-04 09:39 -------- d-----w c:\documents and settings\Martana!\Application Data\vlc
2009-04-30 18:11 . 2009-04-30 18:11 -------- d-----w c:\windows\Sun
2009-04-27 05:34 . 2008-03-21 18:57 14640 ------w c:\windows\system32\spmsgXP_2k3.dll
2009-04-27 05:32 . 2009-04-27 05:36 -------- d-----w c:\program files\Zune
2009-04-27 05:30 . 2008-05-02 10:49 62976 -c----w c:\windows\system32\dllcache\cdrom.sys
2009-04-27 05:30 . 2008-05-02 13:25 465920 -c----w c:\windows\system32\dllcache\imapi2fs.dll
2009-04-27 05:30 . 2008-05-02 13:25 465920 ------w c:\windows\system32\imapi2fs.dll
2009-04-27 05:30 . 2008-05-02 13:25 317952 -c----w c:\windows\system32\dllcache\imapi2.dll
2009-04-27 05:30 . 2008-05-02 13:25 317952 ------w c:\windows\system32\imapi2.dll
2009-04-27 05:23 . 2009-04-27 05:36 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-27 05:23 . 2009-04-27 05:23 -------- d-----w c:\windows\system32\LogFiles
2009-04-25 14:58 . 2009-04-25 15:01 -------- d-----w c:\documents and settings\All Users\Application Data\Soulseek
2009-04-25 14:58 . 2009-04-25 14:58 -------- d-----w c:\program files\SoulseekNS
2009-04-25 08:04 . 2009-04-25 08:04 -------- d-----w c:\program files\MSXML 6.0
2009-04-25 03:42 . 2005-09-20 14:31 135168 ----a-w c:\windows\system32\igfxres.dll
2009-04-25 00:12 . 2009-04-25 00:13 -------- d-----w c:\program files\Winamp
2009-04-25 00:12 . 2009-04-25 02:36 -------- d-----w c:\documents and settings\Martana!\Application Data\Winamp
2009-04-24 13:35 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-24 13:35 . 2008-06-24 16:43 74240 -c----w c:\windows\system32\dllcache\mscms.dll
2009-04-24 13:35 . 2009-02-03 19:59 56832 -c----w c:\windows\system32\dllcache\secur32.dll
2009-04-24 13:35 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll
2009-04-24 13:35 . 2008-12-20 22:14 1288192 -c----w c:\windows\system32\dllcache\quartz.dll
2009-04-24 13:34 . 2008-07-07 20:26 253952 -c----w c:\windows\system32\dllcache\es.dll
2009-04-24 13:34 . 2008-12-05 06:54 144896 -c----w c:\windows\system32\dllcache\schannel.dll
2009-04-24 13:24 . 2004-08-12 14:02 403 -c----w c:\windows\system32\dllcache\npdrmv2.zip
2009-04-24 13:24 . 2004-08-12 14:02 22060 -c----w c:\windows\system32\dllcache\npds.zip
2009-04-24 13:24 . 2008-04-13 17:27 79872 -c----w c:\windows\system32\dllcache\msxml6r.dll
2009-04-24 13:24 . 2008-09-10 01:14 1307648 -c----w c:\windows\system32\dllcache\msxml6.dll
2009-04-24 13:22 . 2008-04-14 00:12 294912 -c----w c:\windows\system32\dllcache\dlimport.exe
2009-04-24 13:22 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-24 13:22 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-24 13:22 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-24 13:22 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-24 13:22 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-24 13:22 . 2009-02-06 11:08 2189056 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-24 13:22 . 2009-02-06 10:32 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-24 13:22 . 2009-02-08 00:02 2066048 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-24 13:20 . 2009-02-09 11:13 1846784 -c----w c:\windows\system32\dllcache\win32k.sys
2009-04-24 04:56 . 2008-04-13 18:39 4992 ----a-w c:\windows\system32\drivers\mspqm.sys
2009-04-24 04:56 . 2008-04-13 18:39 5376 ----a-w c:\windows\system32\drivers\mspclock.sys
2009-04-24 04:56 . 2009-04-24 04:56 -------- d-----w c:\windows\VirtualEar
2009-04-24 04:56 . 2003-08-19 23:36 65536 ----a-w c:\windows\system32\Audio3d.dll
2009-04-24 04:56 . 2001-10-04 19:50 991232 ----a-w c:\windows\system32\virtear.dll
2009-04-24 04:56 . 2004-11-19 15:00 49152 ----a-w c:\windows\system32\DSndUp.exe
2009-04-24 04:56 . 2009-04-24 04:56 -------- d-----w c:\program files\Analog Devices
2009-04-24 04:56 . 2002-04-17 19:05 45056 ----a-w c:\windows\system32\CleanUp.exe
2009-04-24 04:52 . 2005-01-27 20:31 260352 ----a-w c:\windows\system32\drivers\smwdm.sys
2009-04-24 04:52 . 2004-09-17 14:02 732928 ----a-w c:\windows\system32\drivers\senfilt.sys
2009-04-24 04:52 . 2004-10-05 21:10 23040 ----a-w c:\windows\system32\PostProc.dll
2009-04-24 04:52 . 2004-09-23 12:55 311296 ----a-w c:\windows\system32\Edcrypt.dll
2009-04-24 04:52 . 2001-09-19 17:47 765952 ----a-w c:\windows\system\crlds3d.dll
2009-04-24 04:07 . 2001-08-18 03:36 65536 -c--a-w c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-04-24 04:06 . 2001-08-18 03:36 45056 -c--a-w c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-04-24 04:06 . 2001-08-18 03:36 5632 -c--a-w c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-04-24 03:57 . 2004-08-12 13:58 13312 -c--a-w c:\windows\system32\dllcache\irclass.dll
2009-04-24 03:57 . 2004-08-12 13:58 13312 ----a-w c:\windows\system32\irclass.dll
2009-04-24 03:57 . 2004-08-12 14:06 24661 -c--a-w c:\windows\system32\dllcache\spxcoins.dll
2009-04-24 03:57 . 2004-08-12 14:06 24661 ----a-w c:\windows\system32\spxcoins.dll
2009-04-24 01:16 . 2008-04-14 00:12 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-24 01:14 . 2009-04-28 06:36 -------- d-----w c:\documents and settings\Martana!\Application Data\DivX
2009-04-24 01:12 . 2009-04-24 01:12 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-24 01:12 . 2009-04-24 01:13 -------- d-----w c:\program files\DivX
2009-04-23 16:49 . 2009-05-01 20:58 -------- d-----w C:\Downloads
2009-04-23 16:49 . 2009-05-05 16:55 -------- d-----w c:\program files\BitComet
2009-04-23 16:46 . 2009-04-23 16:46 -------- d-----w c:\program files\XP Codec Pack
2009-04-23 16:34 . 2008-04-13 18:45 52864 ----a-w c:\windows\system32\drivers\dmusic.sys
2009-04-23 16:33 . 2008-04-13 18:45 6272 ----a-w c:\windows\system32\drivers\splitter.sys
2009-04-23 16:33 . 2009-04-23 16:33 -------- d-----w c:\documents and settings\Martana!\Application Data\Media Player Classic
2009-04-23 16:29 . 2009-04-23 16:29 -------- d-----w c:\program files\YouTube Downloader
2009-04-23 16:27 . 2009-04-28 03:40 -------- d-----w c:\documents and settings\Martana!\Application Data\LimeWire
2009-04-23 16:24 . 2009-03-09 10:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-23 16:23 . 2009-04-24 06:04 -------- d-----w c:\program files\Java
2009-04-23 16:23 . 2009-04-23 16:24 -------- d-----w c:\program files\LimeWire
2009-04-23 16:14 . 2009-04-23 16:14 -------- d-----w c:\program files\Media Player Classic
2009-04-23 16:14 . 2009-05-05 09:18 -------- d--h--w C:\$AVG8.VAULT$
2009-04-23 16:12 . 2009-04-23 16:12 -------- d-----w c:\program files\WinPcap
2009-04-23 16:12 . 2009-04-23 16:12 -------- d-----w c:\program files\Sector69
2009-04-23 11:15 . 2009-04-23 11:15 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-23 11:15 . 2009-04-23 11:15 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-23 11:15 . 2009-04-23 11:15 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-23 11:15 . 2009-05-05 13:08 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-23 11:15 . 2009-04-23 17:47 -------- d-----w c:\documents and settings\Martana!\Application Data\AVGTOOLBAR
2009-04-23 11:14 . 2009-04-23 11:14 -------- d-----w c:\program files\AVG
2009-04-23 03:44 . 2009-04-23 11:15 -------- d-----w c:\documents and settings\Administrator
2009-04-23 01:00 . 2001-08-17 19:00 2944 ----a-w c:\windows\system32\drivers\msmpu401.sys
2009-04-23 01:00 . 2008-04-14 00:11 4096 ----a-w c:\windows\system32\ksuser.dll
2009-04-23 00:52 . 2009-04-23 00:52 62304 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-22 23:54 . 2009-04-22 23:54 -------- d-----w c:\windows\system32\scripting
2009-04-22 23:54 . 2009-04-22 23:54 -------- d-----w c:\windows\l2schemas
2009-04-22 23:54 . 2009-04-22 23:54 -------- d-----w c:\windows\system32\en
2009-04-22 23:54 . 2009-04-22 23:54 -------- d-----w c:\windows\system32\bits
2009-04-22 23:51 . 2009-04-22 23:51 -------- d-----w c:\windows\ServicePackFiles
2009-04-22 23:45 . 2009-04-26 14:03 -------- d-----w c:\windows\EHome
2009-04-22 23:37 . 2009-04-22 23:37 -------- d-----w c:\program files\ACW
2009-04-22 23:26 . 2004-08-04 03:29 63488 ----a-w c:\windows\system32\drivers\atinxsxx.sys
2009-04-22 23:10 . 2009-04-24 15:07 13104 ----a-w c:\documents and settings\Martana!\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-22 23:07 . 2009-04-22 23:07 -------- d-s---w c:\documents and settings\Martana!\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 05:34 . 2009-04-27 05:34 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-04-27 05:34 . 2009-04-27 05:34 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-24 04:56 . 2009-04-23 10:48 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-24 04:05 . 2004-08-12 13:56 67 --sha-w c:\windows\Fonts\desktop.ini
2009-04-24 04:04 . 2009-04-22 22:22 22748 ----a-w c:\windows\system32\emptyregdb.dat
2009-04-23 10:48 . 2009-04-23 10:48 -------- d-----w c:\program files\EA Games
2009-04-23 10:48 . 2009-04-23 10:48 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-23 10:44 . 2009-04-23 10:44 -------- d-----w c:\program files\Razor
2009-04-23 00:51 . 2009-04-23 00:51 -------- d-----w c:\program files\MSBuild
2009-04-23 00:51 . 2009-04-23 00:51 -------- d-----w c:\program files\Reference Assemblies
2009-04-22 23:59 . 2009-04-22 22:24 77423 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-22 22:46 . 2009-04-22 22:46 0 ----a-w c:\windows\nsreg.dat
2009-04-22 22:26 . 2009-04-22 22:26 -------- d-----w c:\program files\microsoft frontpage
2009-04-15 20:25 . 2009-04-24 01:13 9464 ----a-w c:\windows\system32\drivers\cdralw2k.sys
2009-04-15 20:25 . 2009-04-24 01:13 9336 ----a-w c:\windows\system32\drivers\cdr4_xp.sys
2009-04-15 20:25 . 2009-04-24 01:13 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-04-15 20:25 . 2009-04-24 01:13 118520 ------w c:\windows\system32\pxinsi64.exe
2009-04-15 20:24 . 2009-04-15 20:24 90112 ----a-w c:\windows\system32\dpl100.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-04-15 20:24 . 2009-04-15 20:24 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-04-15 20:24 . 2009-04-15 20:24 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-04-15 20:24 . 2009-04-15 20:24 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-04-15 20:24 . 2009-04-15 20:24 684032 ----a-w c:\windows\system32\DivX.dll
2009-03-06 14:22 . 2004-08-12 14:03 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-08-12 14:09 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-12 13:58 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-12 13:59 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-12 14:04 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-12 14:02 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-12 13:55 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-12 14:09 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-12 14:05 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-12 14:02 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-12 14:04 35328 ----a-w c:\windows\system32\sc.exe
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-23 1932568]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-23 11:15 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13566:TCP"= 13566:TCP:BitComet 13566 TCP
"13566:UDP"= 13566:UDP:BitComet 13566 UDP
"25466:TCP"= 25466:TCP:BitComet 25466 TCP
"25466:UDP"= 25466:UDP:BitComet 25466 UDP
"8743:TCP"= 8743:TCP:BitComet 8743 TCP
"8743:UDP"= 8743:UDP:BitComet 8743 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/4/2009 7:10 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/23/2009 6:15 AM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/23/2009 6:15 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/23/2009 6:14 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/23/2009 6:14 AM 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 951632]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]
.
.
------- Supplementary Scan -------
.
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Martana!\Application Data\Mozilla\Firefox\Profiles\t3rtbg8g.default\
FF - component: c:\documents and settings\Martana!\Application Data\Mozilla\Firefox\Profiles\t3rtbg8g.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 18:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-05 18:30
ComboFix-quarantined-files.txt 2009-05-05 23:30

Pre-Run: 39,281,549,312 bytes free
Post-Run: 39,274,074,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

256 --- E O F --- 2009-04-28 08:15




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:07 PM, on 5/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbblah.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4214 bytes
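The O17 lines greyknight17 asked to have fixed are the whole story of this infection: Trojan.DNSChanger wrote static NameServer values (85.255.112.110 and 85.255.112.229) under the Tcpip\Parameters key in both ControlSet001 (CS1) and CurrentControlSet (CCS), so every lookup, including clicks on Google results, was answered by attacker-controlled resolvers regardless of what DHCP handed out. The script below is an added example, not part of the original thread or of HijackThis: it pulls the O17 entries out of a HijackThis log, flags any whose resolvers sit outside private/loopback ranges for review, shows which resolvers are replicated across control sets (so both keys get fixed), and diffs a pre-clean and post-clean log to confirm the entries are gone. The embedded logs are constructed samples: the two 85.255.112.x lines are copied from the first log above, while the per-interface line with an all-zero GUID and a 192.168.1.1 router address is made up for contrast. Only the Python standard library is used.

```python
"""Triage the O17 (DNS NameServer) lines of a HijackThis log and diff two logs.

Added example; assumes nothing beyond the Python standard library.
"""
import ipaddress
import re

# Constructed sample input. The first two O17 lines are the ones from the
# pre-clean log in this thread; the third is a made-up benign entry
# (router address under a fictitious all-zero interface GUID) for contrast.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.110,85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.110,85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Constructed post-clean sample: the two static entries are gone, the
# benign per-interface one remains.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, (server, ...)), ...] in log order."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis separates multiple resolvers with commas or spaces.
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((m.group("key"), tuple(servers)))
    return entries


def classify(addr):
    """Bucket a resolver address: private, loopback, public or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def triage(log_text):
    """Flag every O17 entry whose resolvers are not on the local network.

    A public resolver is not proof of compromise (an ISP-assigned static
    configuration looks the same), so the verdict is REVIEW, not MALICIOUS.
    """
    findings = []
    for key, servers in parse_o17(log_text):
        public = [s for s in servers if classify(s) == "public"]
        if public:
            verdict = "REVIEW"
            reason = "static resolver(s) outside private ranges: " + ", ".join(public)
        else:
            verdict = "OK"
            reason = "private/loopback resolver(s) only"
        findings.append({"key": key, "servers": servers, "verdict": verdict, "reason": reason})
    return findings


def shared_servers(log_text):
    """Map each resolver to the registry keys that reference it.

    The same servers under CS1 and CCS (ControlSet001 and CurrentControlSet)
    means both keys must be fixed, which is why both O17 lines were listed.
    """
    seen = {}
    for key, servers in parse_o17(log_text):
        for s in servers:
            seen.setdefault(s, []).append(key)
    return {s: keys for s, keys in seen.items() if len(keys) > 1}


def diff_o17(before_text, after_text):
    """Compare the O17 entries of a pre-clean and a post-clean log."""
    before = set(parse_o17(before_text))
    after = set(parse_o17(after_text))
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "remaining": sorted(after),
    }


def report(before_text, after_text):
    """Human-readable summary of triage() and diff_o17()."""
    lines = []
    for f in triage(before_text):
        lines.append(f"{f['verdict']:6} {f['key']}  {' '.join(f['servers'])}  ({f['reason']})")
    d = diff_o17(before_text, after_text)
    lines.append(f"removed after cleanup: {len(d['removed'])}, still present: {len(d['remaining'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE_LOG, AFTER_LOG))
```

Two caveats when using this on a real log. First, a REVIEW verdict only says the resolver was set statically and is not on the LAN; compare it with what DHCP actually assigns on that network before calling it hostile. Second, HijackThis "Fix Checked" deletes the global NameServer value, but a per-interface NameServer under Tcpip\Parameters\Interfaces\{GUID} overrides it, so check those lines too, then flush the resolver cache; if ipconfig /flushdns fails with "Function failed during execution", the usual cause is that the DNS Client service (Dnscache) is not running, so start it and retry.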
Orrhexis



Joined: May 04, 2009
Posts: 3



PostPosted: Tue May 05, 2009 8:43 pm    Post subject:

Everything seems fixed on my end unless you see something else in the logs. Thank you so very much for your help.
greyknight17



Joined: Feb 03, 2003
Posts: 5674

Location: Brooklyn, NY

PostPosted: Thu May 07, 2009 11:57 am    Post subject:

It looks good here as well. :) Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.