donnie darko

About donnie darko

  1. polaris wrote (post 123148, Oct 8 2010, 10:41 PM): "If that is the case, nothing can be running! It was not like this before, a couple of years ago. Also, I'm finding that the (Applying) update is taking forever! i.e. after completing huge downloads. What's going on with the Ad-Aware program??? One of the selling features was that it was faster than the competition. Whatever happened. ...Now, it seems all it is doing is spinning wheels, for what, I don't know? Now, who would think of buying, paying for it??" I totally agree with Polaris. Over the last 1-2 years Ad-Aware has become painfully slow in scanning and updating. I have noticed that the following 2 processes, 'Ad-AwareAdmin.exe' and 'AAWService.exe', now take FOREVER TO RUN THEIR COURSE. And whilst they are running, the CPU resources rocket up to 95-100%, almost freezing out my PC for other tasks. It has almost got to the point where I will have to seriously think of removing my free Ad-Aware altogether! And if my free version proves to be very top heavy and resource intensive, why oh why would anybody want to consider obtaining the paid-up version! COME ON LAVASOFT - WHAT'S GOING ON? YOU NEED TO LISTEN TO YOUR CUSTOMERS
  2. I am happy to say that my antivirus does not do the same. I have AVG8 and if I disable it loading in the tray, it is still working in the background. I can click on the AVG interface from Program Files and close it without it minimising itself into the tray. Even if I choose to have AVG in the tray I can close it/exit without shutting down the service. What happened to the progress bars in Ad-Aware AE?
  3. Unfortunately Ad-Aware AE is being very naughty and will always try to minimise itself into the tray! For example, I disabled AAWTRAY.exe and that stopped the icon appearing in the tray on startup. However, clicking on Ad-aware.exe starts the service, but if you click on the 'X' icon or 'Close' it DOES NOT close the programme - it merely minimises it into the tray! I did a fresh install of Ad-Aware and it was only then that I noticed, in VERY SMALL writing, 'customise your setting' in the 'agreement' window. However, this did not offer many options, such as 'manually start Ad-Aware'! I want control over how Ad-Aware behaves; however, this version does not ultimately allow for this. I have gone back to Ad-Aware 2008 as I don't need this hassle with this edition. Also I liked the progress bars in Ad-Aware 2008, which seem to be absent in Ad-Aware AE. I think some of the features in AAW AE need to be redesigned.
  4. I am having a similar issue. Your suggestions do not work. Whilst killing AAWTRAY.exe in msconfig/startup may well remove it from the tray, if you kill AAWSERVICE.EXE in msconfig/services (which will remove it from the tray) the service will NOT start with a manual start. If you click on the Ad-Aware app, you initially get the small pop-up with "Ad-aware - Anniversary Edition - Loading" which hangs for about 10 seconds before disappearing. But the actual main page does NOT load. In summary, if both AAWTRAY.exe and AAWSERVICE.EXE have been disabled in msconfig the app cannot be loaded and nor will you see it in the tray. However, if only AAWTRAY.exe is disabled in msconfig, on boot startup you STILL GET THE Ad-Aware icon in the tray.
  5. I did the uninstall of FF and Gran Paradiso. I then did a clean install of FF 3.0.6. So far no problems!! Where are the cache locations for FF and IE? I believe I know when I got infected. It was a zip file from isohunt which contained adware that wasn't seen by the AVG scan. I always scan downloaded P2P files with AVG before opening. However, on this occasion there was no alert, and so I opened it. As soon as I did, I saw all these other apps just popping up all over the place!!! Incidentally, when ComboFix produces a log.txt file, the Spybot resident shield pops up even though I disabled it in msconfig. It normally asks whether to allow or deny the registry change. Any idea why this happens? Finally - thank you so much for pointing me in the right direction!
  6. So, in summary, if I decide to go back to FF 3.0.6 from Gran Paradiso, I shouldn't see the problem? Also, are you also stating that apps like AVG, Avira, Malwarebytes and Spybot will not take out these browser hijackers if they are in the FF cache? Is there anything else that I can or need to do to prevent this type of infection? Are there tools out there that can spot these infections before they embed themselves? Any further guidance would be much appreciated. Thanks
  7. I ran ComboFix yesterday when I still had FF 3.0.6. Unfortunately the issue did not go away and so I contacted FF support. I sent them Listdll and HijackThis data. It was Mozilla support which suggested installing Gran Paradiso. In summary, ComboFix did not remove the malware when I ran it yesterday. I am concerned that if I reinstall FF 3.0.6, the malware, if present, will infect it again and may also infect Gran Paradiso. What are your thoughts?
  8. Hi. Maybe I have introduced some confusion. I had this issue with Firefox 3.0.6. When I upgraded to Gran Paradiso the issue disappeared. I ASSUMED that the hijack malware would still be present deep in my system but not active, because the app it was associated with, i.e. FF 3.0.6, has been disabled. I suppose because I know the spyware is still there I just want to get rid of it. Please find below the latest ComboFix log - do you also want the quarantine log?

ComboFix 09-02-17.02 - Roman Haraburda 2009-02-18 17:02:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.456 [GMT 0:00]
Running from: c:\documents and settings\Roman Haraburda\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Panda Internet Security 2008 *On-access scanning disabled* (Outdated)
FW: Panda Internet Security 2008 *disabled*
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Roman Haraburda\Application Data\inst.exe
c:\documents and settings\Roman Haraburda\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\d3d8caps.dat
c:\windows\system32\ecfmbixm.ini
c:\windows\system32\gOqtCfhk.ini
c:\windows\system32\inf\rundll33.exe
c:\windows\xccwinsys.ini
.
((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.
2009-02-18 16:28 . 2008-04-14 00:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-02-18 16:27 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2009-02-18 16:27 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-02-18 16:27 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-02-18 16:27 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-02-18 16:27 . 2008-04-13 18:46 19,200 --a--c--- c:\windows\system32\dllcache\wstcodec.sys
2009-02-18 16:27 . 2008-04-14 00:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-02-18 16:27 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2009-02-18 16:27 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-02-18 16:27 . 2008-04-13 18:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys
2009-02-18 16:27 . 2008-04-14 00:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-02-18 16:27 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-02-18 16:25 . 2001-08-17 13:28 765,884 --a--c--- c:\windows\system32\dllcache\usrti.sys
2009-02-18 16:25 . 2001-08-17 13:28 687,999 --a--c--- c:\windows\system32\dllcache\usrwdxjs.sys
2009-02-18 16:25 . 2001-08-17 13:28 604,253 --a--c--- c:\windows\system32\dllcache\vmodem.sys
2009-02-18 16:25 . 2001-08-17 13:28 397,502 --a--c--- c:\windows\system32\dllcache\vpctcom.sys
2009-02-18 16:25 . 2001-08-17 12:14 249,402 --a--c--- c:\windows\system32\dllcache\vinwm.sys
2009-02-18 16:25 . 2001-08-17 13:28 64,605 --a--c--- c:\windows\system32\dllcache\vvoice.sys
2009-02-18 16:25 . 2008-04-14 00:12 53,760 --a--c--- c:\windows\system32\dllcache\vfwwdm32.dll
2009-02-18 16:25 . 2001-08-17 13:49 24,576 --a--c--- c:\windows\system32\dllcache\viairda.sys
2009-02-18 16:25 . 2001-08-17 12:13 19,528 --a--c--- c:\windows\system32\dllcache\w840nd.sys
2009-02-18 16:25 . 2001-08-17 12:13 19,016 --a--c--- c:\windows\system32\dllcache\w926nd.sys
2009-02-18 16:25 . 2001-08-17 12:13 16,925 --a--c--- c:\windows\system32\dllcache\w940nd.sys
2009-02-18 16:23 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2009-02-18 16:23 . 2001-08-17 14:56 440,576 --a--c--- c:\windows\system32\dllcache\tridkb.dll
2009-02-18 16:23 . 2001-08-17 14:56 315,520 --a--c--- c:\windows\system32\dllcache\trid3d.dll
2009-02-18 16:23 . 2001-08-17 12:51 222,336 --a--c--- c:\windows\system32\dllcache\trid3dm.sys
2009-02-18 16:23 . 2001-08-17 22:36 216,064 --a--c--- c:\windows\system32\dllcache\um34scan.dll
2009-02-18 16:23 . 2001-08-17 22:36 211,968 --a--c--- c:\windows\system32\dllcache\um54scan.dll
2009-02-18 16:23 . 2001-08-17 12:51 166,784 --a--c--- c:\windows\system32\dllcache\tridxpm.sys
2009-02-18 16:23 . 2001-08-17 12:51 159,232 --a--c--- c:\windows\system32\dllcache\tridkbm.sys
2009-02-18 16:23 . 2001-08-17 22:36 50,176 --a--c--- c:\windows\system32\dllcache\umaxp60.dll
2009-02-18 16:23 . 2001-08-17 22:36 47,616 --a--c--- c:\windows\system32\dllcache\umaxcam.dll
2009-02-18 16:23 . 2001-08-17 13:52 36,736 --a--c--- c:\windows\system32\dllcache\ultra.sys
2009-02-18 16:23 . 2001-08-17 13:48 11,520 --a--c--- c:\windows\system32\dllcache\twotrack.sys
2009-02-18 16:21 . 2001-08-17 14:56 172,768 --a--c--- c:\windows\system32\dllcache\t2r4disp.dll
2009-02-18 16:21 . 2001-08-17 13:50 103,936 --a--c--- c:\windows\system32\dllcache\sx.sys
2009-02-18 16:21 . 2001-08-17 22:36 94,293 --a--c--- c:\windows\system32\dllcache\sxports.dll
2009-02-18 16:21 . 2001-08-17 12:50 36,640 --a--c--- c:\windows\system32\dllcache\t2r4mini.sys
2009-02-18 16:21 . 2001-08-17 14:07 32,640 --a--c--- c:\windows\system32\dllcache\symc8xx.sys
2009-02-18 16:21 . 2001-08-17 14:07 30,688 --a--c--- c:\windows\system32\dllcache\sym_u3.sys
2009-02-18 16:21 . 2001-08-17 13:49 30,464 --a--c--- c:\windows\system32\dllcache\tbatm155.sys
2009-02-18 16:21 . 2001-08-17 14:07 28,384 --a--c--- c:\windows\system32\dllcache\sym_hi.sys
2009-02-18 16:21 . 2001-08-17 14:07 16,256 --a--c--- c:\windows\system32\dllcache\symc810.sys
2009-02-18 16:21 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpidflt.dll
2009-02-18 16:21 . 2001-08-17 22:36 10,240 --a--c--- c:\windows\system32\dllcache\swpdflt2.dll
2009-02-18 16:21 . 2001-08-17 13:52 7,040 --a--c--- c:\windows\system32\dllcache\tandqic.sys
2009-02-18 16:21 . 2001-08-17 14:02 3,968 --a--c--- c:\windows\system32\dllcache\swusbflt.sys
2009-02-18 16:19 . 2001-08-17 14:56 147,200 --a--c--- c:\windows\system32\dllcache\smidispb.dll
2009-02-18 16:18 . 2001-08-17 14:56 252,032 --a--c--- c:\windows\system32\dllcache\sis300iv.dll
2009-02-18 16:17 . 2001-08-17 22:36 386,560 --a--c--- c:\windows\system32\dllcache\sgiul50.dll
2009-02-18 16:17 . 2001-07-21 14:29 161,568 --a--c--- c:\windows\system32\dllcache\sgsmusb.sys
2009-02-18 16:17 . 2001-08-17 12:51 98,080 --a--c--- c:\windows\system32\dllcache\sgiulnt5.sys
2009-02-18 16:17 . 2001-08-17 12:19 36,480 --a--c--- c:\windows\system32\dllcache\sfmanm.sys
2009-02-18 16:17 . 2001-07-21 14:29 18,400 --a--c--- c:\windows\system32\dllcache\sgsmld.sys
2009-02-18 16:17 . 2001-08-17 13:51 17,280 --a--c--- c:\windows\system32\dllcache\scr111.sys
2009-02-18 16:17 . 2001-08-17 13:51 16,640 --a--c--- c:\windows\system32\dllcache\scmstcs.sys
2009-02-18 16:17 . 2001-08-17 13:52 11,648 --a--c--- c:\windows\system32\dllcache\scsiprnt.sys
2009-02-18 16:17 . 2008-04-13 18:45 11,520 --a--c--- c:\windows\system32\dllcache\scsiscan.sys
2009-02-18 16:17 . 2001-08-17 13:53 6,912 --a--c--- c:\windows\system32\dllcache\seaddsmc.sys
2009-02-18 16:17 . 2001-08-17 13:53 6,784 --a--c--- c:\windows\system32\dllcache\serscan.sys
2009-02-18 16:15 . 2001-08-17 22:36 86,097 --a--c--- c:\windows\system32\dllcache\reslog32.dll
2009-02-18 16:15 . 2001-08-17 22:36 79,872 --a--c--- c:\windows\system32\dllcache\rwia430.dll
2009-02-18 16:15 . 2008-04-13 18:40 79,104 --a--c--- c:\windows\system32\dllcache\rocket.sys
2009-02-18 16:15 . 2001-08-17 12:12 37,563 --a--c--- c:\windows\system32\dllcache\rlnet5.sys
2009-02-18 16:15 . 2001-08-17 12:19 30,720 --a--c--- c:\windows\system32\dllcache\rthwcls.sys
2009-02-18 16:15 . 2008-04-14 00:12 29,696 --a--c--- c:\windows\system32\dllcache\rw450ext.dll
2009-02-18 16:15 . 2008-04-14 00:12 27,648 --a--c--- c:\windows\system32\dllcache\rw430ext.dll
2009-02-18 16:15 . 2004-08-03 22:31 20,992 --a--c--- c:\windows\system32\dllcache\rtl8139.sys
2009-02-18 16:15 . 2001-08-17 13:51 19,584 --a--c--- c:\windows\system32\dllcache\rasirda.sys
2009-02-18 16:15 . 2001-08-17 12:12 19,017 --a--c--- c:\windows\system32\dllcache\rtl8029.sys
2009-02-18 16:15 . 2001-08-17 22:36 9,216 --a--c--- c:\windows\system32\dllcache\rsmgrstr.dll
2009-02-18 16:15 . 2001-08-17 12:19 3,840 --a--c--- c:\windows\system32\dllcache\rpfun.sys
2009-02-18 16:13 . 2008-04-14 00:12 363,520 --a--c--- c:\windows\system32\dllcache\psisdecd.dll
2009-02-18 16:12 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2009-02-18 16:11 . 2001-08-17 12:50 198,144 --a--c--- c:\windows\system32\dllcache\nv3.sys
2009-02-18 16:11 . 2001-08-17 22:36 123,776 --a--c--- c:\windows\system32\dllcache\nv3.dll
2009-02-18 16:11 . 2001-08-17 22:36 116,736 --a--c--- c:\windows\system32\dllcache\ovcodec2.dll
2009-02-18 16:11 . 2001-08-17 12:20 54,528 --a--c--- c:\windows\system32\dllcache\opl3sax.sys
2009-02-18 16:11 . 2001-08-17 13:28 54,186 --a--c--- c:\windows\system32\dllcache\otcsercb.sys
2009-02-18 16:11 . 2001-08-17 12:49 51,552 --a--c--- c:\windows\system32\dllcache\ntgrip.sys
2009-02-18 16:11 . 2001-08-17 14:05 48,000 --a--c--- c:\windows\system32\dllcache\ovcam2.sys
2009-02-18 16:11 . 2001-08-17 12:12 43,689 --a--c--- c:\windows\system32\dllcache\otceth5.sys
2009-02-18 16:11 . 2001-08-17 14:05 31,872 --a--c--- c:\windows\system32\dllcache\ovce.sys
2009-02-18 16:11 . 2001-08-17 14:05 28,032 --a--c--- c:\windows\system32\dllcache\ovcd.sys
2009-02-18 16:11 . 2001-08-17 12:12 27,209 --a--c--- c:\windows\system32\dllcache\otc06x5.sys
2009-02-18 16:11 . 2001-08-17 14:05 25,088 --a--c--- c:\windows\system32\dllcache\ovca.sys
2009-02-18 16:09 . 2001-08-17 12:11 128,000 --a--c--- c:\windows\system32\dllcache\n100325.sys
2009-02-18 16:08 . 2001-08-17 12:50 320,384 --a--c--- c:\windows\system32\dllcache\mgaum.sys
2009-02-18 16:08 . 2001-08-17 14:56 235,648 --a--c--- c:\windows\system32\dllcache\mgaud.dll
2009-02-18 16:08 . 2008-04-14 00:12 56,832 --a--c--- c:\windows\system32\dllcache\msdvbnp.ax
2009-02-18 16:08 . 2008-04-13 18:46 51,200 --a--c--- c:\windows\system32\dllcache\msdv.sys
2009-02-18 16:08 . 2001-08-17 22:36 47,616 --a--c--- c:\windows\system32\dllcache\memgrp.dll
2009-02-18 16:08 . 2001-08-17 14:02 35,200 --a--c--- c:\windows\system32\dllcache\msgame.sys
2009-02-18 16:08 . 2008-04-13 18:41 26,112 --a--c--- c:\windows\system32\dllcache\memstpci.sys
2009-02-18 16:08 . 2001-08-17 13:52 17,280 --a--c--- c:\windows\system32\dllcache\mraid35x.sys
2009-02-18 16:08 . 2008-04-13 18:46 15,232 --a--c--- c:\windows\system32\dllcache\mpe.sys
2009-02-18 16:08 . 2001-08-17 13:58 8,320 --a--c--- c:\windows\system32\dllcache\memcard.sys
2009-02-18 16:08 . 2001-08-17 13:52 6,528 --a--c--- c:\windows\system32\dllcache\miniqic.sys
2009-02-18 16:08 . 2001-08-17 13:48 6,016 --a--c--- c:\windows\system32\dllcache\msfsio.sys
2009-02-18 16:06 . 2008-04-14 00:11 253,952 --a--c--- c:\windows\system32\dllcache\kdsusd.dll
2009-02-18 16:05 . 2001-08-17 22:36 372,824 --a--c--- c:\windows\system32\dllcache\iconf32.dll
2009-02-18 16:04 . 2008-04-14 00:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2009-02-18 16:03 . 2001-08-17 13:28 542,879 --a--c--- c:\windows\system32\dllcache\hsf_msft.sys
2009-02-18 16:02 . 2001-08-17 13:28 907,456 --a--c--- c:\windows\system32\dllcache\hcf_msft.sys
2009-02-18 16:01 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-02-18 16:00 . 2001-08-17 12:17 629,952 --a--c--- c:\windows\system32\dllcache\eqn.sys
2009-02-18 15:59 . 2001-08-17 13:28 634,134 --a--c--- c:\windows\system32\dllcache\el656ct5.sys
2009-02-18 15:58 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2009-02-18 15:57 . 2001-08-17 12:13 980,034 --a--c--- c:\windows\system32\dllcache\cicap.sys
2009-02-18 15:56 . 2001-08-17 13:28 714,698 --a--c--- c:\windows\system32\dllcache\cbmdmkxx.sys
2009-02-18 15:55 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2009-02-18 15:54 . 2001-08-17 12:12 97,354 --a--c--- c:\windows\system32\dllcache\aspndis3.sys
2009-02-18 15:41 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2009-02-18 15:40 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2009-02-18 13:46 . 2009-02-18 13:46 <DIR> d-------- C:\_OTMoveIt
2009-02-18 11:47 . 2009-02-18 11:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-17 23:00 . 2009-02-17 23:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-17 23:00 . 2009-02-17 23:00 <DIR> d-------- c:\documents and settings\Roman Haraburda\Application Data\Malwarebytes
2009-02-17 23:00 . 2009-02-17 23:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 23:00 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 23:00 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-17 18:22 . 2009-02-17 18:02 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-17 18:02 . 2009-02-17 18:02 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-17 17:25 . 2009-02-17 17:25 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 17:07 --------- d-----w c:\documents and settings\Roman Haraburda\Application Data\POPFile
2009-02-18 17:07 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-02-18 17:04 --------- d-----w c:\documents and settings\Roman Haraburda\Application Data\Free Download Manager
2009-02-18 00:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-18 00:10 --------- d-----w c:\program files\SpywareBlaster
2009-02-18 00:03 --------- d-----w c:\program files\Spyware Doctor
2009-02-18 00:02 81,288 ----a-w c:\windows\system32\drivers\iksyssec.sys
2009-02-18 00:02 66,952 ----a-w c:\windows\system32\drivers\iksysflt.sys
2009-02-18 00:02 40,840 ----a-w c:\windows\system32\drivers\ikfilesec.sys
2009-02-17 17:23 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-17 17:09 --------- d-----w c:\program files\Free Download Manager
2009-02-17 15:45 --------- d-----w c:\program files\BitComet
2009-02-17 11:37 --------- d-----w c:\program files\Windows Desktop Search
2009-02-16 21:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-16 21:03 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-16 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-02-16 16:35 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-14 23:30 --------- d-----w c:\program files\Lavalys
2009-02-13 11:43 --------- d-----w c:\program files\WinFax
2009-02-06 18:23 --------- d-----w c:\program files\Native Instruments
2009-02-06 18:08 --------- d-----w c:\program files\Google
2009-02-06 17:49 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-05 23:49 --------- d-----w c:\program files\SpeedFan
2009-02-05 23:31 --------- d-----w c:\documents and settings\Roman Haraburda\Application Data\Uniblue
2009-02-02 17:38 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-01 16:37 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-01 16:37 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-02-01 16:37 --------- d-----w c:\documents and settings\All Users\Application Data\Avg8
2009-01-23 21:36 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-02 22:50 --------- d-----w c:\documents and settings\Roman Haraburda\Application Data\DVDFab
2009-01-02 22:48 --------- d-----w c:\documents and settings\Roman Haraburda\Application Data\Vso
2008-12-31 08:54 --------- d-----w c:\program files\MSN Messenger
2008-12-30 22:12 --------- d-----w c:\documents and settings\LocalService\Application Data\agi
2008-12-30 22:11 --------- d-----w c:\program files\Kiwee Toolbar
2008-12-29 10:31 --------- d-----w c:\documents and settings\Roman Haraburda\Application Data\Apple Computer
2008-12-29 10:26 --------- d-----w c:\program files\Apple Software Update
2008-12-29 10:26 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-01-22 00:05 47,360 ----a-w c:\documents and settings\Roman Haraburda\Application Data\pcouffin.sys
2007-12-27 23:41 2,293,848 ----a-w c:\program files\FLV PlayerFCSetup.exe
2008-03-07 12:51 8 --sha-r c:\windows\system32\3C24FD206F.sys
2008-03-07 14:02 1,056 --sha-w c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-31 3399727]
"STManager"="c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe" [2003-10-16 118784]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2005-03-09 98304]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-30 68856]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2005-03-09 98304]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2007-06-11 901120]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\MpcStar\Codecs\QuickTime\QTTask.exe" [2009-01-05 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-17 509784]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"VTTimer"="VTTimer.exe" [2005-03-07 c:\windows\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\Roman Haraburda\Start Menu\Programs\Startup\
Run POPFile.lnk - c:\program files\POPFile\runpopfile.exe [2006-02-16 69010]
Shortcut to ROMAN.OR6.lnk - c:\lotus\work\organize\ROMAN.OR6 [2007-03-29 31327232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-08-01 111376]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-23 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 16:37 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Configuration Wizard.lnk]
backup=c:\windows\pss\Configuration Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check.lnk]
backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus Organizer EasyClip.lnk]
backup=c:\windows\pss\Lotus Organizer EasyClip.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Express Calendar Checker SE.lnk]
backup=c:\windows\pss\Photo Express Calendar Checker SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Roman Haraburda^Start Menu^Programs^Startup^Quick StartUp.lnk]
backup=c:\windows\pss\Quick StartUp.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Roman Haraburda^Start Menu^Programs^Startup^Start.lnk]
backup=c:\windows\pss\Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2008-01-25 10:08 1032376 c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 22:29 165784 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2008-11-17 18:50 827904 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
--a------ 2007-12-22 23:03 916240 c:\program files\Eraser\Eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-09-20 10:35 1077032 c:\program files\Nero\Nero8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2008-01-25 10:08 1032376 c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-08-23 17:36 455968 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PE2CKFNT SE]
--a------ 1998-07-03 11:51 25088 c:\program files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-05-13 22:23 282624 c:\program files\MpcStar\Codecs\QuickTime\QTSystem\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
-ra------ 2005-06-20 10:53 1056768 c:\program files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
--a------ 2007-09-20 10:36 2044712 c:\program files\Nero\Nero8\InCD\NBHGui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC Service Utility]
--a------ 2007-10-09 11:55 665600 c:\program files\SSC Service Utility\ssc_serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-03-30 15:28 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WFXSwtch]
-ra------ 2001-08-08 20:17 26624 c:\progra~1\WinFax\WFXSWTCH.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 18:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tblfunc]
--a------ 2001-08-21 13:56 49152 c:\windows\system32\tblmouse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
-ra------ 2001-08-08 20:17 43520 c:\windows\system32\WFXSNT40.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)
"LightScribeService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22436:TCP"= 22436:TCP:BitComet 22436 TCP
"22436:UDP"= 22436:UDP:BitComet 22436 UDP
"6346:TCP"= 6346:TCP:shareaza
"6346:UDP"= 6346:UDP:shareaza

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-17 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-07-29 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-07-29 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-29 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-29 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2007-03-30 15104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 NETIMFLT;PANDA NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\netimflt.sys --> c:\windows\system32\DRIVERS\netimflt.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-04-02 356920]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2007-08-08 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2007-08-08 12672]
S3 tablet;Serial Tablet Driver;c:\windows\system32\drivers\tablet.sys [2000-06-07 23125]
S3 tbfilter;Tablet Filter Driver;c:\windows\system32\drivers\tbfilter.sys [2000-06-07 7383]
S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2008-11-16 16896]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-17 18:02]

2009-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-02-14 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2007-11-02 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{9A2FA9C8-1AEA-41BA-9C4A-0527891762D7} - (no file)
BHO-{BE49F1EE-346B-42DA-811B-D76863CA24BD} - (no file)
HKCU-Run-fsm - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
Notify-avldr - avldr.dll
Notify-byXPHaYO - byXPHaYO.dll
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://www.tiscali.co.uk/ uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - c:\lotus\org6\organize\bandobjs.dll TCP: {1CDFC8FA-ADFF-4417-AD55-7F591955CBDD} = 212.139.132.10 212.139.132.11 DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab FF - ProfilePath - c:\documents and settings\Roman Haraburda\Application Data\Mozilla\Firefox\Profiles\2hgq7puf.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin.dll FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin2.dll FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin3.dll FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin4.dll FF - plugin: c:\program files\MpcStar\Codecs\QuickTime\Plugins\npqtplugin5.dll . 
************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-18 17:06:59 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Nero\Nero8\InCD\InCDsrv.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Kontiki\KService.exe c:\windows\system32\PSIService.exe c:\windows\system32\wt32exe.exe c:\program files\Canon\CAL\CALMAIN.exe c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\rundll32.exe c:\progra~1\POPFile\popfileib.exe . ************************************************************************** . Completion time: 2009-02-18 17:10:11 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-18 17:10:08 Pre-Run: 102,608,998,400 bytes free Post-Run: 102,600,237,056 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7 439 --- E O F --- 2009-02-17 10:44:46
  9. I have WinXP Home; Mozilla 5.0; Firefox 3.0.6; AVG8.

When I do a search from the Google search field in Firefox, a list appears. However, clicking on a link in the list, instead of going to the website, Firefox gets redirected to an advert page or a different search page or even to an eBay page! However, if I do a search from the AVG/Yahoo search field, the resulting links DO NOT redirect me and take me directly to the website. When I looked in Firefox bookmarks, I saw multiple copies of redirected sites. I do NOT see this issue with IE7 + Google.

I have run Ad-Aware + Spybot + Spyware Doctor + Malwarebytes + ComboFix + SpywareBlaster + AVG8 in safe mode and with System Restore turned off, and I still have a browser hijacker problem. However, when I upgraded to Gran Paradiso (Firefox 3.0.8 en-US), the problem disappeared. According to Mozilla support, the malware must have been looking for entries with the term 'Firefox'. Whilst this workaround is working OK, I am aware that the malware that was hijacking Firefox 3 is still embedded somewhere in the system. I can run RootkitRevealer, ListDLLs and HijackThis but I don't know what I am looking for.

Can anyone help remove this piece of s**t from my system?

I have enclosed a HijackThis logfile. THANKS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:44:05, on 18/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wt32exe.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Roman Haraburda\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9A2FA9C8-1AEA-41BA-9C4A-0527891762D7} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: (no name) - {BE49F1EE-346B-42DA-811B-D76863CA24BD} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {DF986C2C-446C-49B7-913D-DBB1BAE4DC17} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Skype Toolbar for Internet Explorer - {B13721C7-F507-4982-B2E5-502A71474FED} - C:\Program Files\Skype\toolbars\Skype for Internet Explorer\skype_toolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\MpcStar\Codecs\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [sTManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "C:\WINDOWS\system32\rmoc3260.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [rmoc3260.dll OCX] regsvr32.exe /s "C:\WINDOWS\system32\rmoc3260.dll" (User 'Default user')
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Startup: Shortcut to ROMAN.OR6.lnk = C:\lotus\work\organize\ROMAN.OR6
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Toolbar for Internet Explorer - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\toolbars\SKYPEF~1\EASYHI~1.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - C:\lotus\org6\organize\bandobjs.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CDFC8FA-ADFF-4417-AD55-7F591955CBDD}: NameServer = 212.139.132.10 212.139.132.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CDFC8FA-ADFF-4417-AD55-7F591955CBDD}: NameServer = 212.139.132.10 212.139.132.11
O17 - HKLM\System\CS3\Services\Tcpip\..\{1CDFC8FA-ADFF-4417-AD55-7F591955CBDD}: NameServer = 212.139.132.10 212.139.132.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: byXPHaYO - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\system32\Wt32exe.exe

--
End of file - 13225 bytes
  10. I have WinXP Home; Mozilla 5.0; Firefox 3.0.6; AVG8.

When I do a search from the Google search field in Firefox, a list appears. However, clicking on a link in the list, instead of going to the website, Firefox gets redirected to an advert page or a different search page or even to an eBay page! However, if I do a search from the AVG/Yahoo search field, the resulting links DO NOT redirect me and take me directly to the website. When I looked in Firefox bookmarks, I saw multiple copies of redirected sites. I do NOT see this issue with IE7 + Google.

I have run Ad-Aware + Spybot + Spyware Doctor + Malwarebytes + ComboFix + SpywareBlaster + AVG8 in safe mode and with System Restore turned off, and I still have a browser hijacker problem. However, when I upgraded to Gran Paradiso (Firefox 3.0.8 en-US), the problem disappeared. According to Mozilla support, the malware must have been looking for entries with the term 'Firefox'. Whilst this workaround is working OK, I am aware that the malware that was hijacking Firefox 3 is still embedded somewhere in the system. I can run RootkitRevealer, ListDLLs and HijackThis but I don't know what I am looking for.

Can anyone help remove this piece of s**t from my system? THANKS